Critical Windows Netlogon RCE flaw now exploited in attacks
By Sergiu Gatlan
June 1, 2026
08:30 AM
The Centre for Cybersecurity Belgium (CCB), the country's national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vulnerability in attacks.
Netlogon is a remote procedure call (RPC) interface and a core Windows Server background service that authenticates users and services on Active Directory domain networks. On domain controllers it is exposed to the network, which is why a flaw in how it parses requests can be reached by an attacker without credentials.
Microsoft patched this vulnerability (CVE-2026-41089) during the May 2026 Patch Tuesday, describing it as a stack-based buffer overflow in Windows Netlogon that lets an unauthenticated remote attacker execute code on targeted domain controllers.
"An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller," it said. "If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access."
CVE-2026-41089 impacts all currently supported Windows Server versions, including the latest release, Windows Server 2025.
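Because every supported Windows Server version is affected, the practical first step is an inventory of which domain controllers have received any update since the May 12 advisory and which have rebooted since. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory RSAT module and remote CIM/WMI access to each DC, and the optional `-RequiredKB` parameter is a placeholder for the KB number taken from Microsoft's advisory, which this page does not give.

```powershell
# Added example, not from the article. Enumerates domain controllers and reports
# whether each has installed an update since the advisory date and rebooted after it.
# Assumes: ActiveDirectory RSAT module, WinRM/DCOM reachability to each DC.
$AdvisoryDate = Get-Date '2026-05-12'   # Microsoft advisory / May 2026 Patch Tuesday

function Get-DcPatchStatus {
    [CmdletBinding()]
    param(
        [datetime]$Since = $AdvisoryDate,
        # Hypothetical parameter: supply the KB ID from Microsoft's advisory (e.g. 'KB5000000').
        [string]$RequiredKB
    )

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc -ErrorAction Stop

            # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be null on some entries.
            $fixes  = Get-HotFix -ComputerName $dc -ErrorAction Stop
            $latest = $fixes | Where-Object { $_.InstalledOn } |
                      Sort-Object InstalledOn -Descending | Select-Object -First 1

            $hasKb = $null
            if ($RequiredKB) {
                $hasKb = [bool]($fixes | Where-Object { $_.HotFixID -eq $RequiredKB })
            }

            [pscustomobject]@{
                DomainController     = $dc
                OSVersion            = $os.Caption
                Build                = $os.Version
                LastUpdateKB         = $latest.HotFixID
                LastUpdateOn         = $latest.InstalledOn
                # Heuristic only: an update after the advisory date does not prove the
                # Netlogon fix is present; confirm with the KB from the advisory.
                UpdatedSinceAdvisory = ($latest.InstalledOn -ge $Since)
                # A patched DC that has not rebooted is still running the old lsass/Netlogon code.
                RebootedAfterUpdate  = ($os.LastBootUpTime -ge $latest.InstalledOn)
                HasRequiredKB        = $hasKb
            }
        }
        catch {
            [pscustomobject]@{ DomainController = $dc; Error = $_.Exception.Message }
        }
    }
}

# Usage: list DCs with the least-patched first.
Get-DcPatchStatus | Sort-Object UpdatedSinceAdvisory, RebootedAfterUpdate | Format-Table -AutoSize
```

Treat `UpdatedSinceAdvisory` as a triage signal only: a DC can have installed an unrelated update after May 12 and still be missing the cumulative update that carries this fix, so the `-RequiredKB` check against the advisory's KB number is the one that actually answers the question.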
According to a security advisory published by the company on May 12, the vulnerability was discovered by Windows Attack Research & Protection (WARP), an internal offensive cybersecurity and engineering research team at Microsoft.
In its Friday alert, the CCB urged admins to patch vulnerable servers immediately.
"CVE-2026-41089 in #Windows #Netlogon is now actively #exploited in the wild and could lead to #RCE. CVSS(3.1): 9.8," the CCB warned in a Friday tweet. "Patch as quickly as possible."
CVE-2026-41089 active exploitation alert (CCB)
However, the CCB didn't provide further details on these ongoing attacks and didn't respond to a BleepingComputer request for more information.
Microsoft has yet to update its advisory, and a company spokesperson didn't reply to an email from BleepingComputer requesting confirmation that CVE-2026-41089 is now actively exploited.
Two weeks ago, Microsoft shared mitigation measures for YellowKey (CVE-2026-45585), a Windows BitLocker zero-day vulnerability that grants access to protected drives, described as a backdoor by anonymous security researcher 'Nightmare Eclipse,' who also disclosed it and published a proof-of-concept (PoC) exploit.
Over the past several months, Nightmare Eclipse also disclosed the BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091) privilege escalation zero-day flaws (both now being exploited in attacks), the GreenPlasma and MiniPlasma zero-day privilege escalation flaws that provide SYSTEM privileges, and UnDefend (CVE-2026-45498), another zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates.
Initially, Microsoft reacted to Nightmare Eclipse with thinly veiled threats of legal action, followed by a tweet saying that the company "will work with law enforcement as appropriate" when "an individual breaks the law and engages in malicious activity causing real harm to our customers."