Windows Server: CVE-2026-41089 Critical Netlogon Flaw Is Being Exploited
Belgium's Centre for Cybersecurity (CCB) has issued an alert about CVE-2026-41089, a vulnerability affecting the Netlogon service in Windows Server. This vulnerability is now being actively exploited in the wild. Here's how to protect yourself.
A critical flaw in Netlogon
Behind the CVE-2026-41089 reference is a critical security flaw discovered in Netlogon by an internal Microsoft team. It carries a CVSS 3.1 score of 9.8 out of 10 and allows remote code execution on a vulnerable server.
The flaw affects Netlogon, a service found only on Windows Server and used in Active Directory environments for user authentication. It runs on domain controllers and Active Directory member servers.
The major issue with this vulnerability is that it allows remote code execution without authentication, making it a zero-click flaw. "An attacker could send a specially crafted network request to a Windows server acting as a domain controller. If successful, this could cause the Netlogon service to process the request incorrectly, potentially allowing the attacker to run code on the affected system without having to log in or have any prior access," Microsoft explains.
The good news: CVE-2026-41089 was patched on May 12, 2026, as part of the May 2026 Patch Tuesday release. Microsoft says the flaw has not been exploited since its disclosure, yet a statement published by the CCB (Centre for Cybersecurity Belgium) says otherwise.
The CCB alert about CVE-2026-41089
On Friday, May 29, Belgium's Centre for Cybersecurity (CCB) published an alert to inform users that attackers were actively exploiting the CVE-2026-41089 flaw. The agency strongly urged system administrators to patch their vulnerable servers as quickly as possible in a warning message:
"This flaw is now actively exploited in the wild. Exploitation requires no prior privileges or user interaction and can be carried out remotely," it read.
At this time, no additional details about these attacks have been disclosed. Microsoft has also not updated its security bulletin, but the situation could change quickly. This flaw is also not listed in CISA's KEV catalog, though that too could change at any moment.
To stay protected, there is only one solution: update Windows Server. All versions from Windows Server 2012 to Windows Server 2025 are affected, including Server Core installations. The cumulative updates released in May 2026 include a security patch for this vulnerability.
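To confirm that the update actually landed, the following added example (not from Microsoft or the CCB) reports the patch state of every domain controller in the current domain. It assumes the RSAT ActiveDirectory module and remote hotfix query rights. $FixKbs is a placeholder to fill in from Microsoft's bulletin, since this page does not list KB numbers, and the date check is only a heuristic fallback. Member servers, which the article also names as running Netlogon, need the same check.

```powershell
# Added example: patch-state report for domain controllers.
# Assumptions: RSAT ActiveDirectory module, rights to query hotfixes remotely.
Import-Module ActiveDirectory

# Patch release date as given in the article (May 2026 Patch Tuesday).
$PatchDate = [datetime]'2026-05-12'
# Placeholder: KB IDs of the May 2026 (or later) cumulative updates for your
# OS versions, taken from Microsoft's bulletin. Not listed on this page.
$FixKbs = @()

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $hotfixes = @(Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop)
        $dated    = @($hotfixes | Where-Object InstalledOn)
        $byKb     = @($hotfixes | Where-Object { $FixKbs -contains $_.HotFixID })
        $byDate   = @($dated | Where-Object { $_.InstalledOn -ge $PatchDate })
        $latest   = $dated | Sort-Object InstalledOn | Select-Object -Last 1

        # A KB match is authoritative. A date match only shows that some
        # update was installed after the release date and must be verified.
        $status = if ($byKb.Count)       { 'Patched (KB match)' }
                  elseif ($byDate.Count) { 'Updated since patch date, verify KB' }
                  else                   { 'NO UPDATE SINCE PATCH DATE' }

        [pscustomobject]@{
            Server       = $dc.HostName
            OS           = $dc.OperatingSystem
            LatestUpdate = $latest.HotFixID
            InstalledOn  = $latest.InstalledOn
            Status       = $status
        }
    } catch {
        # An unreachable server is reported, not silently skipped.
        [pscustomobject]@{
            Server       = $dc.HostName
            OS           = $dc.OperatingSystem
            LatestUpdate = $null
            InstalledOn  = $null
            Status       = "Query failed: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Status, Server | Format-Table -AutoSize
```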


