Critical Windows Netlogon 0-Click RCE (CVE-2026-41089) Under Active Attack
Summary
A critical zero-click vulnerability in Windows Netlogon (CVE-2026-41089) is currently being actively exploited. This security flaw allows remote, unauthenticated attackers to execute malicious code on Windows domain controllers without any user interaction. Since Netlogon is a central component for authentication in Windows networks, this poses a massive risk to the entire infrastructure of organizations.
What happened?
The vulnerability CVE-2026-41089 has been identified as a stack-based buffer overflow in the Netlogon service. Reports from June 1, 2026, confirm that automated attacks against domain controllers have been observed on the internet. Attackers send specially crafted requests over the network to overflow the buffer and gain control over the process. Since the attack is “0-click,” no user needs to click a link or open a file.
Why it matters
Domain controllers are the heart of IT security in most companies. A successful attack on a domain controller means access to all user accounts, passwords, and permissions in the network. The fact that no login or interaction is required makes this vulnerability extremely dangerous and enables rapid, worm-like spreading within the network.
Evidence
The National Vulnerability Database (NVD) has listed the vulnerability since May 12, 2026. Microsoft has published official security advisories, and security researchers from “Cybersecurity News” confirmed on June 1, 2026, that exploit code is being actively used in the wild. The attacks primarily target Windows Server instances that expose the Netlogon service to the internet or large internal networks.
Analysis
Technically, the problem lies in the insufficient validation of input data during the processing of RPC (Remote Procedure Call) requests by the Netlogon service. This is reminiscent of historical vulnerabilities like “Zerologon,” but is potentially more reliably exploitable due to the stack-based overflow. The speed at which it transitioned from discovery to active exploitation suggests sophisticated actors.
Practical Takeaways
- Immediate Patching: Promptly install the security updates provided by Microsoft for all Windows Server systems, especially domain controllers.
- Network Segmentation: Ensure that domain controllers are not directly accessible from the internet. RPC ports should be strictly monitored and restricted.
- Monitoring: Check your event logs for unusual Netlogon activity or crashes of the LSASS process that could indicate exploit attempts.
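As an added illustration of the monitoring takeaway (not part of the original article), the following Python triage script flags the two indicators the article names, LSASS crashes and bursts of Netlogon failures, in a constructed set of exported event records. Event ID 1000 (Application Error) and NETLOGON event 5805 (session setup failed to authenticate) are well-known Windows events; the record shape, the sample data and the five-minute/three-event threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in the shape of a Get-WinEvent export (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2026-06-01T08:00:01", "log": "System", "provider": "NETLOGON", "id": 5805,
     "message": "The session setup from the computer WS-17 failed to authenticate."},
    {"time": "2026-06-01T08:00:04", "log": "System", "provider": "NETLOGON", "id": 5805,
     "message": "The session setup from the computer WS-17 failed to authenticate."},
    {"time": "2026-06-01T08:00:09", "log": "System", "provider": "NETLOGON", "id": 5805,
     "message": "The session setup from the computer WS-17 failed to authenticate."},
    {"time": "2026-06-01T08:00:12", "log": "Application", "provider": "Application Error", "id": 1000,
     "message": "Faulting application name: lsass.exe, version: 10.0.20348.1, time stamp: 0x00000000"},
    {"time": "2026-06-01T11:30:00", "log": "System", "provider": "NETLOGON", "id": 5805,
     "message": "The session setup from the computer WS-02 failed to authenticate."},
]

def lsass_crashes(events):
    """Application Error (ID 1000) records whose faulting application is lsass.exe."""
    return [e for e in events
            if e["log"] == "Application" and e["id"] == 1000
            and "lsass.exe" in e["message"].lower()]

def netlogon_failure_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Map client name -> largest number of NETLOGON failures seen inside one window.

    Only clients reaching `threshold` are returned; the threshold is an assumed tuning value.
    """
    per_client = {}
    for e in events:
        if e["provider"] != "NETLOGON":
            continue
        m = re.search(r"from the computer (\S+) failed", e["message"])
        client = m.group(1) if m else "<unknown>"
        per_client.setdefault(client, []).append(datetime.fromisoformat(e["time"]))
    bursts = {}
    for client, times in sorted(per_client.items()):
        times.sort()
        for i, start in enumerate(times):
            # count failures from this one forward that still fall inside the window
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                bursts[client] = max(bursts.get(client, 0), n)
    return bursts

if __name__ == "__main__":
    for e in lsass_crashes(SAMPLE_EVENTS):
        print("LSASS crash at", e["time"])
    for client, n in netlogon_failure_bursts(SAMPLE_EVENTS).items():
        print(f"Netlogon failure burst: {n} failures from {client}")
```

An LSASS crash a few seconds after a burst of failed Netlogon session setups from one client is the pattern worth escalating; single failures from many clients are usually ordinary trust or password issues.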
Open Questions
- How many organizations have already been successfully compromised?
- Are there variants of the exploit that can bypass current EDR (Endpoint Detection and Response) solutions?
- How effective are Microsoft’s temporary workarounds compared to a full patch?