InSEKurity of the Week (CW22/2026): Windows Netlogon Pre-Auth RCE on Domain Controllers (CVE-2026-41089)
Critical stack-based buffer overflow in Windows Netlogon lets unauthenticated attackers run SYSTEM code on any Windows domain controller over the network -- now under active exploitation
This week in our InSEKurity of the Week series: a critical stack-based buffer overflow in Windows Netlogon that lets an unauthenticated remote attacker execute code with SYSTEM privileges on a Windows domain controller — no credentials, no user interaction, just a specially crafted network request. Microsoft shipped the fix in the May 12, 2026 Patch Tuesday rollup, but it was not weaponized at release. That changed at the end of May: Belgium’s national cybersecurity authority (CCB) and multiple vendors confirmed active exploitation in the wild, and a flaw in the Netlogon Remote Protocol that grants instant domain-controller takeover sits squarely in the lineage of Zerologon. If you run Active Directory — and almost every enterprise does — patching your domain controllers is the single most important thing on your queue this week.
🚨 Summary
- CVE ID: CVE-2026-41089
- CVSS 3.1 Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-121 (Stack-based Buffer Overflow)
- Affected Software: Windows Netlogon (netlogon.dll) on Windows Server acting as a domain controller — Windows Server 2012, 2012 R2, 2016, 2019, 2022, 23H2, and 2025 (including Server Core)
- Attack Vector: Network (remote, unauthenticated) — crafted Netlogon Remote Protocol (MS-NRPC) request to a domain controller
- Authentication Required: None
- User Interaction: None
- Impact: Remote code execution as SYSTEM on the domain controller — full Active Directory compromise
- Patch Status: ✅ Available (Microsoft, May 12, 2026 Patch Tuesday)
- Published: May 12, 2026 (NVD / MSRC)
- Exploitation Status: Active exploitation in the wild confirmed in late May 2026 (Belgium CCB warning); not a zero-day at patch time
- CISA KEV: Not listed at time of writing (2026-06-02); active exploitation already reported by a national CERT
🖥️ What is Windows Netlogon?
Netlogon is the Windows component responsible for authenticating users and machines against Active Directory and for maintaining the secure channel between domain members and domain controllers. It is implemented as a service (Netlogon, hosted in netlogon.dll) and is reachable through the Netlogon Remote Protocol (MS-NRPC), an RPC interface exposed by every domain controller. Netlogon handles machine-account password changes, NTLM pass-through authentication, DC locator queries, and the establishment of the secure channel that underpins trust inside a domain.
Because Netlogon is a core authentication primitive, it is always listening on every domain controller. The MS-NRPC interface is reachable over RPC — both via the \PIPE\NETLOGON named pipe over SMB (TCP/445) and via dynamically assigned RPC ports brokered by the endpoint mapper (TCP/135). There is no “turn it off” option: a functioning Active Directory domain requires Netlogon to be available to every member host. This is exactly what made the 2020 Zerologon flaw (CVE-2020-1472) so devastating, and CVE-2026-41089 lands in the same protocol.
Typical Use Cases
- Machine authentication: domain-joined computers use Netlogon’s secure channel to authenticate to the domain and rotate their machine-account passwords.
- NTLM pass-through authentication: member servers forward NTLM authentication requests to a domain controller via Netlogon.
- DC locator: clients query Netlogon to find the nearest available domain controller.
- Trust relationships: cross-domain and cross-forest trusts rely on Netlogon secure channels between domain controllers.
- Group Policy and logon processing: interactive and network logons across the domain depend on Netlogon being healthy.
Because Netlogon is mandatory on every domain controller and reachable from every domain member, the attack surface is every Active Directory environment on the planet that has not patched.
🔍 Technical Analysis
Vulnerability Description
CVE-2026-41089 is a stack-based buffer overflow (CWE-121) in the Windows Netlogon service. According to Microsoft, an unauthenticated attacker can send a specially crafted Netlogon Remote Protocol request to a Windows server acting as a domain controller, causing Netlogon to mishandle the request and execute attacker-controlled code in the context of the service — which runs as SYSTEM.
The decisive property is that the vulnerable code path is reachable before authentication completes. MS-NRPC exposes operations that a caller can invoke prior to establishing a fully authenticated secure channel (for example, the challenge / negotiation exchange used to bootstrap that channel). The overflow occurs while the service parses an attacker-controlled field in one of these early-stage requests, so no valid domain credentials are required to reach the bug.
Root Cause Analysis
- Unbounded copy into a fixed-size stack buffer in the Netlogon request-parsing path: an attacker-controlled length or field from the MS-NRPC request is copied into a stack buffer without a proper bounds check (CWE-121).
- Pre-authentication reachability: the affected handler runs during the early Netlogon negotiation, before the secure channel is authenticated, so the attacker does not need credentials.
- Service runs as SYSTEM: Netlogon executes in a highly privileged context on the domain controller, so memory corruption translates directly into SYSTEM-level code execution rather than a constrained service identity.
- Network-reachable RPC interface: MS-NRPC is exposed over the \PIPE\NETLOGON named pipe (SMB, TCP/445) and over endpoint-mapper-brokered RPC (TCP/135), both of which are open on every domain controller by design.
- No user interaction and low complexity: the request can be delivered directly over the network without any victim action, which is reflected in the CVSS AC:L/UI:N/PR:N metrics.
- Shared component across all Windows Server releases: the same Netlogon implementation ships across Server 2012 through 2025, so the entire supported domain-controller fleet is in scope.
Attack Vector
A typical exploitation flow looks like this:
# Step 1: Enumerate domain controllers in the target environment.
# DCs expose the Netlogon RPC interface; the RPC endpoint mapper on
# TCP/135 and SMB on TCP/445 are the relevant entry points.
nmap -p 135,445 --open -oG dc-candidates.gnmap 10.0.0.0/24
# Confirm the host is a domain controller by querying the endpoint
# mapper for the Netlogon (MS-NRPC) interface UUID.
impacket-rpcdump '10.0.0.10' | grep -i -A2 "MS-NRPC\|netlogon\|12345678-1234-abcd"
# Step 2: Bind to the Netlogon RPC interface over the \PIPE\NETLOGON
# named pipe (no authentication required for the early negotiation
# exchange). This is the same transport Zerologon abused.
python3 - <<'PY'
# Illustrative only -- this does NOT trigger CVE-2026-41089. It shows
# how an unauthenticated client reaches the MS-NRPC interface that
# contains the vulnerable parser.
from impacket.dcerpc.v5 import transport, nrpc
dc_ip = "10.0.0.10"
dc_name = "DC01"
# Connect over SMB null session to the \PIPE\NETLOGON endpoint.
binding = rf"ncacn_np:{dc_ip}[\PIPE\NETLOGON]"
rpc = transport.DCERPCTransportFactory(binding)
dce = rpc.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC) # bind succeeds pre-auth
# A real exploit would now send a crafted negotiation request whose
# over-long field overflows the fixed stack buffer in netlogon.dll.
print("[+] Bound to MS-NRPC on", dc_name, "- pre-auth reachable")
PY
# Step 3: On a successful overflow, control of the stack lands the
# attacker in SYSTEM context on the DC. Stage a payload and catch the
# resulting SYSTEM shell / C2 beacon.
nc -nvlp 4444
The snippet above is illustrative only — it reaches the MS-NRPC interface but does not trigger CVE-2026-41089. The actual flaw is in the parsing of a crafted Netlogon request; any functionally equivalent request that overflows the vulnerable stack buffer can reach the bug.
A simplified protocol-level view of the attack:
Attacker                                                 Victim (Windows Domain Controller)
   |                                                        |
   |  RPC bind to MS-NRPC (\PIPE\NETLOGON over TCP/445)     |
   |------------------------------------------------------->|  no auth required
   |                                                        |  for early negotiation
   |  crafted Netlogon request, over-long field             |
   |------------------------------------------------------->|  netlogon.dll copies
   |                                                        |  field into a fixed
   |                                                        |  stack buffer w/o
   |                                                        |  bounds check
   |                                                        |  => stack overflow
   |                                                        |
   |<-- SYSTEM shellcode / C2 beacon -----------------------|  control of return
   |                                                        |  address -> SYSTEM RCE
   v                                                        v
Exploitation in the Wild
- 2026-05-12 — Microsoft ships the fix in the May 2026 Patch Tuesday rollup. At release, the bug is not publicly known or under active attack; it was found internally by Microsoft’s Windows Attack Research & Protection (WARP) team.
- 2026-05-13 onward — Vendors (BleepingComputer, The Hacker News, Rapid7, Action1) flag CVE-2026-41089 as the top-priority item of the May release, alongside the equally critical Windows DNS RCE (CVE-2026-41096, also CVSS 9.8).
- Late May 2026 (CW22) — Belgium’s Centre for Cybersecurity (CCB) issues a dedicated warning that attackers are actively exploiting CVE-2026-41089 in the wild and urges administrators to patch domain controllers immediately.
- 2026-06-02 — At the time of writing, exploitation is confirmed by a national CERT; the CVE is not yet listed in the CISA KEV catalog but should be treated as actively exploited.
Post-Exploitation Impact
- SYSTEM on a domain controller: a successful exploit is the highest-value foothold in a Windows environment — the attacker controls the authority that issues every Kerberos ticket and validates every logon.
- Full Active Directory compromise: from SYSTEM on a DC, an attacker can read the ntds.dit database, perform DCSync to extract every account’s credentials (including krbtgt), and forge Golden Tickets.
- Domain-wide persistence: with the krbtgt hash, the attacker can mint Kerberos tickets for any identity at will, surviving password resets of individual users.
- Lateral movement everywhere: domain-admin-equivalent control means trivial movement to every member server and workstation in the domain (and across trusts).
- Defense evasion: SYSTEM on a DC enables tampering with audit policy, Group Policy, and security tooling pushed from the domain.
- Denial of service: even failed exploitation attempts are likely to crash the Netlogon service or bugcheck the DC, disrupting authentication domain-wide.
⚠️ Impact Assessment
Immediate Impact
- Pre-auth, network-reachable, CVSS 9.8: no credentials, no user interaction — the attacker only needs network access to a domain controller.
- SYSTEM RCE on a DC = game over: this is not a foothold that requires a separate privilege-escalation step; it is direct control of the identity tier of the network.
- Massive footprint: every supported Windows Server release running as a domain controller ships the vulnerable Netlogon code.
- Zerologon lineage: MS-NRPC has produced catastrophic, mass-exploited bugs before; defenders should assume rapid weaponization and scanning.
- The patch is the only durable fix: there is no supported way to disable Netlogon on a domain controller.
Affected Versions
| Platform | Vulnerable | Fixed In |
|---|---|---|
| Windows Server 2025 (Domain Controller) | All pre-May 2026 builds | May 2026 Cumulative Update |
| Windows Server 2022 / 23H2 (incl. Server Core) | All pre-May 2026 builds | May 2026 Cumulative Update |
| Windows Server 2019 | All pre-May 2026 builds | May 2026 Cumulative Update |
| Windows Server 2016 | All pre-May 2026 builds | May 2026 Cumulative Update |
| Windows Server 2012 / 2012 R2 (ESU) | All pre-May 2026 builds | May 2026 Monthly Rollup (ESU) |
The vulnerable code path is only exploitable on servers running the domain controller role (where the Netlogon RPC server is exposed). Microsoft’s advisory is the authoritative source for the exact KB article and build number per product; always cross-reference MSRC CVE-2026-41089 before deploying.
Affected Environments
- Every Active Directory domain: any environment with one or more Windows domain controllers that have not applied the May 2026 (or later) cumulative update.
- Hybrid AD / Entra-joined estates: on-premises domain controllers remain in scope even where cloud identity is also in use.
- Multi-forest and trust topologies: DC-to-DC Netlogon secure channels expand the reachable surface across trusts.
- Internet-exposed DCs (rare but real): any domain controller reachable from untrusted networks on TCP/135 or TCP/445 is at immediate, severe risk.
- MSP / managed AD: shared infrastructure amplifies the blast radius across multiple customer domains.
Attacker Profiles
- Ransomware operators: domain-controller SYSTEM is the prize that precedes mass encryption; this CVE is a direct shortcut to it.
- Initial-access brokers: a reliable pre-auth DC RCE is among the most valuable accesses sold on criminal markets.
- APT groups: stealthy, credential-rich control of the identity tier enables long-dwell espionage and supply-chain pivoting.
- Internal attackers: any actor with internal network reach to a DC (a compromised workstation, a rogue insider) can escalate straight to domain dominance.
- Opportunistic scanners: once a public PoC drops, internet- and internal-facing DCs will be swept en masse.
🛡️ Mitigation Strategies
Immediate Actions (Priority 1) ⚡
- Apply the May 2026 Cumulative Update to every domain controller first, then all Windows Servers:
# Run as Administrator on each DC - inventory the current build and
# install pending updates non-interactively. DCs are tier-0 assets:
# patch them ahead of everything else.
Get-ComputerInfo | Select-Object OsName, OsVersion, OsBuildNumber
# Requires the PSWindowsUpdate module:
# Install-Module PSWindowsUpdate -Force
Import-Module PSWindowsUpdate
Get-WindowsUpdate -MicrosoftUpdate -Install -AcceptAll `
    -IgnoreReboot -Verbose
- Confirm netlogon.dll has been patched by checking its file version against Microsoft’s advisory build:
# netlogon.dll lives in %SystemRoot%\System32. The May 2026 update
# bumps its FileVersion - compare against the build listed in MSRC
# for your specific Windows Server release.
Get-Item C:\Windows\System32\netlogon.dll | Select-Object Name, VersionInfo
- Restrict RPC reachability to domain controllers to trusted management and member subnets while patches roll out:
# Emergency stop-gap: limit inbound TCP/135 (RPC endpoint mapper) and
# TCP/445 (SMB / \PIPE\NETLOGON) on DCs to known-good source ranges.
# Domain members legitimately need Netlogon, so scope carefully to
# your client/server subnets - do NOT block them outright.
New-NetFirewallRule -DisplayName "Restrict DC RPC (CVE-2026-41089)" `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort 135,445 -RemoteAddress 10.0.0.0/8 -Profile Domain
# Windows Firewall evaluates block rules ahead of allow rules, so a
# block on -Profile Any would also cut off the trusted range above and
# take every domain member offline. Keep the block on the non-domain
# profiles, and scope the built-in DC RPC/SMB allow rules (which allow
# from Any by default) to the same trusted ranges with Set-NetFirewallRule.
New-NetFirewallRule -DisplayName "Block external DC RPC (CVE-2026-41089)" `
    -Direction Inbound -Action Block -Protocol TCP `
    -LocalPort 135,445 -Profile Private,Public
- Ensure no domain controller is reachable from the internet on TCP/135 or TCP/445:
# From an external vantage point, confirm DC RPC/SMB ports are NOT
# exposed. Any open result here is a critical, immediate finding.
nmap -Pn -p 135,445 <public_ip_or_range>
- Reboot and verify: the cumulative update only takes effect after installation completes and the DC is rebooted. Patch and reboot DCs in a sequence that preserves authentication availability.
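To turn the per-DC version check above into a fleet-wide answer, here is an added example (not code from the original post): it queries every domain controller for the netlogon.dll version resource and for a pending reboot, and reports which DCs are actually protected. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs; the version passed to the function is a placeholder that must be replaced with the value MSRC lists for each Windows Server release.

```powershell
# Added example, not from the original post. Checks every DC in the
# current domain for a patched netlogon.dll AND a completed reboot.
Import-Module ActiveDirectory

function Test-DcNetlogonPatch {
    [CmdletBinding()]
    param(
        # Minimum patched netlogon.dll version - PLACEHOLDER semantics:
        # take the real value per Windows Server release from MSRC.
        [Parameter(Mandatory)] [version] $MinimumVersion,
        # Defaults to every domain controller in the current domain.
        [string[]] $ComputerName = (Get-ADDomainController -Filter * |
                                     Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $ComputerName) {
        $result = [pscustomobject]@{
            DomainController = $dc
            NetlogonVersion  = $null
            RebootPending    = $null
            Protected        = $false
            Error            = $null
        }
        try {
            $remote = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                $dll = Get-Item "$env:SystemRoot\System32\netlogon.dll"
                [pscustomobject]@{
                    # FileVersionRaw is read from the binary's version
                    # resource; the FileVersion string can be stale after
                    # servicing, so it is the wrong thing to compare.
                    Version       = $dll.VersionInfo.FileVersionRaw.ToString()
                    # Component Based Servicing sets this key while an
                    # installed update is still waiting for a reboot.
                    RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
                }
            }
            $result.NetlogonVersion = [version] $remote.Version
            $result.RebootPending   = $remote.RebootPending
            # A DC is only protected once the patched DLL is on disk and
            # the service has been restarted by the reboot.
            $result.Protected = ($result.NetlogonVersion -ge $MinimumVersion) -and
                                (-not $remote.RebootPending)
        }
        catch {
            # Unreachable DCs are reported, not silently skipped.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Example run - '10.0.0.0' is a PLACEHOLDER, substitute the MSRC value.
Test-DcNetlogonPatch -MinimumVersion '10.0.0.0' |
    Sort-Object Protected |
    Format-Table -AutoSize
```

Any row with Protected = False or a non-empty Error column is a DC that still needs attention before the estate can be called patched.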
Detection Measures 🔍
No Microsoft-published IoCs exist at the time of writing. Hunt for the symptoms of exploitation: Netlogon service crashes, unexpected SYSTEM activity on DCs, and anomalous RPC/Netlogon traffic.
# Look for Netlogon service crashes / restarts - a failed overflow
# attempt frequently crashes the service before it succeeds.
Get-WinEvent -FilterHashtable @{
LogName = 'System'
ProviderName = 'Service Control Manager'
} -MaxEvents 500 |
Where-Object { $_.Message -match 'Netlogon' } |
Select-Object TimeCreated, Id, Message
# Application crash (Event ID 1000) referencing netlogon.dll or lsass
# - review faulting module and offsets for signs of memory corruption.
Get-WinEvent -FilterHashtable @{
LogName = 'Application'
ProviderName = 'Application Error'
Id = 1000
} -MaxEvents 200 |
Where-Object { $_.Message -match 'netlogon|lsass' } |
Select-Object TimeCreated, Id, Message
# Netlogon events in the System log (source NETLOGON) - surges of
# failed secure-channel negotiations from unexpected source hosts can
# precede exploitation.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
} -MaxEvents 500 |
Select-Object TimeCreated, Id, Message
EDR / Sysmon hunting:
# Hunt on domain controllers specifically:
# - Unexpected child processes of lsass.exe / services hosting
# Netlogon, or new SYSTEM processes spawned without a clear parent.
# - New service or driver installs on DCs outside maintenance
# windows (Sysmon Event ID 6 / 13).
# - DCSync-style replication requests (DRSUAPI GetNCChanges) from
# hosts that are NOT domain controllers - a classic post-exploit
# credential-theft signature.
Network-side hunting:
- Alert on inbound TCP/135 and TCP/445 to domain controllers from hosts that are not legitimate domain members or management stations.
- Alert on anomalous MS-NRPC (Netlogon) RPC volume or malformed Netlogon requests where IDS/IPS coverage exists.
- Watch for replication (DRSUAPI) traffic originating from non-DC hosts — a strong indicator of post-exploitation DCSync.
- Deploy vendor IDS/IPS signatures for CVE-2026-41089 as they become available (Snort/Suricata, plus firewall vendor coverage).
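The DCSync indicator named in both the EDR/Sysmon list and the network-side list above can be hunted from the DC's own Security log; the following is an added example, not code from the original post. It reads event 4662, keeps only entries that exercised the directory replication control-access rights, and reports every requesting principal that is not a domain controller's computer account. It assumes the ActiveDirectory RSAT module, "Audit Directory Service Access" enabled on the DC (otherwise 4662 is never written), and remote event-log access.

```powershell
# Added example, not from the original post: DCSync hunting via 4662.
Import-Module ActiveDirectory

# Control-access right GUIDs that a replication (DCSync) read exercises.
$ReplicationRights = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcaf'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcaf'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-SuspiciousReplication {
    [CmdletBinding()]
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,      # DC whose log to read
        [datetime] $StartTime    = (Get-Date).AddDays(-1)
    )

    # Computer accounts of real DCs (e.g. DC01$) are the only principals
    # expected to pull replication data; anything else is a finding.
    $dcAccounts = Get-ADDomainController -Filter * |
        ForEach-Object { '{0}$' -f $_.Name }

    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4662
        StartTime = $StartTime
    }

    foreach ($ev in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml] $ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # The Properties field lists the control-access GUIDs that were used;
        # keep only events that touched a replication right.
        $hit = $ReplicationRights | Where-Object { $data['Properties'] -match $_ }
        if (-not $hit) { continue }

        $subject = $data['SubjectUserName']
        if ($dcAccounts -contains $subject) { continue }   # normal DC-to-DC replication

        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            Subject     = "$($data['SubjectDomainName'])\$subject"
            LogonId     = $data['SubjectLogonId']
            Rights      = ($hit -join ', ')
            Object      = $data['ObjectName']
        }
    }
}

Find-SuspiciousReplication | Format-Table -AutoSize
```

Directory-synchronisation service accounts (for example an Entra Connect account) legitimately hold these rights and will appear here; allow-list them explicitly rather than widening the DC filter.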
Long-term Security Improvements
- Tier-0 patch SLAs: domain controllers and other identity-tier systems deserve a 24-72h critical-CVE SLA, not the default monthly cadence.
- Segment and shield DCs: restrict which networks can reach DC RPC/SMB ports; no domain controller should ever be internet-reachable.
- Monitor MS-NRPC as a crown-jewel protocol: after Zerologon, Netlogon deserves dedicated detection content and baselining.
- Enforce DCSync detection: alert on replication requests from non-DC principals; this catches the most common post-exploitation step.
- Assume-breach for the identity tier: rehearse incident response for a compromised DC, including krbtgt double-reset procedures and forest-recovery playbooks.
- Continuous AD attack-path assessment: know which hosts can reach DCs and which identities could pivot to tier-0 if a single server falls.
🎯 Why is this Critical?
- Pre-auth SYSTEM RCE on a domain controller: the highest-impact outcome a single network bug can produce in a Windows environment.
- No prerequisites: no credentials, no user interaction, low attack complexity — just network access to a DC.
- Active exploitation confirmed: a national CERT (Belgium CCB) has warned that attackers are exploiting it in the wild, while many estates are still unpatched.
- Zerologon lineage: MS-NRPC has produced mass-exploited, headline-grade bugs before; defenders should expect rapid commoditization.
- Universal footprint: every supported Windows Server release running as a DC is affected — this is not a niche configuration.
- Direct path to ransomware and full compromise: DC SYSTEM is exactly the access ransomware affiliates and APTs need to own the entire domain.
- The patch is the only durable answer: Netlogon cannot be disabled on a DC; segmentation and monitoring are stop-gaps, not fixes.
🚀 Timeline and Disclosure
- 2026-05-12 — Microsoft publishes CVE-2026-41089 in the May 2026 Patch Tuesday release; the bug was found internally by Microsoft’s WARP team and was not under active attack at release.
- 2026-05-12 — NVD / MSRC publish the CVSS 3.1 assessment: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- 2026-05-13 onward — Security press and vendors flag it as the top item of the May release, alongside the Windows DNS RCE (CVE-2026-41096, also CVSS 9.8).
- Late May 2026 (CW22) — Belgium’s Centre for Cybersecurity (CCB) warns of active exploitation in the wild and urges immediate patching of domain controllers.
- 2026-06-02 — Exploitation confirmed by a national CERT; CVE not yet listed in the CISA KEV catalog at the time of writing.
🔗 Resources and References
- CVE: CVE-2026-41089
- NVD: NVD — CVE-2026-41089
- MSRC Advisory: Microsoft Security Update Guide — CVE-2026-41089
- CWE: CWE-121: Stack-based Buffer Overflow
- CISA KEV Catalog: Known Exploited Vulnerabilities
💼 SEKurity Supports You
Vulnerabilities like CVE-2026-41089 are a reminder that the identity tier — Active Directory and the domain controllers that run it — is the real crown jewel of a Windows estate. A single unauthenticated bug in Netlogon collapses the distance between “an attacker on your network” and “an attacker who owns your entire domain.” We help organizations measure their real exposure, validate that domain controllers are genuinely patched, and stress-test whether a tier-0 compromise would be detected before it became a domain-wide incident. Our Active Directory penetration testing maps the attack paths that turn a single foothold into total domain control — exactly the chain this CVE shortcuts.
Our Services
- Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
- Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
- Security Awareness: Phishing campaigns, hacking demonstrations
Act now — before attackers do.
Contact:
🌐 Website: www.sekurity.de
📧 Inquiries: www.sekurity.de/kontakt
📱 LinkedIn: SEKurity GmbH
Your SEKurity Team — Your Trusted Adversaries
The security of your Active Directory is our drive.
Sources
- CVE-2026-41089 Detail — NVD
- Windows Netlogon Remote Code Execution Vulnerability — MSRC
- Critical Windows Netlogon remote code execution flaw now exploited in attacks — BleepingComputer
- Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws — The Hacker News
- Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited in the Wild — Cyber Security News
- Microsoft Windows: CVE-2026-41089 — Rapid7
- CVE-2026-41089 Netlogon RCE: Why Windows Domain Controllers Must Patch First — Windows News
- CWE-121: Stack-based Buffer Overflow — MITRE
- Known Exploited Vulnerabilities Catalog — CISA
About the Author
SEKurity Team
Offensive Security Experts
The SEKurity GmbH team consists of experienced penetration testers, security researchers, and cybersecurity consultants. Under the motto 'Your Trusted Adversaries', we support organizations in evaluating their IT security from an attacker's perspective and improving it.