The Centre for Cybersecurity Belgium (CCB), the country's national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vulnerability in attacks.
Netlogon is a remote procedure call (RPC) interface and a core Microsoft Windows Server background service that authenticates services and users on Windows domain-based networks.
Microsoft patched this vulnerability (CVE-2026-41089) during the May 2026 Patch Tuesday, describing it as a stack-based buffer overflow in Windows Netlogon that allows attackers without privileges to gain remote code execution on targeted domain controllers.
"An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller," it said. "If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access."
CVE-2026-41089 impacts all currently supported Windows Server versions, including the latest release, Windows Server 2025.
According to a security advisory published by the company on May 12, the vulnerability was discovered by Windows Attack Research & Protection (WARP), an internal offensive cybersecurity and engineering research team at Microsoft.
On Friday, Belgium's national cybersecurity authority (CCB) warned that attackers are now actively exploiting the CVE-2026-41089 security flaw in the wild and urged admins to immediately patch vulnerable servers.
"CVE-2026-41089 in #Windows #Netlogon is now actively #exploited in the wild and could lead to #RCE. CVSS(3.1): 9.8," the CCB warned in a Friday tweet. "Patch as quickly as possible."
CVE-2026-41089 active exploitation alert (CCB)
However, the CCB didn't provide further details on these ongoing attacks and didn't respond to a BleepingComputer request for more information.
Microsoft has yet to update its advisory, and a company spokesperson didn't reply to an email from BleepingComputer requesting confirmation that CVE-2026-41089 is now actively exploited.
Two weeks ago, Microsoft shared mitigation measures for YellowKey (CVE-2026-45585), a Windows BitLocker zero-day vulnerability that grants access to protected drives, described as a backdoor by anonymous security researcher 'Nightmare Eclipse,' who also disclosed it and published a proof-of-concept (PoC) exploit.
Initially, Microsoft reacted to Nightmare Eclipse with thinly veiled threats of legal action, followed by a tweet saying that the company "will work with law enforcement as appropriate" when "an individual breaks the law and engages in malicious activity causing real harm to our customers."
<small>Source: Bleeping Computer</small>