← All Posts

CVE-2026-41089: Windows Netlogon RCE Enables Unauthenticated Domain Controller Takeover

What Is Happening

CVE-2026-41089 is a critical stack-based buffer overflow in the Windows Netlogon service that allows an unauthenticated attacker to execute arbitrary code on a domain controller with SYSTEM-level privileges. No credentials, no user interaction, no prior foothold required. An attacker sends a specially crafted RPC request across the network and achieves full code execution on the most sensitive server in a Windows environment. Microsoft patched this vulnerability on May 12, 2026 as part of Patch Tuesday. As of June 1, 2026, it is actively exploited in the wild. The CVSS score is 9.8.

Netlogon is the Windows service that manages authentication and trust relationships within a domain. It is always network-accessible from inside the perimeter and often reachable from adjacent network segments. A domain controller running unpatched Netlogon is exposed to any machine that can reach it over the network, which in most environments means every internal workstation, server, or compromised device. There is no authentication requirement and no need for any prior access to the target system.

The impact extends well beyond the targeted domain controller. Successful exploitation gives an attacker SYSTEM on the DC, from which full Active Directory compromise follows directly: credential extraction for every account in the domain, golden ticket creation, DCSync attacks, and forest-wide lateral movement. This is the kind of vulnerability that turns a single unpatched server into a complete environment takeover within hours of initial access.

Affected Versions

Windows Server VersionPatch KBStatus
Windows Server 2022KB5059529Patch available - apply immediately
Windows Server 2019KB5059521Patch available - apply immediately
Windows Server 2016KB5059535Patch available - apply immediately
Windows Server 2012 R2KB5059546Patch available - apply immediately
Windows Server 2012KB5059561Patch available - apply immediately

Every supported Windows Server version configured as a domain controller is affected. The patch is included in the May 2026 Patch Tuesday cumulative update. Verify installation status with: Get-HotFix -Id KB5059529 (substitute the correct KB for your OS version). A system that has applied the May 2026 or later cumulative update is protected.

Critical note on partial patching: If your environment has multiple domain controllers, all of them must be patched in the same maintenance window. An attacker targeting this vulnerability will enumerate domain controllers and shift to whichever ones remain unpatched. Patch all DCs together or accept that you have not meaningfully reduced your exposure.

What Being on an Affected Version Means

Any machine that can reach a domain controller over TCP port 135 (RPC endpoint mapper) or the dynamic RPC port range can attempt exploitation of CVE-2026-41089. In most corporate environments, this is every workstation and server on the internal network. An attacker who has achieved any initial access to your environment, through phishing, a compromised workstation, or any other vector, can pivot directly to domain controller compromise in a single step with no additional credentials required.

The blast radius from SYSTEM on a domain controller is total. An attacker at that level can dump the entire Active Directory database, extract credentials for every user and service account in the domain, create persistent golden ticket access that survives password resets, disable logging and EDR, and move laterally to every system joined to the domain. In small and mid-size professional services environments where the domain controller also serves as DNS, DHCP, or file server, the exposure is amplified further. A single unpatched DC is the highest-risk asset in a Windows environment, and this vulnerability makes it directly reachable from anywhere inside your perimeter.

Mitigation Steps

  1. Apply the May 2026 cumulative update to all domain controllers in the same maintenance window. This is the only complete fix. Verify with: Get-HotFix | Where-Object {$_.InstalledOn -gt (Get-Date).AddDays(-45)} | Select-Object HotFixID, InstalledOn. Partial patching is not acceptable for this vulnerability.
  1. Restrict RPC access to domain controllers at the network level. If DCs are reachable from workstation VLANs, consider restricting Netlogon RPC (TCP 135 and dynamic RPC ports 49152-65535) to management subnets and other DCs only. Workstations authenticate via Kerberos on port 88 and do not require direct RPC access to DCs in most configurations.
  1. Hunt for indicators of prior exploitation. Review domain controller Security Event Log for: Event ID 4624 (logon type 3) from unexpected sources during May-June 2026, Event ID 4769 (Kerberos service ticket) for unusual service accounts, Event ID 1102 (audit log cleared) as a post-exploitation artifact, and Event ID 4720 (new account created) for unauthorized accounts created during this window.
  1. Verify EDR coverage on all domain controllers. EDR is frequently excluded from aggressive behavioral monitoring on DCs to avoid false positives. Confirm your endpoint detection is deployed, active, and in prevention mode on every domain controller. An unmonitored DC makes post-exploitation activity invisible.
  1. Run an authenticated vulnerability scan against domain controllers. Authenticated scanning will confirm patch installation and surface additional exposures on these high-priority assets. Unauthenticated scans cannot confirm patch status or detect many critical DC misconfigurations.
  1. Enable Windows Defender Credential Guard if not already active. This does not prevent exploitation of CVE-2026-41089, but limits the value of post-exploitation credential harvesting from LSASS on the domain controller.

This is a P0 vulnerability with active exploitation confirmed. Every unpatched domain controller is a direct path to full environment compromise. Patch within 24 hours.

Concerned about your exposure?

Find out what's exploitable in your environment.

Request Free Assessment