Published on June 1, 2026
Windows Netlogon 0-Click RCE Flaw Exploited in the Wild
Severity
Critical
Detail
A critical vulnerability has been identified in Microsoft Windows Netlogon, affecting Windows Server domain controllers. The flaw, tracked as CVE-2026-41089, is a zero-click remote code execution (RCE) vulnerability that allows an unauthenticated attacker to execute arbitrary code with SYSTEM-level privileges by sending specially crafted Netlogon network requests. The vulnerability poses a significant risk to organizations relying on Active Directory environments as it can be exploited without user interaction, authentication, or local access.
The vulnerability resides in the way the Netlogon service processes specially crafted network traffic. Successful exploitation enables attackers to gain full control of a domain controller, potentially leading to complete domain compromise. Microsoft addressed the flaw as part of its May 2026 Patch Tuesday release; however, security researchers and the Centre for Cybersecurity Belgium (CCB) have confirmed that the vulnerability is already being actively exploited in the wild.
Given the critical role of domain controllers in managing authentication, authorization, and access control across enterprise environments, exploitation of this vulnerability could allow attackers to deploy malware or ransomware through Group Policy, create privileged accounts, disable security controls, move laterally across networks, and access sensitive systems connected to Active Directory.
| CVE ID | Summary | CVSS Score |
|---|---|---|
| CVE-2026-41089 | Improper handling of specially crafted Netlogon network requests allows an unauthenticated attacker to achieve remote code execution with SYSTEM-level privileges on Windows domain controllers. | 9.9 (Critical) |
Affected Products
The vulnerability affects the following systems:
- Microsoft Windows Server 2012 and later versions configured as Active Directory Domain Controllers.
- Systems running the Netlogon service exposed to reachable network segments.
- Enterprise and hybrid Active Directory environments utilizing affected Windows Server versions.
Recommendation
Organizations are strongly advised to take the following actions to mitigate the risk of exploitation and reduce potential impact:
- Apply Microsoft’s May 2026 security updates immediately to all affected Windows Server domain controllers.
- Prioritize patching internet-facing and high-value domain controllers to reduce exposure.
- Monitor for suspicious Netlogon-related activity, unusual authentication events, and abnormal domain controller traffic.
- Review privileged account creation, group membership changes, and unexpected administrative activity.
- Strengthen network segmentation to restrict access to domain controllers and Netlogon services.
- Ensure domain controllers are not directly exposed to the internet and limit access to Netlogon services to trusted systems only.
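The following PowerShell triage helper is an added example and is not part of the CCB advisory; it supports the patch-status, account-creation and group-membership review steps above (it does not inspect Netlogon traffic itself). It assumes administrative rights on, or remote access to, a domain controller whose Security log still covers the lookback window, and since the advisory does not name the May 2026 KB number, the patch check only lists the most recent security updates for comparison with Microsoft's release notes.

```powershell
# Added triage helper, not part of the advisory. Assumptions: run with admin
# rights on (or against) a domain controller; Security log covers the window.
$ComputerName  = $env:COMPUTERNAME   # assumption: local DC; set a remote DC name if needed
$LookbackHours = 24

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
if ($os.ProductType -ne 2) { Write-Warning "$ComputerName is not a domain controller" }

# Most recent security updates; the May 2026 KB number is not given in the
# advisory, so compare this list against Microsoft's release notes manually.
Get-HotFix -ComputerName $ComputerName |
    Where-Object Description -like '*Security*' |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn |
    Format-Table -AutoSize

function Get-PrivilegedChangeEvents {
    # Standard Windows Security event IDs:
    #   4720               = user account created
    #   4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group
    param([string]$Computer, [datetime]$Since)
    $events = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4728, 4732, 4756
        StartTime = $Since
    }
    foreach ($e in $events) {
        # Read named EventData fields from the event XML so the output does not
        # depend on the differing positional property order of each event ID.
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Actor   = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
            Target  = $field['TargetUserName']   # new account (4720) or group name (47xx)
            Member  = $field['MemberName']       # DN of the added member (4728/4732/4756)
        }
    }
}

Get-PrivilegedChangeEvents -Computer $ComputerName -Since (Get-Date).AddHours(-$LookbackHours) |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it against each domain controller in turn, or feed the output into your SIEM, and treat any account creation or privileged-group addition that no change ticket explains as a lead for incident response.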
