Skip to content

Windows Netlogon Zero-Day Actively Exploited

Check Point Research · Story 3 of 6

A critical vulnerability in Microsoft Windows Netlogon is being actively exploited in attacks against Windows Server domain controllers. Tracked as CVE-2026-41089 with a CVSS score of 9.8, the flaw is a stack-based buffer overflow that allows unauthenticated remote code execution through crafted network requests.

Successful exploitation grants attackers SYSTEM-level control over domain controllers, effectively giving them the keys to the entire Active Directory environment. From there, attackers can pivot to any system in the domain, harvest credentials, deploy ransomware, or establish long-term persistence.

The vulnerability affects Windows Server versions running as domain controllers. Microsoft addressed the issue in its May 2026 Patch Tuesday release, but exploitation accelerated through June as threat actors scanned for unpatched systems. Belgium's Centre for Cybersecurity issued an urgent alert, and Check Point Research confirmed active exploitation in their June 8 threat intelligence report.

What makes this particularly dangerous is the attack surface. Netlogon is a core authentication service in Windows environments. It runs on every domain controller and is accessible over the network. Unlike many vulnerabilities that require user interaction or complex attack chains, this one can be triggered by sending a single crafted request to an exposed domain controller.

Organisations that have not yet applied the May 2026 patches should treat this as an emergency. Security researchers at Tanium, Orca Security, and Rapid7 have all published detailed analyses urging immediate remediation. If you run Windows domain controllers and haven't patched since May, you are likely already compromised or will be soon.

Analysis
Live

This is a patch-now-or-get-breached scenario. Every security team running Windows infrastructure should verify their domain controllers received the May 2026 patch. The CVSS 9.8 rating combined with active exploitation and network-accessible attack surface makes this one of the most dangerous vulnerabilities of the year. If your incident response plan doesn't include immediate patching workflows for this class of bug, rebuild it.

Frequently Asked Questions
How do I check if my server is vulnerable?

Any Windows Server domain controller without the May 2026 Patch Tuesday update is vulnerable. Check your KB number against the Microsoft Security Update Guide.