A critical Windows Netlogon RCE flaw is now used in attacks

The Center for Cybersecurity Belgium (CCB), the country's national cybersecurity authority, warned on Friday that threat actors are now exploiting a recently disclosed Windows Netlogon vulnerability in attacks.

Netlogon is a remote procedure call (RPC) interface and backend service for Microsoft Windows Server that authenticates services and users on Windows domain-based networks.

Microsoft patched this vulnerability (CVE-2026-41089) as part of the May 2026 Patch Tuesday, describing it as a stack-based buffer overflow in Windows Netlogon that allows unauthenticated, unprivileged attackers to gain remote code execution on targeted domain controllers.

“An attacker can send a specially crafted network request to a Windows server acting as a domain controller,” Microsoft said. “If successful, this could cause the Netlogon service to handle the request improperly, which could allow an attacker to execute code on an affected system without requiring login or prior access.”

CVE-2026-41089 affects all currently supported versions of Windows Server, including the latest release, Windows Server 2025.

According to a security advisory published by the company on May 12, the vulnerability was discovered by Windows Attack Research & Protection (WARP), an internal cybersecurity attack and engineering research team at Microsoft.

On Friday, Belgium’s national cybersecurity agency (CCB) warned that attackers are now exploiting the CVE-2026-41089 security flaw in the wild and urged administrators to patch vulnerable servers immediately.

“CVE-2026-41089 in #Windows #Netlogon is now #widespread in the wild and can lead to #RCE. CVSS(3.1): 9.8,” CCB warned in a Friday tweet. “Patch as soon as possible.”

CVE-2026-41089 active exploitation alert (CCB)

However, CCB did not provide further details about this ongoing attack and did not respond to BleepingComputer’s request for more information.

Microsoft has yet to update its advisory, and a company spokesperson did not respond to an email from BleepingComputer seeking confirmation that CVE-2026-41089 is now being exploited.

Two weeks ago, Microsoft shared measures to mitigate YellowKey (CVE-2026-45585), a Windows BitLocker vulnerability that provides access to protected drives, which was disclosed by the anonymous security researcher ‘Nightmare Eclipse,’ who also published a proof of concept (PoC).

A few months ago, Nightmare Eclipse also disclosed the BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091) zero-day exploits (both now used in attacks), the GreenPlasma and MiniPlasma zero-day exploits, and UnDefend (CVE-2026-45498), another zero-day vulnerability that attackers with normal user permissions can use to block Microsoft Defender definition updates.

Initially, Microsoft responded to Nightmare Eclipse with thinly veiled threats of legal action, followed by a tweet saying the company would “work with law enforcement appropriately” when “someone breaks the law and does bad work that really hurts our customers.”
