Particle.news

Belgium Says Critical Windows Netlogon Flaw Is Being Actively Exploited

The bug allows unauthenticated attackers to run code on domain controllers and could enable rapid compromise of entire Windows domains.

Overview

  • Belgium’s national cybersecurity agency, the Centre for Cybersecurity Belgium (CCB), warned this week that CVE-2026-41089 is being exploited in the wild and urged administrators to patch domain controllers immediately.
  • The vulnerability is a stack-based buffer overflow in the Netlogon service that can be triggered by a specially crafted network request, allowing attackers to execute code on a domain controller without signing in.
  • Microsoft patched the flaw across supported Windows Server releases on Patch Tuesday, May 12, 2026, but the company had not publicly confirmed active exploitation when CCB issued its alert.
  • Security guidance for administrators includes applying Microsoft patches or third-party micropatches for legacy servers, updating all domain controllers in the same maintenance window, restricting Netlogon traffic at the network layer, and monitoring for Netlogon crashes or unusual authentication traffic.
  • Netlogon handles core domain authentication, so a compromised domain controller can let attackers move across a network quickly; rapid public analyses, proof-of-concept work, and automated tools have shortened the time between patch release and active attacks.