CVE-2026-41089: Actively exploited critical zero-click RCE flaw in Windows Netlogon

02 Jun 2026

A critical zero-click vulnerability has been discovered in Microsoft Windows’ Netlogon service that unauthorized attackers are exploiting to execute arbitrary code remotely against vulnerable Domain Controllers.

 

An attacker can send a specially crafted network request to a vulnerable Domain Controller and trigger remote code execution without requiring authentication, valid credentials, or user interaction.

 

Recent reports indicate that exploitation activity has been observed in the wild, significantly increasing the urgency for organizations to patch affected systems immediately.

About the vulnerability

Vendor + Component 

CVE Identifier 

Versions/products affected 

Severity  

About 

Microsoft Windows Server + 

Windows Netlogon Service (MS-NRPC) 

Active Directory Domain Controllers 

CVE-2026-41089 

  • Windows Server 2012 
  • Windows Server 2016 
  • Windows Server 2019 
  • Windows Server 2022 
  • Windows Server 2025 

 

9.8 (Critical) 

The vulnerability is a stack-based buffer overflow within the Netlogon Remote Protocol (MS-NRPC).  

What can attackers do with the vulnerability?

The vulnerability is considered particularly dangerous because Netlogon is a core authentication component within Active Directory environments. Successful exploitation could allow attackers to:

 

  • Execute arbitrary code remotely without authentication
  • Exploit vulnerable Domain Controllers over the network
  • Gain SYSTEM-level privileges
  • Compromise Active Directory environments
  • Manipulate machine accounts and authentication mechanisms
  • Move laterally across enterprise networks
  • Deploy ransomware and malware payloads
  • Establish persistence within critical infrastructure

What can organizations do? SharkStriker’s recommendations

SharkStriker SOC team has:

  • Validated relevant threat intelligence
  • Carried out exposure analysis for affected environments
  • Prepared and sent security advisory
  • Tailored rules to detect Netlogon exploitation attempts
  • Initiated active threat hunting and
  • Commenced monitoring for Domain Controller abuse and
  • Configured alerting mechanisms for suspicious MS-NRPC activity

 

SharkStriker’s recommendations

  • Patch all Domain Controllers immediately
  • Prioritize internet-exposed and critical authentication systems
  • Conduct Active Directory compromise assessments
  • Monitor for indicators of Netlogon exploitation
  • Review privileged account activity
  • Implement strict network segmentation
  • Conduct enterprise-wide vulnerability scanning

 

Official advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089

Get in Touch With us

We have explored what risk tolerance and risk appetite are and how important they are together in helping businesses align cybersecurity with their business goals. It can help CISOs, and C-suite make informed investment decisions for cybersecurity.

LEARN MORE