"CVE-2026-41089 in #Windows #Netlogon is now actively #exploited in the wild and could lead to #RCE. CVSS(3.1): 9.8," the Centre for Cybersecurity Belgium (CCB) warned on Friday.
CVE-2026-41089: stack-based buffer overflow in Windows Netlogon
Microsoft patched CVE-2026-41089 during the May 2026 Patch Tuesday cycle, describing it as a stack-based buffer overflow in the Windows Netlogon service. The company said the bug allows "attackers without privileges to gain remote code execution on targeted domain controllers" by sending "a specially crafted network request to a Windows server that is acting as a domain controller." If exploited successfully, Microsoft wrote, the Netlogon service could "improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access."
Microsoft's advisory states the flaw impacts all currently supported Windows Server versions, explicitly including Windows Server 2025. The vulnerability was publicly assigned CVE-2026-41089 and, in the CCB tweet, carries a CVSS v3.1 score of 9.8.
Centre for Cybersecurity Belgium (CCB) says the flaw is being used in attacks
Belgium's national cybersecurity authority, the Centre for Cybersecurity Belgium (CCB), publicly warned that threat actors are now exploiting the patched Netlogon vulnerability in the wild and urged administrators to "Patch as quickly as possible." The CCB did not provide technical indicators or additional details about the ongoing attacks when BleepingComputer requested more information, the reporting notes.
The CCB warning represents an early, sovereign-centre confirmation that exploitation has moved from theory or lab proof-of-concept into operational use by attackers.
Microsoft disclosure: WARP discovery and advisory status
Microsoft announced on May 12 that the vulnerability was discovered by Windows Attack Research & Protection (WARP), an internal offensive cybersecurity and engineering research team. That disclosure accompanied the Patch Tuesday fixes for May 2026.
As of the reporting, Microsoft had not updated its advisory to reflect the CCB's claim of active exploitation, and a company spokesperson did not reply to an email from BleepingComputer requesting confirmation that CVE-2026-41089 is being actively exploited.
'Nightmare Eclipse' disclosures and a string of recent zero-days
The Netlogon alert arrives amid a series of high-profile zero-day disclosures attributed to an anonymous researcher using the handle "Nightmare Eclipse." Two weeks before the Netlogon patch, Microsoft had shared mitigation measures for YellowKey (CVE-2026-45585), a Windows BitLocker zero-day that "grants access to protected drives," which the researcher described as a backdoor and for which a proof-of-concept exploit was published.
Over recent months, the same researcher disclosed BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091) privilege escalation zero-days—both now described as being exploited in attacks—along with GreenPlasma and MiniPlasma zero-day privilege escalation flaws that provide SYSTEM privileges, and UnDefend (CVE-2026-45498), a zero-day the researcher said allows attackers with standard user permissions to block Microsoft Defender definition updates. Microsoft initially responded to the disclosures with what a report characterized as "thinly veiled threats of legal action," followed by a tweet saying the company "will work with law enforcement as appropriate" when "an individual breaks the law and engages in malicious activity causing real harm to our customers."
What this means for technologists, enterprises, and policymakers
- Technologists and security teams: The CCB's public call to "Patch as quickly as possible" targets administrators of domain controllers. Given Microsoft's description that exploit requires a specially crafted network request to an active domain controller, teams managing Windows domain environments are the immediate focus for remediation and validation.
- Enterprises and procurement leaders: CVE-2026-41089 affects all supported Windows Server releases, including Windows Server 2025, underscoring that patch programs must include the most recent server releases. The combination of a high CVSS score (9.8) and a sovereign cybersecurity authority reporting active exploitation elevates the operational priority for applying Microsoft's May 2026 fixes.
- Policymakers and regulators: National authorities like the CCB have already moved to public advisories. Regulators tracking systemic cyber risk will have to weigh the public alert against the fact that Microsoft had not, at the time of reporting, confirmed active exploitation or updated its advisory.
Two facts sit uncomfortably together: a high-severity remote code execution flaw patched in May, and a national cybersecurity agency saying the vulnerability is already exploited in the wild. Microsoft identified the flaw via its WARP team and released a patch; Belgium's CCB has urged immediate action but provided no additional attack telemetry publicly, and Microsoft had not confirmed the exploitation details when contacted. For defenders, the clear next move the record prescribes is already written by those same facts: prioritize patching of domain controllers and validate that updates are applied to Windows Server instances, including Windows Server 2025.




