Threat Bulletin

Domain Controller Patching Required: Netlogon RCE Under Active Exploitation

Alert Essentials

CVE-2026-41089 (CVSS 9.8) is a critical, unauthenticated remote code execution vulnerability in Windows Netlogon that is now being exploited in the wild. Microsoft patched it on May 12 as part of the May 2026 Patch Tuesday release; Belgium's Center for Cybersecurity (CCB) confirmed active exploitation on May 29, 17 days after the patch shipped. An attacker with network access to a domain controller can execute arbitrary code as SYSTEM with no credentials and no user interaction. Apply the May 2026 cumulative update to all domain controllers immediately, within a single maintenance window. A CISA KEV listing is pending.

Threat Description

CVE-2026-41089 is a stack-based buffer overflow (CWE-121) in the Windows Netlogon Remote Protocol (MS-NRPC). A single specially crafted network request to a domain controller triggers the overflow and yields SYSTEM-level code execution: no authentication, no user interaction and no prior access are required. Public proof-of-concept code is available, and AI-assisted adversaries compressed the window from disclosure to in-the-wild exploitation to under three weeks, despite Microsoft's initial 'Exploitation Less Likely' rating.

All supported Windows Server versions (2019 through 2025) acting as domain controllers are affected. End-of-life versions (Server 2012 R2, 2012, 2008 R2 and earlier) are also vulnerable but receive no official patch; 0patch micro-patches are available as interim coverage. Because domain controllers govern identity, access control and authentication for every domain-joined system, successful exploitation of a single DC enables full Active Directory forest takeover. A companion vulnerability, CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8), was patched in the same cycle and warrants parallel remediation.

Healthcare Impact

Successful exploitation enables credential harvesting from NTDS.dit and ransomware deployment across every domain-joined endpoint, the same scenario behind major healthcare operational disruptions in recent years. A confirmed DC compromise requires a HIPAA breach risk assessment and, where ePHI is presumed compromised, triggers Breach Notification Rule obligations and OCR reporting requirements.

CVE             Impacted Versions                  Fix                          CVSS  CWE      CISA KEV    Tenable Plugins
CVE-2026-41089  Windows Server 2012–2025 (as DC)   May 2026 Cumulative Update   9.8   CWE-121  Not listed  314355, 314354, 314352, 314348, 314347, 314346, 314340

Recommendations

Patching & Remediation

  • Apply the May 2026 cumulative update to ALL domain controllers in a single maintenance window. Compromise of any one DC yields the forest, so a partially patched forest is still an exposed forest.
  • Source patches from the Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
  • EOL systems (Server 2008 R2, 2012, 2012 R2): apply 0patch micro-patches as an interim measure and plan decommissioning.
  • Scan the DC inventory with the Tenable plugins listed in the table (314355, 314354, 314352, 314348, 314347, 314346, 314340) before and after patching to confirm coverage.
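The following script is an added example, not part of the Fortified bulletin and not a Microsoft tool. It enumerates every domain controller in the forest and checks, via Get-HotFix, whether the May 2026 cumulative update is installed. The bulletin does not give the KB numbers, so the script takes them as a parameter (one KB per OS version; the value in the comment is a placeholder) and treats any DC that cannot be queried as unverified rather than patched. EOL servers covered only by 0patch will show as unpatched here, because micro-patches are not Windows hotfixes.

```powershell
# Added example: verify May 2026 CU coverage on every domain controller in the forest.
# Assumptions: RSAT ActiveDirectory module on the admin host, WMI/RPC access to each DC,
# and the KB number(s) of the cumulative update taken from the MSRC page for CVE-2026-41089.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^KB\d+$')]
    [string[]]$KB   # placeholder: one KB per OS version, e.g. 'KB5000000' (not a real number)
)
Import-Module ActiveDirectory -ErrorAction Stop

$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $entry = [pscustomobject]@{
            Domain   = $domain
            DC       = $dc.HostName
            OS       = $dc.OperatingSystem
            ReadOnly = $dc.IsReadOnly
            Verified = $false   # false = the DC could not be queried; not evidence of coverage
            Patched  = $false
            Note     = ''
        }
        try {
            # Get-HotFix reads Win32_QuickFixEngineering; a cumulative update shows as one KB entry.
            $hotfixes = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
            $entry.Verified = $true
            $entry.Patched  = [bool]($hotfixes | Where-Object { $KB -contains $_.HotFixID })
            if (-not $entry.Patched -and $dc.OperatingSystem -match '2008|2012') {
                $entry.Note = 'EOL: 0patch plus decommission plan; micro-patches are invisible to Get-HotFix'
            }
        } catch {
            $entry.Note = "Query failed: $($_.Exception.Message)"
        }
        $entry
    }
}

$report | Sort-Object Verified, Patched, Domain | Format-Table -AutoSize

# Gate the change: anything not both verified and patched is an open exception that needs an owner.
$open = @($report | Where-Object { -not ($_.Verified -and $_.Patched) })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) of $(@($report).Count) DC(s) are not confirmed patched with $($KB -join ', ')."
    exit 1
}
Write-Host "All $(@($report).Count) domain controllers report the update installed."
```

Run it once before the maintenance window to size the work and once after to confirm coverage; the non-zero exit code makes it usable as a gate in a change-management pipeline.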


Detection / Threat Hunting

  • Monitor all domain controllers for indicators of active exploitation:
      • Netlogon service crashes or unexpected restarts (System log, Event ID 7034 from Service Control Manager). These point to failed or unstable exploitation attempts; a clean exploit may leave no crash.
      • Anomalous RPC/Netlogon traffic to DCs from unexpected source addresses (non-domain-joined segments, VPN pools, internet-facing ranges) in SIEM/NDR.
      • Authentication failures or domain trust errors following suspicious inbound DC traffic.
      • New account creation or unexpected privileged group membership changes (Security log, Event IDs 4720 and 4728; also 4732 and 4756 for domain-local and universal groups such as Administrators and Enterprise Admins).
      • NTDS.dit file access or unexpected VSS activity on any DC (Event ID 4663, which is only generated when object access auditing and a SACL on NTDS.dit are configured; Event ID 7036 for the Volume Shadow Copy service entering the running state outside backup windows).
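As an added example (not from the bulletin), the hunt below pulls the host-based indicators above from every DC for a configurable look-back window and returns them as one table. The 21-day default is an assumption chosen to cover the period since the May 12 release; 4663 hits will only appear where object access auditing and a SACL on NTDS.dit exist, and a 7036 "running" event for VSS is expected during legitimate backups, so treat it as a triage lead rather than a verdict.

```powershell
# Added example: hunt every DC for the bulletin's host-based indicators over the last N days.
# Assumptions: RSAT ActiveDirectory module, event log (RPC) access to each DC, and auditing
# configured so that 4663 exists for NTDS.dit; the look-back window is an assumption.
param(
    [int]$Days = 21,
    [string[]]$DomainControllers = @((Get-ADDomainController -Filter *).HostName)
)
$since = (Get-Date).AddDays(-$Days)
$privGroups = 'Domain Admins|Enterprise Admins|Schema Admins|Administrators'

function Get-DcEvents {
    param([string]$Computer, [hashtable]$Filter)
    # Get-WinEvent raises an error when nothing matches; treat "no events" as an empty result.
    try { Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop }
    catch {
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
    }
}

function New-Finding($Dc, $Event, $Indicator) {
    [pscustomobject]@{
        DC        = $Dc
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        Indicator = $Indicator
        Detail    = ($Event.Message -split "`r?`n")[0]
    }
}

$findings = foreach ($dc in $DomainControllers) {
    # System log: 7034 = service terminated unexpectedly, 7036 = service state change.
    $sys = Get-DcEvents $dc @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034, 7036; StartTime = $since }
    foreach ($e in $sys) {
        if ($e.Id -eq 7034 -and $e.Message -match 'Netlogon') {
            New-Finding $dc $e 'Netlogon crash (possible failed exploitation attempt)'
        } elseif ($e.Id -eq 7036 -and $e.Message -match 'Volume Shadow Copy' -and $e.Message -match 'running') {
            New-Finding $dc $e 'VSS started (possible NTDS.dit copy; check backup schedule)'
        }
    }
    # Security log: account creation, privileged group additions, NTDS.dit object access.
    $sec = Get-DcEvents $dc @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756, 4663; StartTime = $since }
    foreach ($e in $sec) {
        $hit = switch ($e.Id) {
            4720 { 'New account created' }
            { $_ -in 4728, 4732, 4756 } { if ($e.Message -match $privGroups) { 'Member added to privileged group' } }
            4663 { if ($e.Message -match 'ntds\.dit') { 'NTDS.dit accessed' } }
        }
        if ($hit) { New-Finding $dc $e $hit }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Correlate any Netlogon crash with the NDR/SIEM source address of the preceding RPC traffic; a crash followed within minutes by a 4720 or a privileged group change on the same DC is the sequence that warrants an incident declaration rather than a ticket.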

Hardening / Compensating Controls

  • Restrict inbound RPC to domain controllers (TCP 135 endpoint mapper, the dynamic RPC port range, and TCP 445, over which MS-NRPC is also reachable through the \pipe\netlogon named pipe) to domain-member, DC and administrative subnets. Domain members must still reach DCs, so the goal is to remove reachability from guest, IoT, internet-facing and other untrusted segments, not to isolate DCs entirely.
  • Review and restrict DC exposure from VPN-connected endpoints and remote access infrastructure.
  • Enforce MFA on all Domain Admin and privileged accounts immediately. MFA does not block this unauthenticated RCE; it limits what an attacker can do with credentials harvested after a compromise.
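The script below is an added example, not part of the bulletin, of the first control applied with the Windows Firewall on a DC. Rather than writing new rules, it scopes the built-in "Active Directory Domain Services" inbound rule group (which covers RPC-EPMAP on 135, the dynamic RPC range, SAM/LSA named pipes on 445, LDAP, Kerberos and DNS) to a set of trusted subnets, then lists any other enabled rule that would reopen 135 or 445. The subnets are placeholders; test on one DC before rolling out via Group Policy, because a wrong subnet list locks domain members out of authentication.

```powershell
# Added example: scope a DC's built-in AD DS inbound rules to trusted subnets and find rules that bypass it.
# Assumptions: run elevated on the DC; subnets below are placeholders for member, DC and admin ranges.
$TrustedSubnets = @('10.10.0.0/16', '10.20.0.0/16', '10.250.1.0/24')   # placeholders

# Windows Firewall evaluates Block before Allow regardless of order, so the safe pattern is
# "default inbound Block + narrowly scoped Allow", not an extra Block rule on top of broad Allows.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Scope the whole AD DS group; domain members on trusted subnets keep working, everything else loses reachability.
$adRules = Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Direction Inbound
$adRules | Set-NetFirewallRule -RemoteAddress $TrustedSubnets

# Verify the scoping took effect on every rule in the group.
$adRules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Ports         = (@(($_ | Get-NetFirewallPortFilter).LocalPort) -join ',')
        RemoteAddress = (@(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
    }
} | Format-Table -AutoSize

# Any other enabled inbound Allow rule on 135/445 or the RPC keywords (for example
# "File and Printer Sharing (SMB-In)" or "Remote Event Log Management (RPC)") reopens the same
# attack surface from 'Any'; list them so they can be scoped or disabled too.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayGroup -ne 'Active Directory Domain Services' } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) | Where-Object { $_ -in '135', '445', 'RPC', 'RPC-EPMap' })) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Ports         = (@($pf.LocalPort) -join ',')
                RemoteAddress = (@(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
            }
        }
    } | Format-Table -AutoSize
```

Host firewall scoping reduces exposure from untrusted segments; it does not remove the vulnerability from the trusted segments a domain member or a compromised workstation sits on, so it is a bridge to the patch, not a substitute for it.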

Admin / Executive Recommendations

  • Escalate DC patching to P1/critical change priority. This is not a standard Patch Tuesday item.
  • Document any unpatched DC with an exception owner, compensating controls and a firm remediation deadline; each one is an open HIPAA Security Rule gap.
  • Conduct a post-patch forced password reset for all Domain Admin accounts, given confirmed in-the-wild exploitation. If there is any evidence of compromise, treat it as a full DC compromise: reset the krbtgt account password twice (waiting for replication, and ideally the maximum ticket lifetime, between the resets) and rotate service and machine account credentials.

Reference Links




From Fortified Health Security

Fortified Health Security is committed to maturing your healthcare organization’s cybersecurity posture. We will monitor and update this bulletin as the situation progresses.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

Should you have any questions about this threat or any other issue you are facing, please reach out to us. We’re here to help you on your cybersecurity journey.

Email: connect@fortifiedhealthsecurity.com    Phone: 615-600-4002
