🤚 The Open-Palm Incident Report
A critical vulnerability in Windows Netlogon — the service that handles authentication for every Windows domain controller on Earth — is now being actively exploited in the wild, and the patch has been available since May 2026. The bug, tracked as CVE-2026-41089, carries a CVSS score of 9.8 out of 10, which in vulnerability scoring is the equivalent of a doctor saying “we need to talk” while closing the door.
The flaw is a stack-based buffer overflow in the Netlogon RPC interface. An attacker can send a specially crafted network request to any Windows server acting as a domain controller and achieve remote code execution — no authentication required, no prior access needed, no user interaction necessary. Just a network request and a dream.
Key facts:
- All currently supported Windows Server versions are affected, including Windows Server 2025
- Discovered by Microsoft’s own WARP (Windows Attack Research & Protection) offensive security team
- Patched in the May 2026 Patch Tuesday update
- Belgium’s Centre for Cybersecurity (CCB) confirmed active exploitation as of June 1, 2026
- Microsoft, in a move that inspires tremendous confidence, says it has “no evidence” supporting the active exploitation claims
Belgium says it’s being exploited. Microsoft says it isn’t. Your domain controller has no comment because it’s currently busy being compromised.
👐 The Two-Handed Authentication Crisis
Let’s talk about what Netlogon actually is, because the name alone should make you nervous. Netlogon is the service that maintains the secure channel between every domain-joined machine and its domain controller and relays NTLM logons to the DC for pass-through authentication across Windows Active Directory domains; on a DC it runs inside lsass.exe, the same process that holds the domain’s credentials. It is, without exaggeration, the front door, back door, and load-bearing wall of enterprise Windows authentication. When Netlogon is compromised, the attacker doesn’t get access to a system; they get access to the system that decides who gets access to every other system.
If this sounds familiar, it should. Netlogon’s last starring role was CVE-2020-1472, better known as Zerologon, which scored a perfect 10.0 and also let unauthenticated attackers take over domain controllers, though by a different route: a cryptographic flaw in the secure-channel handshake (AES-CFB8 with an all-zero IV) that let an attacker reset the DC’s machine-account password, not a memory-corruption bug. It became one of the most exploited bugs of 2020, complete with a CISA emergency directive ordering federal agencies to patch within days. We appear to be running the sequel, with a different plot device.
The fact that Microsoft’s own internal red team — WARP — found this bug is both reassuring and deeply unsettling. Reassuring because it means Microsoft is actively looking. Unsettling because it means this class of vulnerability has been sitting in authentication code that has been running enterprise networks since the era of Internet Explorer being a competitive browser.
🌿 The Gentle Awakening
There is a recurring pattern in enterprise security that goes something like this: a critical patch is released, a stern advisory is published, a CVSS score makes the rounds on LinkedIn, and then a dismaying share of affected organizations take longer to patch than threat actors take to weaponize the exploit. Every time. Without fail. Like clockwork, except the clock is on fire.
The Belgium-versus-Microsoft disagreement on whether active exploitation is occurring is, in its own way, a perfect microcosm of the cybersecurity information ecosystem. One national CERT says “our trusted partners confirm exploitation.” The vendor says “we see no evidence.” Both can technically be correct — Microsoft may not have telemetry on Belgian networks, and Belgium may be seeing things Microsoft hasn’t confirmed yet. But from the perspective of a sysadmin reading both statements at 7 AM on a Tuesday, the message is clear: patch now and sort out who was right later.
👑 The Gold-Leaf Domain Takeover
Here’s the arithmetic that should keep CISOs awake tonight: CVE-2026-41089 requires no authentication, no user interaction, and targets the single most privileged service in Windows enterprise infrastructure. The patch has been out for a month. Belgium says the exploit is live. And Active Directory domain controllers are, by design, reachable on the network, because that’s literally their job: the Netlogon RPC interface is exposed over the SMB named pipe on TCP 445 and over dynamic RPC ports via the endpoint mapper on TCP 135, so every workstation subnet, printer VLAN and VPN pool that can reach a DC on those ports is a potential launch point, and a foothold on any of them is all the “prior access” anyone needs.
The organizations most at risk are, as always, the ones least equipped to respond: mid-sized companies with one overworked IT person, municipalities running Windows Server 2019 because the upgrade budget was redirected to “digital transformation initiatives” (read: a chatbot for the parking department), and healthcare systems where patching requires a change control process that was last updated when the server was deployed.
If your domain controllers are unpatched, stop reading this article and go patch them. If your domain controllers are patched, go verify they’re patched, on every DC in every domain of the forest, by reading the installed build number off the box rather than off the closed ticket, because “I’m pretty sure we did that” is not a patch management strategy. And if you don’t know what a domain controller is, congratulations: you either don’t use Windows, or you have a problem you haven’t discovered yet.
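The verification step above, as an added example that is not part of the original article (nor anything Microsoft or the CCB published): a PowerShell script that walks every domain controller in the forest, reads the installed OS build and update revision straight from the registry, checks for the fix’s KB, and counts recent lsass.exe crashes and unexpected shutdowns. The KB number and the per-build minimum UBR values are placeholders to be filled in from Microsoft’s advisory for CVE-2026-41089 (the article does not give them and neither does this example); the CurrentBuild-to-OS-version mapping (17763, 20348, 26100) is standard; the lsass-crash check is a general heuristic for failed memory-corruption exploits against a service hosted in lsass, not a documented indicator for this bug. It assumes the RSAT ActiveDirectory module on the admin host and WinRM reachability to the DCs.

```powershell
<#
Added example, not from the article: audit every domain controller in the forest for the
May 2026 Netlogon fix and for crash evidence. PLACEHOLDERS you must replace from Microsoft's
advisory for CVE-2026-41089: $RequiredKB and the per-build minimum UBR values in $MinimumUbr.
Requires the RSAT ActiveDirectory module and WinRM access to the DCs.
#>
param(
    [string[]]$DomainController,                 # optional explicit list; otherwise discover the forest
    [string]$RequiredKB = 'KB0000000',           # PLACEHOLDER: the KB that carries the fix
    [hashtable]$MinimumUbr = @{                  # PLACEHOLDER: CurrentBuild -> minimum UBR once fixed
        '17763' = 0                              # Windows Server 2019
        '20348' = 0                              # Windows Server 2022
        '26100' = 0                              # Windows Server 2025
    }
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not $DomainController) {
    # Every DC in every domain of the forest, not just the one you are logged on to.
    $DomainController = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName
}

$results = Invoke-Command -ComputerName $DomainController -ErrorAction Continue `
    -ArgumentList $RequiredKB, $MinimumUbr -ScriptBlock {
    param([string]$kb, [hashtable]$minUbr)

    # CurrentBuild identifies the OS version; UBR is bumped by every cumulative update,
    # so "CurrentBuild.UBR" is the ground truth that a closed change ticket is not.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    $since = (Get-Date).AddDays(-30)
    # Netlogon runs inside lsass.exe. A memory-corruption exploit that fails to land usually
    # kills lsass, which forces a reboot. General heuristic, not a documented IOC for this CVE.
    $lsassCrashes = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' }).Count
    $dirtyReboots = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008; StartTime = $since } -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        Build                  = "$build.$ubr"
        KbInstalled            = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
        BuildAtOrAboveFix      = ($minUbr.ContainsKey($build) -and $ubr -ge [int]$minUbr[$build])
        LsassCrashes30d        = $lsassCrashes
        UnexpectedShutdowns30d = $dirtyReboots
    }
}

$results | Sort-Object PSComputerName |
    Format-Table PSComputerName, Build, KbInstalled, BuildAtOrAboveFix, LsassCrashes30d, UnexpectedShutdowns30d -AutoSize

# A DC you could not reach is not "probably fine"; it is unverified.
$unreached = $DomainController | Where-Object { $_ -notin $results.PSComputerName }
if ($unreached) {
    Write-Warning "Unverified (unreachable over WinRM): $($unreached -join ', ')"
}
```

Run it from an admin workstation with rights on the DCs, or pass the DCs explicitly with -DomainController. A DC that comes back with BuildAtOrAboveFix set to False, or that does not come back at all, goes on the to-do list; a DC showing lsass crashes in the window before it was patched deserves an incident ticket rather than a shrug.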
“The Netlogon service asked for no authentication, received no authentication, and granted full domain access — which, if you think about it, is the most honest authentication protocol ever designed.” — The Slap of Wisdom Incident Response Team, currently verifying that its own domain controllers are patched, because trust but verify is just ‘verify’ with a marketing budget