NEWS Buffer overflow in Netlogon: attackers remotely execute code on Windows servers

pinkman

A single network request can open a door where the cost of a bug is far higher than an ordinary crash.

Attackers began actively exploiting a critical vulnerability in one of the key components of Windows Server only a few weeks after the fix was released. The flaw affects the Netlogon service, which is responsible for authenticating users and services in corporate networks. Given how widely Netlogon is deployed, the new attack vector could pose a serious threat to organizations around the world.

The Cyber Security Centre of Belgium warned that exploitation of CVE-2026-41089 (9.8 on the CVSS v3.1 scale, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) has begun. The agency reported that the flaw is already being used in real-world attacks and urged administrators to install the May security updates as soon as possible.

The flaw is a buffer overflow in the Windows Netlogon service. According to Microsoft, it allows an attacker to execute arbitrary code remotely on a domain controller without prior authentication and without any privileges.

For a successful attack, it is enough to send a specially crafted network request to a Windows server acting as a domain controller. Because the request is processed incorrectly, the attacker gains the ability to run their own code on the targeted system. The vulnerability affects all supported versions of Windows Server, including Windows Server 2025.

The Belgian regulator did not disclose details of the ongoing attacks and did not say which groups are behind the exploitation of the vulnerability. Microsoft has not yet updated its advisory and has not publicly confirmed reports of widespread exploitation of the flaw.