Belgium warns Netlogon flaw is exploited

Belgium says a critical Netlogon flaw is now being exploited, putting domain-controller patching, compromise detection, and Active Directory recovery at the centre of enterprise identity risk.

Summary
  • Belgium’s Centre for Cybersecurity says CVE-2026-41089, a critical Windows Netlogon flaw, is now actively exploited.
  • The vulnerability can allow remote code execution against Windows Server domain controllers without prior privileges or user interaction.
  • Domain-controller compromise can undermine authentication, incident response, recovery, and trust across the wider enterprise estate.

Belgium’s Centre for Cybersecurity has warned that a critical Windows Netlogon vulnerability affecting domain controllers is now being actively exploited, moving a May Patch Tuesday issue into live identity-infrastructure risk.

The warning concerns CVE-2026-41089, a remote code execution vulnerability in Windows Netlogon. The Belgian authority said the flaw can be exploited by sending a specially crafted network request to a Windows server acting as a domain controller. Successful exploitation could allow code execution on the affected system with SYSTEM privileges.

Because the advisory says exploitation does not require prior privileges or user interaction, the exposure is not limited to systems where an attacker has already gained an internal foothold. Patches are available for Windows Server versions from 2012 onwards, and the authority has urged organisations to apply updates quickly.

Domain controllers sit at the centre of enterprise authentication, access control, and administrative trust. A vulnerability in Netlogon touches the systems that determine whether users, services, and machines can prove who they are. In a compromised environment, that control layer can give an attacker reach across systems that appear separate on an asset list but depend on the same identity foundation.

Microsoft had already included the issue in its May 2026 security updates, which covered 118 vulnerabilities across the company’s products. Belgium’s update changes the operating posture by stating that exploitation is now occurring in the wild. Organisations that cannot confirm when vulnerable domain controllers were patched may need to treat the issue as a potential incident rather than a completed maintenance task.

Applying a patch closes the known vulnerability, but it does not prove that vulnerable systems were untouched before remediation. A proper response may require review of authentication events, service account activity, privileged group changes, lateral movement indicators, replication behaviour, and remote procedure call activity around affected systems.

That review matters because domain-controller compromise can distort the evidence needed to investigate an intrusion. Attackers with high privilege at that layer may be able to create persistence, alter logging, deploy additional tooling, or reach systems that depend on Active Directory trust. Once identity infrastructure is suspect, recovery becomes a question of whether the organisation can prove that administrative trust remains intact.

The Belgian advisory also shows how patch prioritisation changes when exploitation affects infrastructure that manages identity. Patch Tuesday releases often contain large numbers of vulnerabilities, but active exploitation against domain controllers should sit above ordinary endpoint or application defects. In regulated sectors, the record of what was fixed, when it was fixed, and what checks followed remediation will be as important as the patch status itself.

Organisations should identify every domain controller, verify patch levels, preserve relevant logs where retention is short, and review privileged access paths. Backup integrity, domain recovery procedures, tiered administration, and separation between administrative accounts all become part of the response when exploitation of identity infrastructure is confirmed.
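The log review and patch verification described above can be turned into a first-pass triage step. The following is an added example, not code from the advisory or from Microsoft: it takes a per-domain-controller patch time (a DC with no record is treated as still exposed, as the article recommends) and a set of constructed Windows event records, and ranks the events that matter for identity infrastructure. The event IDs are real Windows Security/System log IDs; the host names, timestamps and events are constructed.

```python
from datetime import datetime, timezone

# Event IDs a post-exploitation review of a domain controller should cover:
# privileged group changes, new services, log tampering. Data below is constructed.
EVENTS_OF_INTEREST = {
    1102: "audit log cleared",
    4728: "member added to global group",
    4732: "member added to local group",
    4756: "member added to universal group",
    7045: "new service installed",
}

# Constructed: when each DC received the update (UTC). DC03 has no record.
PATCH_TIMES = {"DC01": "2026-05-13T02:10:00", "DC02": "2026-05-20T22:45:00"}

# Constructed sample records; a real review exports these from each DC's logs.
SAMPLE_EVENTS = [
    {"host": "DC01", "time": "2026-05-12T23:05:00", "id": 4624, "detail": "logon"},
    {"host": "DC01", "time": "2026-05-14T09:00:00", "id": 4728, "detail": "svc-backup -> Domain Admins"},
    {"host": "DC02", "time": "2026-05-18T03:12:00", "id": 7045, "detail": "service updsvc installed"},
    {"host": "DC02", "time": "2026-05-18T03:13:00", "id": 1102, "detail": "log cleared by svc-backup"},
    {"host": "DC03", "time": "2026-05-19T11:30:00", "id": 4756, "detail": "u-temp -> Enterprise Admins"},
]

def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def triage(events, patch_times):
    """Rank events of interest: 'high' when the DC has no patch record or the event
    predates its patch (exposure window), 'medium' after the patch. Oldest first."""
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] not in EVENTS_OF_INTEREST:
            continue
        patched_at = patch_times.get(ev["host"])
        if patched_at is None:
            priority, reason = "high", "no patch record; treat DC as exposed"
        elif _ts(ev["time"]) < _ts(patched_at):
            priority, reason = "high", "before DC was patched"
        else:
            priority, reason = "medium", "after patch; check for persistence"
        findings.append({"host": ev["host"], "id": ev["id"], "priority": priority,
                         "what": EVENTS_OF_INTEREST[ev["id"]], "detail": ev["detail"],
                         "reason": reason})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, PATCH_TIMES):
        print(f["priority"], f["host"], f["id"], f["what"], "-", f["detail"])
```

In a real engagement the event list would come from each DC's exported Security and System logs, and the patch times from update history, so that the exposure window is grounded in evidence rather than assumed.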

Belgium’s warning leaves little room for treating the flaw as routine maintenance. Authentication infrastructure remains valuable because control of identity can become control of the wider estate. The immediate fix is technical, but confidence after remediation depends on evidence that trust has not already been lost.