Decoding the world of cybersecurity

CERT-EU warns on exploited Netlogon flaw

CERT-EU says a critical Windows Netlogon vulnerability affecting domain controllers is being exploited, putting enterprise identity infrastructure under immediate pressure.

CERT-EU warns on exploited Netlogon flaw
Summary
  • CERT-EU has warned that CVE-2026-41089 affects Windows Server domain controllers and allows unauthenticated remote code execution.
  • Belgium’s Centre for Cybersecurity has reported active exploitation, according to the CERT-EU advisory.
  • Domain controllers sit at the centre of identity, privilege, and recovery, making the flaw a priority enterprise risk.

CERT-EU has warned that a critical Windows Netlogon vulnerability affecting domain controllers is being exploited, creating urgent exposure for organisations that still have unpatched Windows Server systems in identity-critical roles.

The advisory covers CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon with a CVSS score of 9.8. CERT-EU says an unauthenticated attacker could execute arbitrary code with SYSTEM privileges on targeted domain controllers by sending specially crafted packets over the network.

Microsoft addressed the vulnerability in its May 2026 security updates. CERT-EU published its warning on 10 June after Belgium’s Centre for Cybersecurity reported active exploitation by threat actors. The advisory recommends updating affected Windows Server assets as soon as possible.

Affected systems include Windows Server 2012 and 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 23H2, and Windows Server 2025 versions before the relevant fixed builds. That range is operationally important because domain-controller patching is often slower than endpoint patching, particularly in environments where identity infrastructure is treated as too sensitive to update quickly.

Netlogon is not an ordinary Windows component in enterprise operations. Domain controllers underpin authentication, group policy, Kerberos, administrative access, and recovery workflows. A remote code execution vulnerability in that layer can become a route to privilege, persistence, lateral movement, and broad compromise of the domain.

The advisory does not name victims, sectors, or the scale of exploitation. It does not say whether attacks are opportunistic scans, targeted intrusions, or follow-on use after initial access. The confirmed position is still enough for prioritisation: a European public-sector cyber authority has warned that an unauthenticated flaw in domain-controller infrastructure is being exploited.

Domain controllers are often protected by network placement and access assumptions, but large estates carry legacy routing, trust relationships, management paths, and partially segmented server networks. If an attacker can reach a vulnerable controller, the practical blast radius may extend well beyond the server itself.

The advisory also exposes a recurring governance gap. Boards and executives are often told that patch performance is improving because desktop and browser update rates are measurable. Identity infrastructure does not always fit that pattern. It requires change windows, rollback planning, dependency testing, and careful coordination. Complexity can become a reason for delay just when patching carries the highest consequence.

Regulated sectors also face harder incident-response choices when domain controllers are exposed. Recovery plans that assume trusted identity services may be weakened. Password resets, privileged-access rotation, log review, and backup restoration all depend on knowing whether the identity plane itself is trustworthy.

European organisations should treat the advisory as an identity-resilience issue rather than a routine Microsoft patch item. Immediate work includes confirming affected server versions, prioritising domain controllers, reviewing reachability, and preserving logs where compromise is suspected. Patching before collecting evidence may remove useful traces in some incidents, while leaving exposed controllers unpatched invites a worse outcome.

Identity infrastructure remains one of the least forgiving parts of the enterprise stack. When domain controllers are vulnerable, attackers do not need to compromise every system. They need access to the layer that decides who is allowed to use them.

×