CVE-2026-41089: Critical Zero-Click Windows Netlogon RCE Now Under Active Exploitation

Security researchers and threat intelligence platforms have characterized this vulnerability as wormable in practice because of its pre-authentication exploitability and the central role domain controllers play in Windows enterprise identity . Action1's assessment captures the risk succinctly: "A vulnerable domain controller can turn one crafted network request into a direct path toward enterprise compromise" . Jason Kikta, CTO at Automox, warned that "half-patched forests are not a defensible state for a pre-auth DC bug" and advised admins to restrict Netlogon traffic at the network layer in addition to patching .

Public proof-of-concept exploit code has appeared on GitHub, which historically accelerates mass exploitation within 24-72 hours . Organizations should assume that automated scanning and exploitation tooling is already circulating.

Affected Windows Server Versions

The vulnerability affects all supported Windows Server releases running the Netlogon service that were not patched after May 12, 2026 . Published product listings from multiple security vendors and the NVD identify the following vulnerable editions :

• Windows Server 2012 and 2012 R2 (all installations, including Server Core)
• Windows Server 2016
• Windows Server 2019 (including Server Core)
• Windows Server 2022 (21H2, 22H2, and 23H2 Editions, including Server Core)
• Windows Server 2025

The issue is present in the MS-NRPC handler and can be triggered via TCP port 445 or UDP port 389 (the CLDAP DC-locator port), meaning standard DC exposure paths are sufficient for an attacker to reach the vulnerable code path .

Patch Availability

Official Microsoft Security Updates

Microsoft released patches for CVE-2026-41089 on May 12, 2026 . Organizations should immediately apply the relevant update for their Windows Server build. Rapid7's vulnerability database lists the following KB identifiers for supported distributions :

• Windows Server 2012: KB5087470
• Windows Server 2012 R2: KB5087471
• Windows Server 2016 (1607): KB5087537
• Windows Server 2019 (1809): KB5087538
• Windows Server 2022 (21H2/22H2): KB5087545
• Windows Server 2022 (23H2): KB5087541
• Windows Server 2025 (24H2): KB5087539

Patch all domain controllers in a single, compressed maintenance window where operationally possible because the vulnerability is pre-authentication and actively exploited .

0patch Micropatch for Legacy Systems

For organizations running out-of-support Windows Server installations that can no longer receive official Microsoft security updates, Acros Security has released a free micropatch through its 0patch platform . This micropatch offers a minimal, surgical fix: it halves the maximum size of the attacker-controlled username string during relevant processing, effectively neutralizing the stack overflow without altering unrelated code paths .

0patch has confirmed micropatch availability for:

• Windows Server 2012 (no ESU)
• Windows Server 2012 R2 (no ESU)

The micropatch is deployed through the 0patch agent and applies in-memory, without requiring a system restart, which can be valuable for environments where domain controller reboots must be carefully scheduled. 0patch has long provided post-end-of-support micropatches for critical vulnerabilities on Windows Server 2008 R2, 2012, and 2012 R2 .

Urgent Mitigation and Response Guidelines

Patching removes the vulnerable code path, but it does not detect or remove an attacker who may have already exploited CVE-2026-41089 before the patch was applied. The CCB explicitly warns that patching protects against future exploitation but does not remediate historic compromise .

Primary Actions from the CCB

1. Patch immediately with highest priority — Apply official Microsoft May 2026 updates to all domain controllers. Do not wait for the next maintenance window: this is an active-exploitation scenario .
2. Increase monitoring and detection — Upscale monitoring for suspicious activity targeting domain controllers, especially unusual Netlogon traffic or atypical RPC and LDAP patterns .
3. Assume possible prior compromise — Any domain controller that was unpatched and network-exposed between May 12 and the application of the patch should be forensically reviewed for signs of intrusion .
4. Compress the patching window — Roll through all domain controllers in as few maintenance cycles as possible. A half-patched Active Directory forest is an exploitable forest .
5. Re-verify after patching — Re-run patch verification scans and exposure assessments to confirm no vulnerable DCs remain accessible .

Additional Expert Defensive Measures

• Segment domain controllers — Restrict network access to domain controllers so that only explicitly authorized management and infrastructure traffic reaches them. Block Netlogon-related ports (TCP 445, UDP 389) from untrusted and internet-facing segments at the network boundary and internal firewalls.
• Restrict Netlogon traffic at the network layer — Beyond host firewalls, enforce network-level access controls that limit which systems can even initiate connections to DCs over the vulnerable protocols.
• Harden privileged access paths — Review and minimize accounts with privileged access to domain controllers. Compromise of a DC's SYSTEM context often leads directly to credential theft and lateral movement .
• Monitor for post-exploitation activity — Look for abnormal service behavior, unexpected DC reboots, LSASS crashes, new admin account creation, and anomalous Kerberos ticket requests. These may indicate exploitation or follow-on attack stages .
• Adopt a full assume-breach posture — Until a thorough forensic review is complete, treat all previously unpatched domain controllers as potentially compromised.

Important Caveat: EPSS and Perception

While the EPSS (Exploit Prediction Scoring System) probability for CVE-2026-41089 was reported at 0.09% , EPSS is a probabilistic model trained on past data and does not account for active exploitation that has already been confirmed in real-world attacks. Once a national cybersecurity authority like the CCB issues an active-exploitation warning, organizations must prioritize based on confirmed real-world threat activity rather than statistical prediction alone.