Belgium Warns of Active Exploitation of Critical Windows Netlogon Flaw

The Centre for Cybersecurity Belgium warned that threat actors are now exploiting a critical Windows Netlogon vulnerability patched by Microsoft during the May 2026 Patch Tuesday.

Belgium's cybersecurity authority issues urgent alert. The CCB warned on Friday that CVE-2026-41089 in Windows Netlogon is now actively exploited in the wild and could lead to RCE.

It assigned the flaw a CVSS 3.1 score of 9.8 and urged admins to patch as quickly as possible.

The agency did not provide further details on the attacks.

Netlogon vulnerability allows unauthenticated remote code execution. Netlogon is a remote procedure call interface and a core Microsoft Windows Server background service that authenticates services and users on Windows domain-based networks.

Microsoft described it as a stack-based buffer overflow. An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller.

If successful this could cause the Netlogon service to improperly handle the request potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access.

Vulnerability affects all supported Windows Server versions. CVE-2026-41089 impacts all currently supported Windows Server versions including the latest release Windows Server 2025.

Microsoft patched the flaw after internal discovery. The vulnerability was discovered by Windows Attack Research & Protection an internal offensive cybersecurity and engineering research team at Microsoft.

The company published a security advisory on May 12 and addressed the issue during the May 2026 Patch Tuesday.

Both agencies withhold additional attack information. The CCB did not respond to a request for more information. Microsoft has yet to update its advisory and a company spokesperson did not reply to a request for confirmation that CVE-2026-41089 is now actively exploited.