Executive Summary
CVE-2026-41089 is a critical stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) that allows an unauthenticated remote attacker to execute arbitrary code on any domain controller reachable over the network — no credentials, no user interaction required. Microsoft patched it in the May 2026 Patch Tuesday release, but proof-of-concept code is already publicly available and exploitation completes in under three seconds in lab conditions. Any organization running unpatched Windows domain controllers is at immediate risk of full Active Directory compromise.
1. What Is This Vulnerability?
The Windows Netlogon service (hosted in lsass.exe via netlogon.dll) handles authentication and replication for Active Directory domain controllers. CVE-2026-41089 exists because the service processes a caller-supplied length field during the authentication handshake without validating it against the actual buffer size. An attacker who sends a specially crafted Netlogon RPC message can supply a length so large that the copy from the heap-allocated request into a fixed-size stack buffer overflows, corrupting the call stack and redirecting execution to attacker-controlled shellcode.
The root weakness is classified as CWE-121 (Stack-Based Buffer Overflow) — a classic class of memory safety bug that Microsoft's own Secure Development Lifecycle has repeatedly flagged as high-priority.
Attack Vector
- Attacker connects to TCP port 135 (RPC Endpoint Mapper) or port 445 (SMB named pipe \NETLOGON) on a domain controller.
- Attacker initiates a Netlogon authentication handshake (NETR_ServerAuthenticate3 or similar RPC call).
- A maliciously large `NegotiateFlags` or authentication credential length value is embedded in the handshake packet.
- The Netlogon service copies the attacker-controlled data into a fixed-size stack buffer without bounds checking.
- Stack memory beyond the buffer is overwritten; the saved return address is replaced with a pointer to attacker-controlled shellcode.
- Code executes in the security context of the Netlogon service — SYSTEM on the domain controller.
```c
// Simplified conceptual flow (pseudocode): the copy trusts the caller-supplied length
char auth_buffer[512];                           // fixed stack buffer
int claimed_len = attacker_value;                // e.g., 0xFFFFFFFF
memcpy(auth_buffer, attacker_data, claimed_len); // OVERFLOW — no bounds check
```
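The pseudocode above omits the check that makes a length-prefixed copy safe. The C below is an added example, not code from netlogon.dll or from Microsoft: it validates the claimed length against both the bytes actually received and the fixed destination before `memcpy` runs. Function and status names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTH_BUFFER_SIZE 512  /* the fixed stack buffer size from the pseudocode above */

/* Outcome of the bounded copy (status names constructed for this example). */
enum copy_status {
    COPY_OK = 0,
    COPY_TRUNCATED_HEADER,     /* fewer than 4 bytes received: no length field */
    COPY_LEN_EXCEEDS_MESSAGE,  /* claimed length larger than the bytes received */
    COPY_LEN_EXCEEDS_BUFFER    /* claimed length larger than the destination */
};

/* Copy a length-prefixed credential blob (4-byte little-endian length, then payload)
 * into auth_buffer. Both bounds are checked before any byte is written; the
 * destination check is the one the vulnerable pseudocode omits. */
enum copy_status copy_credential(const uint8_t *msg, size_t msg_len,
                                 uint8_t *auth_buffer, size_t buffer_size, size_t *copied)
{
    if (msg_len < 4)
        return COPY_TRUNCATED_HEADER;
    uint32_t claimed_len = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                           ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (claimed_len > msg_len - 4)   /* cannot copy bytes that never arrived */
        return COPY_LEN_EXCEEDS_MESSAGE;
    if (claimed_len > buffer_size)   /* cannot copy more than the buffer holds */
        return COPY_LEN_EXCEEDS_BUFFER;
    memcpy(auth_buffer, msg + 4, claimed_len);
    *copied = claimed_len;
    return COPY_OK;
}

/* Build a constructed message whose header claims claimed_len bytes while only
 * payload_len filler bytes (capped at 1024) are present, then run the bounded copy. */
enum copy_status check_claimed_length(uint32_t claimed_len, size_t payload_len)
{
    uint8_t msg[4 + 1024];
    uint8_t auth_buffer[AUTH_BUFFER_SIZE];
    size_t copied = 0;
    if (payload_len > sizeof msg - 4)
        payload_len = sizeof msg - 4;
    msg[0] = (uint8_t)claimed_len;
    msg[1] = (uint8_t)(claimed_len >> 8);
    msg[2] = (uint8_t)(claimed_len >> 16);
    msg[3] = (uint8_t)(claimed_len >> 24);
    memset(msg + 4, 0x41, payload_len);  /* filler bytes, not a real credential */
    return copy_credential(msg, 4 + payload_len, auth_buffer, sizeof auth_buffer, &copied);
}
```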
Real-World Impact
Proof-of-concept exploit code was published on GitHub within 48 hours of Microsoft's May 12 disclosure. Researchers at Sherlock Forensics confirmed reliable exploitation against default Windows Server 2022 configurations in three seconds on a LAN segment. A successful exploit grants SYSTEM on the domain controller, which is effectively equivalent to compromising the entire Active Directory forest — every user account, password hash, group policy, and trust relationship is within reach.
2. Who Is Affected?
Affected operating systems (domain controller role):
| Operating System | Affected |
|---|---|
| Windows Server 2025 | ✅ Yes |
| Windows Server 2022 | ✅ Yes |
| Windows Server 2019 | ✅ Yes |
| Windows Server 2016 | ✅ Yes |
| Windows Server 2012 R2 | ✅ Yes (ESU required) |
| Windows Server 2012 | ✅ Yes (ESU required) |
| Windows 10/11 (workstations) | ❌ Not affected (Netlogon DC role) |
Scope: The vulnerability only manifests when a system is configured as a domain controller. Member servers and workstations are not directly vulnerable, but they are profoundly affected if their domain controllers are compromised. Organizations running Windows Server Core (no GUI) are equally at risk — Netlogon runs identically.
Attack surface: Any network path to TCP 135 or 445 on a domain controller. Internet-exposed domain controllers represent the highest risk, but attackers with initial foothold inside a corporate LAN (via phishing, VPN credential theft, etc.) can weaponize this to instantly escalate to domain admin.
3. How to Detect It (Testing)
Manual Testing Steps
- Inventory domain controllers: Run `netdom query dc /domain:<yourdomain>` or query Active Directory to enumerate all DCs.
- Verify patch level: On each DC, open PowerShell and run:

  ```powershell
  Get-HotFix -Id KB5061768   # May 2026 cumulative update for Server 2022
  # Or check build version:
  [System.Environment]::OSVersion.Version   # Patched = build 20348.3693 or later for Server 2022
  ```

- Confirm RPC exposure: From an external/segmented host, test reachability:

  ```
  nmap -p 135,445 <DC_IP> --open
  ```

  If ports 135 or 445 are reachable from untrusted segments, those DCs are exposed to exploitation.
- Review Windows Event Log: On each DC, check for Event ID 5805 (Netlogon authentication failure with anomalous parameters) or repeated failures from single source IPs.
Automated Scanning
Nessus / Tenable:
- Plugin ID: 314355 ("Windows DNS/Netlogon May 2026 Missing Patch")
- Run an authenticated scan against all domain controllers; flag any that do not report the May 2026 cumulative update.
Microsoft Baseline Security Analyzer / Windows Update Compliance (Intune):
- Use the Intune compliance policy `Require Windows Security Updates` and target your DC OUs.
- Filter the Update Compliance dashboard for KB5061768 (Server 2022), KB5061774 (Server 2019), KB5061789 (Server 2016).
Qualys/Rapid7 InsightVM:
- Search QID/CVE filter for CVE-2026-41089; scan result will flag unpatched domain controllers.
OpenVAS / Greenbone:
```bash
# Run authenticated scan, then query results:
gvm-cli --gmp-username admin --gmp-password pass socket \
  --xml "<get_results filter=\"CVE-2026-41089\"/>"
```
Suricata / Zeek (IDS network detection):
```
# Suricata rule: anomalous Netlogon RPC packet size
# (|05 00 00 03| is the start of a DCE/RPC request header: version 5.0, packet type 0, first+last fragment flags)
alert tcp any any -> $DC_NET 135 (msg:"CVE-2026-41089 Suspected Netlogon Overflow"; \
    flow:to_server,established; \
    content:"|05 00 00 03|"; \
    dsize:>4096; \
    threshold:type limit, track by_src, count 3, seconds 10; \
    classtype:attempted-admin; sid:9002608941089; rev:1;)
```
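The rule above keys on the DCE/RPC header bytes and the payload size. The C below is an added example, not Suricata's or any project's code: it parses the connection-oriented DCE/RPC common header the rule matches on, honours the header's own byte-order flag, and applies the same verdict in code. Struct and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define DCERPC_HDR_LEN        16
#define DCERPC_PTYPE_REQUEST  0
#define SUSPICIOUS_FRAG_BYTES 4096  /* the dsize threshold used by the Suricata rule above */

/* Header fields the check needs, from the connection-oriented DCE/RPC common header (DCE 1.1 RPC). */
struct dcerpc_hdr {
    uint8_t  ptype;          /* 0 = request */
    bool     little_endian;  /* integer byte order from the data representation byte */
    uint16_t frag_length;    /* declared length of this PDU, in header byte order */
};

/* Returns false unless the first 16 bytes form a version 5.0 DCE/RPC header. */
bool dcerpc_parse_header(const uint8_t *pkt, size_t len, struct dcerpc_hdr *h)
{
    if (len < DCERPC_HDR_LEN || pkt[0] != 5 || pkt[1] != 0)
        return false;
    h->ptype = pkt[2];
    h->little_endian = (pkt[4] & 0xF0) == 0x10;  /* high nibble 1 = little-endian integers */
    h->frag_length = h->little_endian ? (uint16_t)(pkt[8] | (pkt[9] << 8))
                                      : (uint16_t)((pkt[8] << 8) | pkt[9]);
    return true;
}

/* The rule's intent in code: a request PDU declaring more than SUSPICIOUS_FRAG_BYTES.
 * A declared length larger than the bytes actually received is flagged too (malformed PDU). */
bool dcerpc_request_is_suspicious(const struct dcerpc_hdr *h, size_t received_len)
{
    if (h->ptype != DCERPC_PTYPE_REQUEST)
        return false;
    return h->frag_length > SUSPICIOUS_FRAG_BYTES || h->frag_length > received_len;
}

/* Constructed request header (not captured traffic) claiming frag_length bytes, evaluated
 * as if received_len bytes arrived. Returns -1 on parse failure, 0 benign, 1 suspicious. */
int check_request(uint16_t frag_length, bool little_endian, size_t received_len)
{
    uint8_t pkt[DCERPC_HDR_LEN] = { 0x05, 0x00, 0x00, 0x03, 0x10, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0 };
    struct dcerpc_hdr h;
    if (!little_endian) pkt[4] = 0x00;        /* big-endian data representation */
    pkt[8] = (uint8_t)(little_endian ? frag_length : frag_length >> 8);
    pkt[9] = (uint8_t)(little_endian ? frag_length >> 8 : frag_length);
    if (!dcerpc_parse_header(pkt, sizeof pkt, &h))
        return -1;
    return dcerpc_request_is_suspicious(&h, received_len) ? 1 : 0;
}
```

Suricata's `dsize` measures the actual TCP payload, whereas `frag_length` is what the sender declares; comparing the two catches PDUs whose header and payload disagree as well.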
Code Review Checklist
- Confirm Netlogon service binary version on all DCs:
Get-Item C:\Windows\System32\netlogon.dll | Select-Object VersionInfo - Verify no custom RPC filters block the May 2026 cumulative update rollout
- Check that Windows Update is not paused or deferred on DC group policy
- Confirm no third-party AV or EDR tools exempt
lsass.exefrom monitoring (needed for behavioral detection) - Audit whether DC management ports (135, 445) are firewalled from workstation segments
4. How to Fix It (Mitigation)
Step-by-Step Remediation
- Apply the May 2026 Patch Tuesday cumulative update immediately — this is the only complete fix.
  - Windows Server 2025: KB5061768
  - Windows Server 2022: KB5061768
  - Windows Server 2019: KB5061774
  - Windows Server 2016: KB5061786
  - Windows Server 2012 R2: KB5061789 (requires Extended Security Update subscription)
- Prioritize domain controllers first. Microsoft explicitly advises patching DCs before member servers or workstations, given that DC compromise cascades to every system in the domain.
- Download via Windows Update, WSUS, or direct from Microsoft Update Catalog:

  ```powershell
  # Force Windows Update check and install from PowerShell (requires admin):
  Install-Module PSWindowsUpdate -Force
  Import-Module PSWindowsUpdate
  Get-WindowsUpdate -KBArticleID "KB5061768" -Install -AcceptAll -AutoReboot
  ```

- If immediate patching is not possible, apply the temporary workaround: Microsoft released a one-click mitigation tool that adds an RPC interface restriction to disable the vulnerable Netlogon code path without fully removing the Netlogon service. Note: this may impact non-DC systems that rely on specific MS-NRPC calls, so test in staging first.

  ```powershell
  # Download and apply Microsoft's temporary mitigation script
  # (Available from Microsoft Security Response Center guidance page)
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
      -Name "RequireSignOrSeal" -Value 1
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
      -Name "SealSecureChannel" -Value 1
  ```

- Isolate exposed DCs: Block inbound TCP 135 and 445 from all untrusted network segments (internet, guest Wi-Fi, contractor VLANs) using Windows Firewall with Advanced Security or perimeter firewall rules.
- Reboot domain controllers after applying the patch to ensure the new netlogon.dll is loaded.
Configuration Hardening
```powershell
# Enforce Netlogon Secure Channel Signing & Sealing (Defense-in-Depth)
# These settings don't patch the CVE but reduce exposure to related attacks
$NetlogonRegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
Set-ItemProperty -Path $NetlogonRegPath -Name "RequireSignOrSeal" -Value 1
Set-ItemProperty -Path $NetlogonRegPath -Name "SealSecureChannel" -Value 1
Set-ItemProperty -Path $NetlogonRegPath -Name "SignSecureChannel" -Value 1
Set-ItemProperty -Path $NetlogonRegPath -Name "RequireStrongKey" -Value 1

# Restrict RPC access: block anonymous RPC endpoint mapper queries
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" `
    -Name "RestrictRemoteClients" -Value 1
```
5. How to Test the Fix (Validation)
Regression Test Scenarios
- Scenario A: Confirm domain authentication continues to work after patching — have users on member servers authenticate, check Group Policy applies, and verify domain trust replication completes without error.
- Scenario B: Re-run the Nessus/Tenable scan targeting CVE-2026-41089; patched DCs must return a clean result.
- Scenario C: Attempt Netlogon connectivity from a network segment that should now be firewalled from DC ports 135/445 — connection must time out.
Security Test Cases
Test Case 1: Patch Verification
- Precondition: Apply KB5061768 (or version-appropriate patch) and reboot DC.
- Steps: Run `Get-HotFix -Id KB5061768` and verify the output shows an installed date.
- Expected Result: Hotfix present; `netlogon.dll` file version = 10.0.20348.3693 or later.
Test Case 2: Vulnerability No Longer Exploitable
- Precondition: Patched DC, PoC tool available in isolated test environment.
- Steps: Execute CVE-2026-41089 PoC against the patched DC from a test attacker host.
- Expected Result: Connection rejected or returns `STATUS_INVALID_PARAMETER`; no code execution; no crash of lsass.exe.
Test Case 3: Firewall Segmentation
- Precondition: Perimeter/VLAN firewall rules blocking TCP 135/445 to DC from untrusted segments.
- Steps: Attempt `nmap -p 135,445 <DC_IP>` from a workstation VLAN.
- Expected Result: Ports reported as filtered; no response.
Automated Tests
```powershell
# PowerShell Pester test — validates patch presence on all DCs in domain
Describe "CVE-2026-41089 Patch Validation" {
    $DomainControllers = (Get-ADDomainController -Filter *).Name
    foreach ($DC in $DomainControllers) {
        Context "Domain Controller: $DC" {
            It "Has May 2026 cumulative update installed" {
                $hotfix = Invoke-Command -ComputerName $DC -ScriptBlock {
                    Get-HotFix | Where-Object { $_.HotFixID -in @("KB5061768","KB5061774","KB5061786","KB5061789") }
                }
                $hotfix | Should -Not -BeNullOrEmpty
            }
            It "Netlogon.dll is patched version" {
                # Assemble the version from its numeric parts: the FileVersion string on
                # Windows binaries often carries trailing build text that breaks a [version] cast.
                $dll = Invoke-Command -ComputerName $DC -ScriptBlock {
                    $v = (Get-Item "C:\Windows\System32\netlogon.dll").VersionInfo
                    "$($v.FileMajorPart).$($v.FileMinorPart).$($v.FileBuildPart).$($v.FilePrivatePart)"
                }
                [version]$dll | Should -BeGreaterThan ([version]"10.0.20348.3692")
            }
        }
    }
}
```
6. Prevention & Hardening
Best Practices
- Apply security updates within 24 hours for critical vulnerabilities affecting domain controllers. The Active Directory attack surface means a single DC compromise = full domain compromise. Establish an emergency patching SLA for CVSS 9.0+.
- Never expose domain controllers to untrusted networks. DCs should be isolated on dedicated management VLANs; inbound connections from internet, DMZ, or guest networks must be blocked at the firewall and Windows Firewall level.
- Enforce Privileged Access Workstations (PAWs) for all DC management. No browsing, email, or general-purpose use on systems used to manage domain controllers.
- Implement credential tiering (Microsoft Tier Model or Enterprise Access Model). Domain Admins should only log in to Tier 0 systems; lateral movement from compromised workstations to DCs should be architecturally prevented.
- Regularly test your patch posture. Run vulnerability scans against DCs weekly; integrate patch compliance reporting into your security dashboard.
Monitoring & Detection
```powershell
# Monitor for anomalous Netlogon activity via Windows Event Log
# Event 5805 = Netlogon session setup failure with unusual parameters
Get-WinEvent -ComputerName <DC_Name> -FilterHashtable @{
    LogName   = 'System'
    Id        = 5805
    StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Message | Format-List
```
SIEM detection rules to create:
- Alert on >10 Netlogon authentication failures from a single source IP within 60 seconds (potential exploit brute-force/scanning).
- Alert on lsass.exe spawning unexpected child processes (indicator of successful code execution post-exploitation).
- Alert on new SYSTEM-level service or scheduled task creation on a DC outside of change windows.
- Alert on Active Directory replication errors immediately following unusual network traffic to a DC.
Threat hunting queries (Microsoft Sentinel KQL):
```kusto
// Detect potential CVE-2026-41089 exploitation — lsass spawning unusual children
SecurityEvent
| where EventID == 4688
| where ParentProcessName has "lsass.exe"
| where NewProcessName !in ("C:\\Windows\\System32\\werfault.exe")
| project TimeGenerated, Computer, ParentProcessName, NewProcessName, CommandLine
| where Computer in (toscalar(
    SecurityEvent
    | where EventID == 4742
    | where TargetUserName endswith "$"
    | summarize make_set(Computer)))
```
References
- CVE Entry: CVE-2026-41089 — NVD Detail
- Microsoft Security Advisory: May 2026 Security Updates
- BleepingComputer Coverage: Microsoft May 2026 Patch Tuesday
- Hacker News Analysis: Microsoft Patches 138 Vulnerabilities Including DNS and Netlogon RCE Flaws
- Technical Breakdown: CVE-2026-41089 Netlogon RCE — Sherlock Forensics
- Patch Analysis: Zero Day Initiative May 2026 Security Update Review
- Tenable Coverage: May 2026 Patch Tuesday — Tenable
- Windows Update Catalog: Microsoft Update Catalog