Because CVE-2026-41089 is the kind of vulnerability that turns “later” into ransomware
Hello.
Every few years, Active Directory gets reminded that some components are simply too important to fail quietly.
Netlogon is one of them.
And CVE-2026-41089 is exactly the type of vulnerability security teams hate seeing:
remote code execution
no credentials required
no user interaction
SYSTEM privileges
active exploitation already confirmed
Researchers describe it as wormable.
That combination should already make most people uncomfortable.
Because when the words “unauthenticated RCE” and “domain controller” appear together, the conversation changes immediately.
Why this vulnerability is different
Many vulnerabilities are dangerous.
Very few vulnerabilities allow:
one network packet
→ remote code execution
→ SYSTEM privileges
→ domain compromise
This vulnerability affects Windows Netlogon, one of the core components responsible for domain authentication and trust operations.
An attacker does not need:
credentials
phishing
local access
privilege escalation
The exploit path is disturbingly short.
Malformed network traffic hits Netlogon.
Code executes.
SYSTEM privileges obtained.
Game changes.
Why Domain Controllers make everything worse
Remote SYSTEM on a workstation is bad.
Remote SYSTEM on a Domain Controller is a completely different category.
Because Domain Controllers hold:
Active Directory database
Kerberos infrastructure
authentication services
trust relationships
Group Policy control plane
From there, attackers can:
extract NTDS.dit
dump password hashes
create persistence accounts
disable security tooling
modify GPO
push ransomware everywhere
That is why researchers keep comparing this to Zerologon (CVE-2020-1472).
Not because the mechanics are identical: Zerologon was an authentication bypass in the Netlogon secure channel, not code execution.
Because the blast radius feels very familiar.
Why “patch later” is dangerous
Here is what happened:
Initial disclosure:
rated “Exploitation Less Likely” in the exploitability assessment
Two weeks later:
active exploitation confirmed
That escalation speed matters.
Attackers increasingly weaponise vulnerabilities faster than enterprise patch cycles can react.
If your process still looks like:
Patch Tuesday
testing window
approval process
maintenance window next month
You may already be behind.
Netlogon is more dangerous than people realise
Netlogon sits inside authentication flows.
Which means it is everywhere.
Typical communications include:
Domain Controllers ↔ clients
Domain Controllers ↔ servers
Domain Controllers ↔ Domain Controllers
And because RPC and Netlogon traffic are often broadly allowed internally, attackers love abusing them.
This is why segmentation matters.
A Domain Controller should not behave like:
“another Windows server”
Because it is not.
Supported servers need patching immediately
Microsoft released fixes for supported versions.
That includes:
Server 2012 / 2012 R2 (fixes reach these only through Extended Security Updates; standard support ended in October 2023)
Server 2016
Server 2019
Server 2022
Server 2025
The important part:
patch all Domain Controllers during the same maintenance window, starting with the ones reachable from the widest set of networks
Why?
Because an unauthenticated attacker needs only one unpatched DC, and a single missed replica hands them the whole domain.
And because mixed states create operational weirdness, which authentication infrastructure hates.
The uncomfortable conversation: out-of-support servers
This is where things get ugly.
According to researchers, similar vulnerable Netlogon code exists in:
Server 2008
Server 2008 R2
Server 2003
Server 2000
These systems may never receive fixes.
Meaning:
If vulnerable + exposed
then vulnerable forever
Which leaves only three realistic options:
virtual patching
segmentation
decommissioning
There is no magical fourth option.
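As an added example (not part of the original post), a PowerShell inventory that serves both the “patch every supported Domain Controller” point and the out-of-support list above: it enumerates every DC from Active Directory, flags the operating systems the post says may never be fixed, and checks whether a given update is installed on the rest. The KB number is a parameter with a placeholder, because the advisory’s KB is not quoted on this page; the script assumes the RSAT ActiveDirectory module and remote WMI access to each DC.

```powershell
# Added example, not from the original post.
# Inventory every Domain Controller, flag OS versions the post lists as likely never
# to be fixed, and check whether the given update is installed on the others.
param(
    # Placeholder: substitute the KB number from Microsoft's advisory for CVE-2026-41089.
    [Parameter(Mandatory)][string]$KB
)
Import-Module ActiveDirectory

# OS names the post says may never receive a fix (assumption: matched by name only).
$legacy = 'Windows 2000|Server 2003|Server 2008'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $status    = if ($dc.OperatingSystem -match $legacy) { 'OUT-OF-SUPPORT' } else { 'supported' }
    $patched   = 'n/a'
    $installed = $null

    if ($status -eq 'supported') {
        try {
            # Get-HotFix queries Win32_QuickFixEngineering over WMI on the remote DC.
            $hf = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                  Where-Object { $_.HotFixID -eq $KB }
            if ($hf) { $patched = $true;  $installed = $hf.InstalledOn }
            else     { $patched = $false }
        } catch {
            # Remote query failed (WMI blocked, host down): do not silently count it as patched.
            $patched = 'unknown'
        }
    }

    [pscustomobject]@{
        DC        = $dc.HostName
        Site      = $dc.Site
        OS        = $dc.OperatingSystem
        Build     = $dc.OperatingSystemVersion
        Status    = $status
        Patched   = $patched
        Installed = $installed
    }
}

$report | Sort-Object Status, Patched | Format-Table -AutoSize

# Action list: out-of-support DCs, supported DCs without the update, and DCs we could not verify.
$report | Where-Object { $_.Status -eq 'OUT-OF-SUPPORT' -or $_.Patched -ne $true }
```

Run it from a management host that can reach every DC; anything in the action list is either a patch job, a segmentation job, or a decommissioning job, and a DC that reports “unknown” should be treated as unpatched until proven otherwise.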
Virtual patching suddenly becomes important again
Most people prefer:
“just install the patch”
Reasonable.
But some environments cannot.
This is where virtual patching becomes useful.
Network-layer filtering (an IPS or firewall in front of the Domain Controller) can:
detect exploit traffic
block malformed requests
buy remediation time
The caveat: the filter has to tell malformed MS-NRPC apart from the legitimate Netlogon RPC that every domain member sends, so a coarse block of all RPC to a Domain Controller breaks logons rather than protecting them.
This is not equivalent to patching.
But it is dramatically better than:
“we will upgrade next quarter”
Azure and hybrid identity make this more dangerous
Years ago:
compromise DC
compromise domain
Today:
compromise DC
potentially impact:
hybrid identity
Entra sync
privileged sessions
cloud authentication workflows
Conditional Access dependencies
Hybrid identity removed many boundaries.
Which means:
on-prem compromise increasingly affects cloud infrastructure too.
What organisations should do immediately
Patch
Every supported Domain Controller.
Not some.
All.
Segment
Restrict:
RPC exposure
Netlogon traffic
lateral movement paths
Domain Controllers belong in dedicated segments.
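As an added example (not part of the original post), one way to cut RPC and Netlogon exposure on a Domain Controller itself with Windows Firewall. Netlogon is reached over RPC: through the named pipe on TCP 445 and through dynamic RPC ports negotiated via the endpoint mapper on TCP 135. Windows Firewall evaluates block rules before allow rules, so a block rule scoped to untrusted source ranges takes effect even though the built-in Domain Controller allow rules permit these ports from any address. The subnets below are constructed placeholders.

```powershell
# Added example, not from the original post. Run on each Domain Controller (or deploy by GPO).
# Blocks RPC endpoint mapper, SMB (Netlogon named pipe) and the dynamic RPC range
# from source ranges that should never talk to a DC directly.

# Constructed placeholder ranges: replace with networks that contain no domain members.
$untrusted = @(
    '10.200.0.0/16',    # guest / BYOD
    '10.250.0.0/16',    # DMZ
    '192.168.0.0/16'    # lab / unmanaged
)

# TCP 135 = RPC endpoint mapper, TCP 445 = SMB (\PIPE\NETLOGON), 49152-65535 = dynamic RPC.
$rpcPorts = @('135', '445', '49152-65535')

$name = 'DC - Block RPC and SMB from untrusted networks'

if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Action Block -Protocol TCP `
        -LocalPort $rpcPorts -RemoteAddress $untrusted `
        -Profile Any -Enabled True | Out-Null
}

# Verify the rule and the address/port filters actually attached to it.
Get-NetFirewallRule -DisplayName $name | Format-List DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayName $name | Get-NetFirewallAddressFilter
Get-NetFirewallRule -DisplayName $name | Get-NetFirewallPortFilter
```

Do not put a subnet that contains domain-joined machines in the block list: those hosts need Netlogon to authenticate, and the rule would cause logon failures rather than stop an attacker. Tightening the allow rules to an explicit list of client subnets is the stricter follow-up, and neither step replaces the patch.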
Hunt
Look for:
Netlogon crashes
service restarts
authentication anomalies
unexpected Netlogon traffic
unusual Domain Controller behaviour
Because patching prevents future compromise.
It does not undo previous compromise.
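As an added example (not part of the original post), a PowerShell sweep for the traces the hunt list above describes. Two details matter: on a Domain Controller the Netlogon service is hosted inside lsass.exe, so a crash caused by malformed traffic shows up as lsass.exe faulting (Application log, event 1000) and, because Windows forces a reboot when LSASS dies, as an unexpected shutdown (System log, event 6008), not only as a Netlogon service event (System log, Service Control Manager events 7031/7034/7036). The script assumes the RSAT ActiveDirectory module and remote event log access to each DC.

```powershell
# Added example, not from the original post.
# Collect events consistent with a Netlogon crash or restart on every Domain Controller.
param(
    [string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName,
    [int]$Days = 14
)
$since = (Get-Date).AddDays(-$Days)

$filters = @(
    # Service terminated unexpectedly (7031/7034) or changed state (7036).
    @{ LogName = 'System';      ProviderName = 'Service Control Manager'; Id = 7031, 7034, 7036; StartTime = $since }
    # Application crash records; we keep only lsass.exe, which hosts Netlogon on a DC.
    @{ LogName = 'Application'; ProviderName = 'Application Error';       Id = 1000;             StartTime = $since }
    # Previous shutdown was unexpected (what an LSASS crash looks like from the System log).
    @{ LogName = 'System';      Id = 6008;                                                       StartTime = $since }
)

$hits = foreach ($dc in $DomainControllers) {
    foreach ($f in $filters) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $f -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Id -in @(7031, 7034) -and $_.Message -match 'Netlogon') -or
                ($_.Id -eq 7036           -and $_.Message -match 'Netlogon.*stopped') -or
                ($_.Id -eq 1000           -and $_.Message -match 'lsass\.exe') -or
                ($_.Id -eq 6008)
            } |
            Select-Object @{ n = 'DC'; e = { $dc } },
                          TimeCreated,
                          Id,
                          @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
}

$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

Correlate every hit against your change calendar: a Netlogon stop or an unexpected reboot that lines up with a maintenance window is noise, while one that does not, especially on a DC that was unpatched at the time, is the starting point of an incident investigation, not a patching ticket.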
Review architecture
Ask difficult questions:
Why can everything talk to Domain Controllers?
Why are old servers still present?
Why are DCs exposed more than necessary?
This vulnerability may expose architectural debt more than technical debt.
Why this is really scary
The terrifying part is not:
CVSS 9.8
The terrifying part is:
Domain Controllers remain some of the few systems where:
one mistake
can compromise everything
Modern security stacks can survive:
endpoint compromise
user compromise
single-server compromise
Domain compromise?
Much harder.
Final thought
This vulnerability is a reminder of something uncomfortable.
Many organisations spent years modernising:
cloud workloads
containers
Zero Trust
AI security
Meanwhile:
core authentication infrastructure remained largely unchanged.
Netlogon still matters.
Domain Controllers still matter.
And vulnerabilities affecting them still create the largest blast radius in enterprise environments.
So if your patching strategy for Domain Controllers is:
“we will get to it”
That timeline probably needs changing.
TL;DR
CVE-2026-41089 is:
unauthenticated
remote code execution
SYSTEM privileges
actively exploited
potentially wormable
Patch supported servers immediately.
Segment Domain Controllers aggressively.
Treat out-of-support servers as exploitable.
And remember:
A Domain Controller vulnerability is rarely “just another Windows vulnerability.”