Hackers are now actively exploiting a critical flaw in Windows Netlogon — the service that handles authentication for computers and servers on a company network. The vulnerability, tracked as CVE-2026-41089, is a stack-based buffer overflow that allows an attacker with no privileges and no password to remotely run malicious code on a domain controller, the most sensitive server in most corporate environments. Microsoft patched this flaw in a recent Patch Tuesday update, but attackers have now weaponized it against unpatched systems.
In plain terms: if a company’s Windows Server hasn’t been updated, an attacker anywhere on the internet can exploit this bug to gain full control of the server that manages every user login, password, and access permission on the network. For businesses and organizations still running unpatched servers, the risk is severe — a compromised domain controller effectively hands attackers the keys to the entire network.
How to check if you’re affected
Affected versions include all currently supported Windows Server versions including Windows Server 2019, 2022, and 2025. IT administrators should check Windows Update or Windows Server Update Services (WSUS) for the latest cumulative update. On the server, open Settings → Windows Update or run winver to confirm the current build number, then verify it matches Microsoft’s June 2026 patched build. Organizations using Microsoft Defender for Endpoint can also check for CVE-2026-41089 alerts in their security dashboard.