Attackers are exploiting a critical security vulnerability in the Netlogon code of Windows Server to break into networks, the Belgian cybersecurity authority CCB reports. Apparently, a single manipulated packet sent to the domain controller is sufficient for the attack. System administrators should check as quickly as possible whether the patches Microsoft provided in May are installed on their systems.

The security vulnerability, tracked as CVE-2026-41089, is a stack-based buffer overflow that can be triggered with a prepared packet sent to the domain controller. According to an alleged proof-of-concept exploit (PoC) circulating on GitHub, the overflow lies in the username parameter of an LDAP packet (a CLDAP Locator Ping) sent via UDP. Although the PoC only crashes the LSASS service, code injection is also possible according to Microsoft's assessment, which explains the high CVSS score of 9.8 (rated critical).

Patch quickly and search for intruders

The security vulnerability affects all currently maintained versions of Windows Server, including the latest edition, Windows Server 2025. Microsoft already provided patches on May 12 -- those who haven't installed them yet should do so immediately, and then check whether unwanted visitors were already present on the unpatched server. According to the PoC author, administrators can search system logs for CLDAP requests with an unusually long "User" attribute, or for LSASS crashes logged as Event ID 1000 with netlogon.dll as the faulting module.
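The two checks recommended above (is the May update present, and has LSASS crashed in netlogon.dll) can be run on a domain controller with a short PowerShell script. The following is an added example written for this page; it is not code from the CCB, Microsoft or the PoC author. It assumes the May 12 release date from the article as the cutoff for installed updates and looks back 90 days in the Application log; the exact KB number of the fix is not given on this page and must be confirmed against Microsoft's release notes.

```powershell
# Added example (not from the advisory or the PoC author): triage checks for
# CVE-2026-41089 on a Windows Server domain controller. Run in an elevated
# PowerShell session on the DC itself.

# Assumption: the article gives May 12 as the patch release date; any update
# installed before that date cannot contain the fix.
$PatchDate  = Get-Date '2026-05-12'
$LookBackDays = 90

# --- 1. Has anything been installed since the May patch release? ---------
# Get-HotFix reads Win32_QuickFixEngineering; InstalledOn is a DateTime.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchDate }
if ($recent) {
    "Updates installed on or after $($PatchDate.ToShortDateString()):"
    $recent | Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
    "Confirm that the May cumulative update for this OS build is among them."
} else {
    Write-Warning "No updates installed since $($PatchDate.ToShortDateString()). Treat this DC as unpatched."
}

# --- 2. LSASS crashes attributed to netlogon.dll (Event ID 1000) ----------
# Event ID 1000 from provider 'Application Error' is the generic application
# crash record; the message names the faulting process and faulting module.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$LookBackDays)
}
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' -and $_.Message -match 'netlogon\.dll' }

if ($crashes) {
    Write-Warning "$($crashes.Count) LSASS crash(es) in netlogon.dll found in the last $LookBackDays days:"
    $crashes | Select-Object TimeCreated, MachineName, Message | Format-List
    # Export for the incident record; adjust the path as needed.
    $crashes | Export-Csv -Path "$env:TEMP\lsass-netlogon-crashes.csv" -NoTypeInformation
} else {
    "No LSASS crashes attributed to netlogon.dll in the last $LookBackDays days."
}
```

A crash hit before the update was installed is a strong signal that the exploitation attempt reached the machine, even if it only produced a denial of service; a hit after the update date warrants checking that the server actually rebooted into the patched build. The third indicator from the article, CLDAP requests with an unusually long "User" attribute, is network-level telemetry (UDP 389 captures or a sensor in front of the DC) and is not covered by this host-side script.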