Code execution possible: critical gap in Windows Server is actively exploited
Attackers are using a critical vulnerability in the Netlogon code of Windows Server to break into networks, the Belgian cybersecurity authority CCB reports. A single crafted packet sent to the domain controller is apparently enough for the attack. System administrators should check as soon as possible whether the patches Microsoft released in May are installed on their systems.
The vulnerability, tracked as CVE-2026-41089, is a stack-based buffer overflow that can be triggered with a crafted packet sent to the domain controller. According to an alleged proof-of-concept exploit (PoC), the overflow lies in the username parameter of an LDAP packet sent via UDP (a CLDAP locator ping). Although the PoC only crashes the LSASS service, Microsoft's assessment is that injecting malicious code is also possible, which explains the high CVSS score of 9.8 (rated critical).
Patch quickly and look for intruders
The vulnerability affects all currently supported versions of Windows Server, including the latest edition, Windows Server 2025. Microsoft already released patches on 12 May; anyone who has not yet installed them should do so now, and should also check whether an unwanted visitor has already been on the unpatched server. According to the PoC author, the system logs can be searched for CLDAP requests with an unusually long "user" attribute or for LSASS crashes with Event ID 1000 (netlogon.dll).
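The second of those two indicators, an LSASS crash with netlogon.dll as the faulting module, can be checked directly on a domain controller from the Windows Application log. The script below is an added example written for this article, not code from heise, the CCB or the PoC author. It assumes it is run with administrative rights on the domain controller (or against it with -ComputerName), that the crash is recorded by the "Application Error" provider as Event ID 1000 (the standard source for application crashes), and that the KB number of the May update is filled in from the Microsoft advisory, since the article does not name it. The first indicator, an over-long "user" attribute in CLDAP requests, lives in UDP/389 traffic and needs a packet capture or network sensor; it is not covered here.

```powershell
# Added example (not from the article): hunt for LSASS crashes attributed to
# netlogon.dll and confirm the May patch is present on a domain controller.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30,                 # look-back window; adjust to cover the unpatched period
    [string]$PatchKb = 'KB_PLACEHOLDER'  # replace with the KB from the Microsoft advisory
)

# Event ID 1000 from provider "Application Error" is the generic crash record.
# Its message lists "Faulting application name" and "Faulting module name".
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
}

$crashes = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' -and $_.Message -match 'netlogon\.dll' } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { (($_.Message -split "`r?`n")[0..5]) -join ' | ' } }

if ($crashes) {
    Write-Warning "LSASS crashed with netlogon.dll as faulting module on $ComputerName ($($crashes.Count) event(s)). Treat as a possible exploitation attempt and preserve the logs."
    $crashes | Format-Table -AutoSize
} else {
    Write-Output "No LSASS/netlogon.dll crash events (ID 1000) in the last $Days days on $ComputerName."
}

# Patch status: Get-HotFix reads installed updates from the target machine.
if ($PatchKb -eq 'KB_PLACEHOLDER') {
    Write-Warning 'Set -PatchKb to the KB number from the Microsoft advisory to check patch status.'
} elseif (Get-HotFix -Id $PatchKb -ComputerName $ComputerName -ErrorAction SilentlyContinue) {
    Write-Output "$PatchKb is installed on $ComputerName."
} else {
    Write-Warning "$PatchKb is NOT installed on $ComputerName; install the May update before anything else."
}
```

Run it against each domain controller, since every DC answers CLDAP locator pings and any of them may have been targeted. A crash hit on an unpatched DC is a reason to start incident response rather than just to patch: the PoC only crashes LSASS, but the article notes that code execution is considered possible.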
Vulnerabilities in Microsoft products, and the way the Redmond software giant handles them, are currently the subject of heated debate in the IT security scene. The debate is fuelled mainly by Microsoft's treatment of the anonymous security researcher who goes by the name "Chaotic Eclipse".
(Dr. Christopher Kunz)
