Security Advisory 2026-007

What Happened

A critical security flaw has been discovered in Windows Server that affects domain controllers, which are the central servers managing network security. This flaw allows attackers to take complete control of the server without needing a password, simply by sending malicious network traffic. Because domain controllers are highly privileged in a corporate network, this is a severe issue that is already being used by hackers in real-world attacks. Organizations should immediately apply the latest security updates provided by Microsoft to protect their networks.

Key Takeaways

• A critical stack-based buffer overflow vulnerability (CVE-2026-41089) exists in Windows Netlogon.
• The flaw allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges on targeted domain controllers.
• The vulnerability is currently being actively exploited in the wild.
• Immediate patching of affected Windows Server versions is strongly recommended.

Affected Systems

• Windows Server 2012 / 2012 R2
• Windows Server 2016 (prior to 10.0.14393.9140)
• Windows Server 2019 (prior to 10.0.17763.8755)
• Windows Server 2022 (prior to 10.0.20348.5074)
• Windows Server 2022 23H2 (prior to 10.0.25398.2330)
• Windows Server 2025 (prior to 10.0.26100.32772)
• Windows Domain Controllers

Vulnerabilities (CVEs)

• CVE-2026-41089

Attack Chain

An unauthenticated attacker targets a Windows Server acting as a domain controller. The attacker sends specially crafted packets over the network to the Windows Netlogon service. These packets trigger a stack-based buffer overflow (CVE-2026-41089), resulting in the execution of arbitrary code with SYSTEM privileges.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect post-exploitation activity such as anomalous child processes spawning from Netlogon-related processes, but might not catch the initial network packet exploitation without specific network signatures. Network Visibility: High — The exploit relies on specially crafted network packets sent to the Netlogon service, which can be detected by IDS/IPS if signatures for the buffer overflow are available. Detection Difficulty: Moderate — Detecting the exact exploit requires deep packet inspection of Netlogon RPC traffic. However, post-exploitation behavior (SYSTEM level execution from Netlogon) is easier to detect.

Required Log Sources

• Windows Event Logs (System, Security)
• Network Traffic Logs
• EDR Process Telemetry

Hunting Hypotheses

Control Gaps

• Lack of network segmentation isolating Domain Controllers from untrusted network segments
• Missing IDS/IPS signatures for CVE-2026-41089

Key Behavioral Indicators

• Unexpected process execution with SYSTEM privileges originating from Netlogon-related services
• Crash events in the Netlogon service (Event ID 1000 or 7034) indicating failed exploit attempts

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Apply the Microsoft security updates for CVE-2026-41089 to all affected Windows Server Domain Controllers immediately.

Infrastructure Hardening

• Evaluate whether network segmentation can be improved to restrict access to Domain Controller RPC/Netlogon ports from untrusted networks.
• Consider implementing virtual patching or IDS/IPS rules to block known exploit patterns for CVE-2026-41089 if patching is delayed.

User Protection

• N/A

Security Awareness

• N/A

MITRE ATT&CK Mapping

• T1210 - Exploitation of Remote Services
• T1068 - Exploitation for Privilege Escalation