On 12 May 2026, Microsoft patched CVE-2026-41089 as part of its monthly Patch Tuesday cycle, alongside 136 other vulnerabilities. On 29 May, the Belgian Centre for Cybersecurity (CCB) updated its advisory to confirm active exploitation in the wild. By early June, public proof-of-concept exploit code was available and multiple threat actor groups were actively targeting unpatched domain controllers. The vulnerability is a CVSS 9.8 stack-based buffer overflow in the Windows Netlogon service: unauthenticated, network-exploitable, and domain-ending on successful compromise. For Swiss organisations running on-premises Active Directory, which is the overwhelming majority of mid-to-large enterprises and public sector bodies, this requires a same-week response, not standard patch scheduling.
Technical Anatomy: Why Netlogon RCE Is Domain-Ending
CVE-2026-41089 is a stack-based buffer overflow in the Netlogon Remote Protocol (MS-NRPC) server, which runs inside the Local Security Authority process (lsass.exe) on every Windows Server acting as a domain controller. It is triggered by a crafted Netlogon RPC request sent over the network, with no authentication and no user interaction. MS-NRPC is reachable in two ways: over TCP/IP, where the client asks the RPC endpoint mapper on TCP 135 for the dynamic port of the Netlogon interface and then connects to that port, and over SMB (TCP 445) through the \PIPE\NETLOGON named pipe. Any host that can reach a domain controller on those ports is a potential attack source.
Successful exploitation grants the attacker SYSTEM-level code execution directly on the domain controller. The consequences extend far beyond the compromised server. Active Directory is the authentication and authorisation backbone of every Windows-integrated environment: a compromised domain controller means full control over the AD domain, the ability to create and modify privileged accounts, the ability to forge Kerberos tickets, and unrestricted lateral movement to every system that authenticates against that controller — which is effectively every system in the organisation.
The comparison to Zerologon (CVE-2020-1472) is apt and intentional, with one distinction worth stating: Zerologon was a cryptographic flaw (a zero IV in the AES-CFB8 used by the Netlogon authentication handshake) that let an attacker reset a domain controller's machine account password, whereas CVE-2026-41089 is memory corruption that yields code execution on the DC itself. Both target the Netlogon protocol, both are unauthenticated, and both deliver domain-wide compromise on successful exploitation. The difference in 2026 is exploitation speed: roughly a month separated Zerologon's August 2020 patch from the public write-up and proof-of-concept code in September 2020, which gave most organisations time to patch before exploitation began; this time the public PoC appeared faster, and active exploitation was confirmed within three weeks of the patch.
The Partial Patching Trap: An Unusual Operational Constraint
CVE-2026-41089 introduces a patching constraint that is rare but critical for Swiss IT teams to communicate to change management boards and operations leadership: partial patching creates a state that is operationally worse than no patching at all.
In a multi-domain-controller environment, the standard architecture for any Swiss organisation above SME scale, patching some controllers while others remain vulnerable does not reduce risk. Attackers with network access enumerate every DC in the domain (the DNS SRV records under _msdcs list all of them) and simply target the unpatched ones. Because a single compromised DC yields the whole domain, the domain's exposure is determined by its least-patched reachable DC, not by the fraction of DCs that have been patched. A half-patched domain therefore provides no meaningful protection while consuming the maintenance window budget that could have been used for complete remediation.
This means the patching action for CVE-2026-41089 must be planned as a single-window operation: all domain controllers, including read-only domain controllers (RODCs) in branch offices and remote sites, patched simultaneously. For Swiss organisations with distributed infrastructure — cantonal governments with multiple data centres, bank branch networks, hospital groups spanning multiple campuses — this requires coordinated change management that is qualitatively different from standard rolling patch deployments.
The change management case is straightforward: present the vulnerability's blast radius (full domain compromise), the exploitation status (active, public PoC), and the single-window patching constraint as a deviation from standard procedure. Document the business justification explicitly. Change boards that understand the Zerologon precedent will approve this without extended review.
Swiss Active Directory Landscape and Exposure Surface
Switzerland's on-premises Active Directory footprint reflects its regulatory and infrastructure reality. FINMA-regulated entities maintain on-premises AD for data residency compliance and because many core banking and insurance systems are not yet cloud-integrated. Swiss cantonal administrations operate distributed multi-DC environments spanning multiple buildings and data centres. Hospital groups run AD as the authentication backbone for clinical systems where cloud dependency creates operational risk. Swiss industrial and manufacturing firms maintain on-premises AD for OT/IT integration.
Each of these environments has characteristics that affect the CVE-2026-41089 response plan. Multi-site organisations must account for inter-site replication topology when scheduling the patching window: every site must complete before the window closes. Organisations running Microsoft Entra Connect (formerly Azure AD Connect) should note that the connector server is a domain member, not a domain controller, so it does not expose the vulnerable Netlogon server interface; it does, however, hold a synchronisation account with directory replication rights and sits on the same network as the DCs, so include it in the patch window and in the post-patch privileged-account review. Environments using AD Federation Services must validate ADFS sign-in after patching before declaring the maintenance window closed.
Read-only domain controllers deserve specific attention. RODCs are commonly deployed at branch offices because they are considered lower-value targets, but an RODC runs the same Netlogon service and exposes the same RPC interface as a writable DC, so it is directly exploitable by CVE-2026-41089. SYSTEM on an RODC yields every credential cached under its password replication policy, the RODC's own krbtgt account, and a foothold inside a site from which the writable DCs are reachable. RODCs must be patched in the same window as writable controllers.
Detection: Finding Exploitation Before and After Patching
Deploying detection logic before the patching window is not optional: it determines whether you are patching a known-clean environment or an already-compromised one. Pre-authentication indicators are anomalous Netlogon RPC traffic: connections to the RPC endpoint mapper (TCP 135) and the Netlogon dynamic port, or to the NETLOGON named pipe over SMB (TCP 445), from hosts that are not domain members or that sit in no defined AD site; unusual session setup activity in the NETLOGON events of the System log (Event ID 5805, session setup failed to authenticate, and Event ID 5807, connections from IP addresses that map to no site); and, because the Netlogon service runs inside lsass.exe on a domain controller, any child process of lsass.exe (Security Event ID 4688 with process-creation auditing enabled) or other SYSTEM-level process creation on a DC outside normal management tooling.
Post-exploitation indicators concentrate in the Active Directory audit logs: accounts added to privileged groups (Domain Admins, Enterprise Admins, Schema Admins; Event IDs 4728, 4732 and 4756) outside normal provisioning workflows, modifications to the AdminSDHolder object (Event ID 5136, which requires Directory Service Changes auditing with a SACL on the object) that propagate privilege to otherwise-limited accounts, directory replication requests (Event ID 4662 carrying the DS-Replication-Get-Changes-All right, GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) from anything that is not a domain controller or the Entra Connect synchronisation account, and unexplained password resets (Event ID 4724) on the krbtgt or domain controller computer accounts. The Belgian CCB advisory (updated 29 May 2026) provides specific technical indicators of compromise; ingest these into your SIEM before beginning the patch window.
If exploitation indicators are found before patching, the response sequence inverts: the priority becomes containment and forensic preservation, not patch application. Patching a compromised DC without prior forensic capture destroys evidence and may mask the full extent of attacker activity. Engage your incident response process before applying the patch if your pre-patch scan reveals suspicious activity.
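The pre-patch sweep described in this section, as an added example (not code from the advisory, the CCB, or Microsoft). It pulls the four indicator classes above from every domain controller over the exposure window. Assumptions: it runs from a management host with the ActiveDirectory module and Windows Remote Management access to each DC's event logs; process-creation auditing (4688) and Directory Service Changes auditing (5136) are enabled on the DCs; the privileged group names are the English built-in names and need adjusting on localised installations; the look-back window is a parameter you set to cover the whole period since 12 May 2026.

```powershell
# Added example: sweep domain controllers for pre- and post-exploitation indicators.
# Not from the advisory or Microsoft. Assumes ActiveDirectory module + WinRM access,
# 4688 and 5136 auditing enabled, English group names.
param(
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
    [datetime]$Since = (Get-Date).AddDays(-30)   # set so that it covers the whole exposure window
)

# Built-in privileged groups whose membership changes are always reviewable
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-EventDataField {
    # Read a named <Data> element from the event XML; more robust than positional Properties[n]
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Findings = foreach ($dc in $DomainControllers) {
    # 1. Additions to privileged groups (4728 global, 4732 domain-local, 4756 universal)
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since
    } | ForEach-Object {
        $group = Get-EventDataField $_ 'TargetUserName'
        if ($PrivilegedGroups -contains $group) {
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Indicator = 'PrivilegedGroupAdd'
                Detail = "$(Get-EventDataField $_ 'MemberName') added to $group by $(Get-EventDataField $_ 'SubjectUserName')" }
        }
    }

    # 2. Directory changes to AdminSDHolder (5136); a write here propagates to every protected account
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = $Since
    } | ForEach-Object {
        if ((Get-EventDataField $_ 'ObjectDN') -like 'CN=AdminSDHolder,CN=System,*') {
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Indicator = 'AdminSDHolderModified'
                Detail = "$(Get-EventDataField $_ 'AttributeLDAPDisplayName') changed by $(Get-EventDataField $_ 'SubjectUserName')" }
        }
    }

    # 3. lsass.exe (which hosts Netlogon) spawning a child process (4688). Never normal on a DC.
    #    Filtered client-side; on a very busy DC narrow $Since or add an XPath on ParentProcessName.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } | ForEach-Object {
        if ((Get-EventDataField $_ 'ParentProcessName') -like '*\lsass.exe') {
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Indicator = 'LsassChildProcess'
                Detail = "$(Get-EventDataField $_ 'NewProcessName') spawned by lsass.exe" }
        }
    }

    # 4. Netlogon session setup failures (5805) and connections from subnets in no AD site (5807)
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5805, 5807; StartTime = $Since
    } | ForEach-Object {
        [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Indicator = "Netlogon$($_.Id)"
            Detail = ($_.Message -split "`n")[0] }
    }
}

$Findings | Sort-Object Time | Format-Table -AutoSize
```

Any row with Indicator LsassChildProcess or AdminSDHolderModified is a stop-the-line finding under the inversion rule above: preserve the DC (memory image, event logs, netlogon.log) and open the incident before anyone applies the update.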
◆ Key Takeaway
CVE-2026-41089 requires a single-window patching operation covering every domain controller in the environment simultaneously. Partial patching is worse than no patching. Swiss IT teams must communicate this constraint explicitly to change management boards, deploy detection logic before the patch window, and verify complete AD audit health after patching — this is not a standard Patch Tuesday workflow.
- Inventory every domain controller in your environment immediately: writable DCs at all sites, read-only DCs in branch offices, and any VM running the Active Directory Domain Services role. Every one of them requires the May 2026 cumulative update. Entra Connect (Azure AD Connect) and ADFS servers are not domain controllers and do not expose the vulnerable service, but they hold directory-replication or federation credentials and belong in the same window and the same post-patch review.
- Plan and execute DC patching in a single maintenance window; prepare a written justification for change management that explains why rolling patches are not acceptable for this specific vulnerability and cite the active exploitation status and public PoC availability.
- Deploy pre-patch detection before opening the maintenance window: ingest the Belgian CCB IoCs (advisory updated 29 May 2026) into your SIEM, enable verbose Netlogon logging on every DC (nltest /dbflag:0x2080ffff writes to %SystemRoot%\debug\netlogon.log; reset it with nltest /dbflag:0x0 afterwards), confirm that process-creation (4688) and Directory Service Changes (5136) auditing are enabled, and run a baseline privileged-account audit to establish a known-good state.
- If pre-patch scans reveal suspicious indicators — unexpected SYSTEM-level activity on DCs, new privileged accounts outside provisioning workflows, anomalous Netlogon traffic — halt the patch plan and initiate incident response before proceeding.
- For environments where the patching window cannot be opened immediately: restrict network access to the Netlogon RPC surface of each DC (TCP 135 for the endpoint mapper, TCP 445 for the NETLOGON named pipe, and the dynamic RPC port range, 49152–65535 by default) with network or host firewall rules. Be clear about the limit of this mitigation: every domain member uses the Netlogon secure channel for NTLM pass-through authentication and machine password changes, so an allow-list of management hosts and DC-to-DC sources only would break member logons. The workable interim rule is to block these ports from segments that have no need to reach a DC (DMZ, guest, contractor, OT and partner networks, internet-facing VPN pools) while leaving trusted internal subnets open until the patch lands.
- After patching, run a complete AD health check: verify privileged group membership, check AdminSDHolder modifications, review Kerberos policy settings, and confirm replication health across all DC pairs.
- Assess whether this vulnerability meets the threshold for internal incident declaration under FINMA RS 2023/1 — confirmed active exploitation of a critical AD vulnerability in your sector qualifies as a significant ICT risk event in most Swiss financial sector risk frameworks, warranting at minimum a documented risk acceptance or accelerated remediation record.
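The interim firewall restriction from the checklist above, as an added example (not code from the advisory or Microsoft). It blocks the Netlogon-reachable RPC surface from segments that have no business talking to a DC rather than allow-listing management hosts, because the latter breaks the secure channel for every domain member. Assumptions: the segment ranges in the default parameter are constructed placeholders (documentation prefixes) and must be replaced with your own DMZ, guest, OT and VPN ranges; the dynamic RPC range has not been customised on your DCs; Windows Firewall's rule evaluation, in which Block rules win over Allow rules, is what lets this work without editing the built-in AD DS allow rules. Run it on each DC, through Invoke-Command, or turn the resulting rule into a GPO.

```powershell
# Added example: interim block of Netlogon/RPC ports from untrusted segments on a DC.
# Not from the advisory or Microsoft. Segment ranges below are constructed placeholders.
param(
    [string[]]$UntrustedSegments = @('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24'),  # placeholders: DMZ, guest, VPN pool
    [string]$RuleName = 'CVE-2026-41089 interim: block Netlogon/RPC from untrusted segments',
    [switch]$Remove   # -Remove rolls the rule back once the DC is patched and rebooted
)

# Endpoint mapper, SMB named pipes, and the default dynamic RPC range (Windows Vista and later).
# If your DCs use a customised dynamic range, change the last entry accordingly.
$Ports = @('135', '445', '49152-65535')

$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

if ($Remove) {
    if ($existing) {
        Remove-NetFirewallRule -DisplayName $RuleName
        Write-Host "Removed rule '$RuleName'."
    }
    return
}

if ($existing) {
    # Idempotent: re-running updates the scope instead of stacking duplicate rules
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $UntrustedSegments -Enabled True
} else {
    # Block wins over Allow in Windows Firewall, so the built-in "Active Directory Domain
    # Services" allow rules stay untouched and trusted subnets keep working.
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Interim mitigation until the May 2026 cumulative update is installed and the DC rebooted' `
        -Direction Inbound -Action Block -Enabled True `
        -Profile Domain, Private, Public `
        -Protocol TCP -LocalPort $Ports `
        -RemoteAddress $UntrustedSegments | Out-Null
}

# Print the effective scope so the change record can quote exactly what was applied
$rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Rule    = $rule.DisplayName
    Enabled = $rule.Enabled
    Action  = $rule.Action
    Ports   = (($rule | Get-NetFirewallPortFilter).LocalPort) -join ','
    Remote  = (($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
} | Format-List
```

Test the rule from a host in one of the blocked segments (a failed SMB or RPC connect to the DC) and from a trusted subnet (a normal domain logon still works) before recording the mitigation as in place; remove it with -Remove only after the patch inventory below shows the DC patched and rebooted.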
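The inventory, patch verification and replication check that the checklist calls for, as one added example covering the first and the post-patch item (not code from the advisory or Microsoft). Assumptions: the ActiveDirectory module and WinRM access to every DC are available from the management host; the KB number of the May 2026 cumulative update is supplied by the operator in $RequiredKb, which is a placeholder parameter and not an identifier taken from the advisory; Get-HotFix reports install dates at day granularity, so the "rebooted after install" column is a heuristic that your deployment tool's pending-reboot state should confirm.

```powershell
# Added example: forest-wide DC inventory, patch verification and replication health.
# Not from the advisory or Microsoft. $RequiredKb is an operator-supplied placeholder.
param(
    [Parameter(Mandatory)][string]$RequiredKb,   # KB id of the May 2026 cumulative update, e.g. as shown on a patched DC
    [string]$ReportPath = ".\dc-patch-status-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)

# 1. Every DC in every domain of the forest, RODCs included
$forest = Get-ADForest
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, Domain, Site, IsReadOnly, OperatingSystem, IPv4Address
}

# 2. Ask each DC whether the update is installed and whether it has rebooted since.
#    A DC that installed the update but never rebooted is still running the old Netlogon.
$status = foreach ($dc in $dcs) {
    $remote = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        $hf = Get-HotFix -Id $using:RequiredKb -ErrorAction SilentlyContinue
        $os = Get-CimInstance Win32_OperatingSystem
        [pscustomobject]@{
            Installed   = [bool]$hf
            InstalledOn = $hf.InstalledOn
            LastBoot    = $os.LastBootUpTime
            Build       = $os.BuildNumber
        }
    }
    [pscustomobject]@{
        HostName      = $dc.HostName
        Domain        = $dc.Domain
        Site          = $dc.Site
        ReadOnly      = $dc.IsReadOnly
        OS            = $dc.OperatingSystem
        Reachable     = [bool]$remote
        Patched       = if ($remote) { $remote.Installed } else { $null }
        InstalledOn   = $remote.InstalledOn
        LastBoot      = $remote.LastBoot
        # Heuristic: InstalledOn carries no time of day, so same-day install+reboot needs confirming
        RebootedAfter = if ($remote -and $remote.Installed) { $remote.LastBoot -gt $remote.InstalledOn } else { $null }
    }
}

$status | Export-Csv -NoTypeInformation -Path $ReportPath
$status | Format-Table -AutoSize

# 3. The window closes only when every DC is patched and rebooted. An unreachable DC is
#    unknown, not done: treat it as unpatched until confirmed by hand.
$open = @($status | Where-Object { -not $_.Reachable -or -not $_.Patched -or -not $_.RebootedAfter })
if ($open.Count -gt 0) {
    Write-Warning ("{0} of {1} DCs not confirmed patched and rebooted: {2}" -f $open.Count, @($status).Count, ($open.HostName -join ', '))
} else {
    Write-Host "All $(@($status).Count) DCs report $RequiredKb installed and have rebooted since."
}

# 4. Replication health for every partner link. A DC that cannot replicate may also have
#    missed the update via WSUS/SCCM and will diverge from the rest of the domain.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
        Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationResult -ne 0 } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}
```

Run it once before the window to confirm the inventory is complete (every site, every RODC, the expected count), and again at the end: the CSV from the second run, showing every DC patched and rebooted and no replication failures, is the artefact the change board and the FINMA remediation record both need.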
CVE-2026-41089 will not be the last high-severity Netlogon or Active Directory vulnerability. The 2020s have produced a steady cadence of domain controller-targeting flaws — Zerologon, PrintNightmare, noPac — each with progressively shorter exploitation timelines. Swiss IT and security organisations that still operate on 30-day patch cycles for domain controllers are structurally misaligned with a threat environment where weaponised PoCs appear within days of disclosure. This vulnerability is an opportunity to recalibrate patching SLAs for crown-jewel infrastructure and to build the change management muscle needed to execute emergency single-window operations when the next domain-ending CVE arrives.