Attackers are currently exploiting a critical vulnerability in the Netlogon code of Windows Server, enabling unauthorized access to networks. According to the Belgian Cybersecurity Authority (CCB), a specially crafted packet sent to the domain controller suffices for an attack. System administrators are urged to verify that the patches released by Microsoft in May are installed on their systems.
The vulnerability, identified as CVE-2026-41089, is characterized as a stack-based buffer overflow, which can be triggered through a prepared packet targeting the domain controller. A proof-of-concept exploit circulating on GitHub demonstrates that the overflow occurs within the username parameter of an LDAP packet (CLDAP Locator Ping) transmitted via UDP. While the PoC primarily causes the LSASS service to crash, Microsoft warns that code injection may also be feasible, justifying the critical CVSS score of 9.8.
Urgent Action Required
All supported versions of Windows Server, including the latest Windows Server 2025, are at risk. Organizations that have not yet installed the critical updates released on May 12 should do so immediately and should also inspect their logs for any signs of unauthorized access. According to the PoC author, examining system logs for CLDAP requests with unusually long "User" attributes or monitoring for LSASS crashes (Event ID 1000) can help identify potential breaches.
These security issues and the associated responses from Microsoft are subjects of intense scrutiny within the IT security community, particularly in light of recent incidents surrounding another researcher known as "Chaotic Eclipse."
For further details, see the official advisory from the Belgian Cybersecurity Authority and Microsoft’s update guide.