
CVE-2026-41089: Windows Netlogon Critical RCE — Detection and Remediation Guide

Security Arsenal Team
May 13, 2026
7 min read

Introduction

Microsoft's May 2026 Patch Tuesday addresses a total of 137 vulnerabilities, but one stands out as a critical priority for every defender managing an Active Directory environment. CVE-2026-41089 is a remote code execution (RCE) vulnerability in the Windows Netlogon service, carrying a CVSS v3 base score of 9.8.

While Microsoft reports no active exploitation in the wild at this time, the severity of this flaw—specifically its potential to grant an attacker SYSTEM privileges on a Domain Controller—cannot be overstated. Successful exploitation of this stack-based buffer overflow provides the "keys to the kingdom," allowing an adversary to completely compromise the identity infrastructure of an organization. This post provides the technical breakdown, detection mechanics, and remediation steps necessary to secure your environment.

Technical Analysis

CVE-2026-41089 is a stack-based buffer overflow vulnerability located within the Windows Netlogon service (netlogon.dll). Netlogon is a core Authentication Service component that maintains the secure channel (Schannel) between domain-joined computers and Domain Controllers (DCs) for user authentication.

  • Affected Component: netlogon.dll (running within the context of the Local Security Authority Subsystem Service - LSASS).
  • Affected Platforms: Windows Server 2012 and later (Domain Controllers).
  • CVSS Score: 9.8 (Critical).
  • Attack Vector: Network.

The Mechanism of Compromise

From a defender's perspective, the vulnerability arises from improper handling of specific RPC calls made to the Netlogon service. An unauthenticated attacker on the local network can send specially crafted RPC requests to a Domain Controller.

Due to the lack of proper bounds checking in the vulnerable code segment, the data contained in the request can overflow the stack buffer allocated for the operation. This overflow overwrites the return address on the stack, allowing the attacker to redirect the execution flow to arbitrary code (shellcode) provided in the malicious packet.

Impact: Because the Netlogon service runs as SYSTEM (or effectively within lsass.exe which has SYSTEM privileges), any code executed via this exploit inherits those permissions. This allows the attacker to:

  1. Install malicious services or persistence mechanisms.
  2. Dump the NTDS.dit database (all credential hashes).
  3. Create Golden Tickets (Kerberos Ticket Granting Tickets) for total domain persistence.

Exploitation Status: There are currently no confirmed reports of active exploitation or public proof-of-concept (PoC) code. However, given the high value of Domain Controllers and the nature of the bug, reverse engineering of the patch is likely imminent. Defenders must treat this as a "wormable"-level threat.

Detection & Response

Detecting exploitation of CVE-2026-41089 requires monitoring for the effects of the code execution, as the overflow itself occurs in memory without leaving disk traces initially. The following rules and queries focus on detecting abnormal process execution patterns resulting from Netlogon exploitation and service instability.

SIGMA Rules

YAML
---
title: Suspicious Process Spawned by Lsass (Netlogon Context)
id: 8a5f2c11-1d2e-4f3a-9b8c-1d2f3b4c5d6e
status: experimental
description: Detects potential exploitation of a Netlogon RCE vulnerability by monitoring for suspicious child processes spawned by lsass.exe, which hosts the Netlogon service.
references:
  - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/05/13
tags:
  - attack.privilege_escalation
  - attack.t1055
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\lsass.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  # Do not add a filter on User 'NT AUTHORITY\SYSTEM': every child of lsass.exe runs as SYSTEM,
  # so such a filter would suppress exactly the events this rule exists to catch. Add a filter
  # for specific authorised tooling only if it is actually observed spawning these images.
  condition: selection
falsepositives:
  - Legitimate debugging by authorized administrators (rare)
level: critical
---
title: Netlogon Service Crash or Unexpected Stop
id: 9b6a3d22-2e3f-4a4a-0c9d-2e3a4c5d6e7f
status: experimental
description: Detects unexpected termination or restart of the Netlogon service, which may indicate a failed exploit attempt or buffer overflow crash.
references:
  - https://support.microsoft.com/en-us/topic/overview-of-netlogon-service-4e7c9367-6c8a-4b8e-8c3e-1d3f4b5c6d7e
author: Security Arsenal
date: 2026/05/13
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7031 # Service Control Manager: service terminated unexpectedly
    Provider_Name: 'Service Control Manager'
    param1: 'Netlogon' # in event 7031, param1 carries the name of the terminated service
  condition: selection
falsepositives:
  - Rare service instability due to network failures
level: high
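As an added example (not code from the original post or from Security Arsenal), the following Python applies the logic of the two Sigma rules above to constructed sample events and then correlates the two signals per host, which the individual rules do not do on their own; the event field layout and host names are assumptions.

```python
# Added example: logic of the two Sigma rules above over constructed events, plus per-host correlation.
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe")

# Constructed sample events (assumed layout): process_creation uses ParentImage/Image, the System log uses EventID/Provider_Name/param1.
SAMPLE_EVENTS = [
    {"category": "process_creation", "Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\lsass.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"category": "process_creation", "Computer": "WS07", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"category": "process_creation", "Computer": "DC02", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\lsass.exe", "Image": "C:\\Windows\\System32\\msiexec.exe"},
    {"category": "system", "Computer": "DC01", "EventID": 7031,
     "Provider_Name": "Service Control Manager", "param1": "Netlogon"},
    {"category": "system", "Computer": "DC02", "EventID": 7031,
     "Provider_Name": "Service Control Manager", "param1": "Print Spooler"},
]

def lsass_spawned_shell(ev):
    """Rule 1: a shell or script host whose parent process is lsass.exe."""
    return (ev.get("category") == "process_creation"
            and ev.get("ParentImage", "").lower().endswith("\\lsass.exe")
            and ev.get("Image", "").lower().endswith(SHELLS))

def netlogon_crashed(ev):
    """Rule 2: SCM event 7031 (service terminated unexpectedly) naming Netlogon."""
    return (ev.get("category") == "system"
            and ev.get("EventID") == 7031
            and ev.get("Provider_Name") == "Service Control Manager"
            and "netlogon" in str(ev.get("param1", "")).lower())

def evaluate(events):
    """Return (rule_name, Computer) for every matching event, in input order."""
    hits = []
    for ev in events:
        if lsass_spawned_shell(ev):
            hits.append(("lsass_spawned_shell", ev["Computer"]))
        if netlogon_crashed(ev):
            hits.append(("netlogon_crashed", ev["Computer"]))
    return hits

def correlate(events):
    """Hosts on which both signals fired: a Netlogon crash and an lsass.exe child shell."""
    by_host = {}
    for rule, host in evaluate(events):
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) == 2)

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS), "both signals on:", correlate(SAMPLE_EVENTS))
```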

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious child processes spawned by lsass.exe (Netlogon context)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "lsass.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName, SHA256
| order by Timestamp desc

// Check for Netlogon service crashes (Event ID 7031); the Event table uses TimeGenerated, not Timestamp
Event
| where TimeGenerated > ago(7d)
| where Source == "Service Control Manager" and EventID == 7031
| where RenderedDescription contains "Netlogon"
| project TimeGenerated, Computer, RenderedDescription, EventData
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for shells or script hosts whose parent is lsass.exe, which may indicate successful RCE.
-- The lsass PIDs are materialized first so their Pid column can be used as a list in the WHERE clause.
LET lsass <= SELECT Pid FROM pslist() WHERE Name = "lsass.exe"

SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Ppid IN lsass.Pid
  AND Name IN ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")

-- Check Netlogon service state and binary path
SELECT Name, State, Pid, PathName
FROM services()
WHERE Name = "Netlogon"

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Audit and Remediation Script for CVE-2026-41089 (May 2026 Patch Tuesday)
.DESCRIPTION
    This script checks for the installation of the May 2026 security updates
    relevant to CVE-2026-41089 and verifies the Netlogon service status.
#>

# The May 2026 KB numbers are not embedded here; consult the Microsoft Security Update Guide for
# CVE-2026-41089 and compare the netlogon.dll version printed below with the build listed in the KB.
# This script checks for updates installed after the Patch Tuesday release date.
$PatchTuesdayDate = Get-Date "2026-05-12"

Write-Host "[+] Checking for patches installed after May 2026 Patch Tuesday..." -ForegroundColor Cyan

try {
    $Hotfixes = Get-HotFix | Where-Object { $_.InstalledOn -gt $PatchTuesdayDate }

    if ($Hotfixes) {
        Write-Host "[+] Found recent security updates:" -ForegroundColor Green
        $Hotfixes | Format-Table HotFixID, InstalledOn, Description -AutoSize
    } else {
        Write-Host "[!] No patches found installed after $PatchTuesdayDate." -ForegroundColor Red
        Write-Host "[!] Please ensure the May 2026 Cumulative Update is applied immediately." -ForegroundColor Red
    }
} catch {
    Write-Host "[!] Error retrieving hotfix information: $_" -ForegroundColor Red
}

# Report the installed netlogon.dll version so it can be compared with the fixed build in the KB article
Write-Host "`n[+] Installed netlogon.dll version:" -ForegroundColor Cyan
$NetlogonDll = Join-Path $env:SystemRoot "System32\netlogon.dll"
if (Test-Path $NetlogonDll) {
    (Get-Item $NetlogonDll).VersionInfo | Select-Object FileName, FileVersion, ProductVersion | Format-List
} else {
    Write-Host "[!] WARNING: $NetlogonDll not found." -ForegroundColor Red
}

# Verify Netlogon Service State (PowerShell newlines are `n, not \n)
Write-Host "`n[+] Verifying Netlogon Service State..." -ForegroundColor Cyan
$Netlogon = Get-Service -Name Netlogon -ErrorAction SilentlyContinue

if ($Netlogon) {
    Write-Host "Status: $($Netlogon.Status)"
    Write-Host "StartType: $($Netlogon.StartType)"

    if ($Netlogon.Status -ne 'Running') {
        Write-Host "[!] WARNING: Netlogon service is not running." -ForegroundColor Yellow
    }
} else {
    Write-Host "[!] WARNING: Could not query Netlogon service." -ForegroundColor Red
}

# Check for unusual lsass.exe child processes (immediate check); Get-CimInstance replaces the deprecated Get-WmiObject
Write-Host "`n[+] Checking for suspicious child processes of lsass.exe..." -ForegroundColor Cyan
$lsass = Get-CimInstance Win32_Process -Filter "Name='lsass.exe'"
if ($lsass) {
    $lsassIds = @($lsass.ProcessId)
    $children = Get-CimInstance Win32_Process | Where-Object { $lsassIds -contains $_.ParentProcessId }
    if ($children) {
        Write-Host "[!] ALERT: Found child processes spawned by lsass.exe:" -ForegroundColor Red
        $children | Select-Object Name, ProcessId, CommandLine | Format-Table -AutoSize
    } else {
        Write-Host "[+] No suspicious child processes detected." -ForegroundColor Green
    }
} else {
    Write-Host "[!] WARNING: Could not find the lsass.exe process." -ForegroundColor Red
}

Remediation

  1. Patch Immediately: Apply the May 2026 cumulative security updates to all Domain Controllers immediately. This is the only complete mitigation for this vulnerability.
  2. Vendor Advisory: Refer to the official Microsoft Security Update Guide for CVE-2026-41089 for specific KB articles relevant to your Server version (2012, 2016, 2019, 2022).
  3. Verify Patching: Use the PowerShell script above to confirm the patch installation date and validate file versions of netlogon.dll.
  4. Service Review: Monitor the Netlogon service for unexpected restarts in the days following patching to ensure stability.
  5. Network Segmentation: While patching is underway, ensure that critical management ports (TCP 445, RPC endpoints) are not exposed to untrusted networks, though blocking 445 internally is often not feasible for DC functionality.
