{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2026-007.pdf"
    },
    "title": "Critical Vulnerability in Windows Netlogon",
    "serial_number": "2026-007",
    "publish_date": "10-06-2026 06:47:08",
    "description": "On 12 May 2026, Microsoft published a security advisory addressing a critical vulnerability affecting Windows Server when acting as a domain controller. This vulnerability allows an unauthenticated attacker to execute arbitrary code over a network.<br>\nAccording to the Centre for Cybersecurity Belgium (CCB), this vulnerability is currently being exploited by threat actors. It is strongly recommended to update affected Windows servers as soon as possible. <br>\n",
    "url_title": "2026-007",
    "content_markdown": "---    \ntitle: 'Critical Vulnerability in\u00a0Windows\u00a0Netlogon'\nnumber: '2026-007'\nversion: '1.0'\noriginal_date: '2026-06-02'\ndate: '2026-05-10'\n---\n\n_History:_\n\n* _10/06/2026 --- v1.0 -- Initial publication_\n\n# Summary \n\nOn 12 May 2026, Microsoft published a security advisory addressing a critical vulnerability affecting Windows Server when acting as a domain controller [1]. This vulnerability allows an unauthenticated attacker to execute arbitrary code over a network.\n\nAccording to the Centre for Cybersecurity Belgium (CCB), this vulnerability is currently being exploited by threat actors [2]. It is strongly recommended to update affected Windows servers as soon as possible. \n\n# Technical Details\n\nThe vulnerability **CVE-2026-41089**, with a CVSS score of 9.8, is a stack-based buffer overflow in Windows Netlogon [1].\n\nAn unauthenticated attacker could execute arbitrary code with SYSTEM privileges on targeted domain controllers by sending specially crafted packets [3].\n\n# Affected Products\n\nThe following Windows Server versions are affected:\n\n* Windows Server 2012 / 2012 R2\n* Windows Server 2016 (prior to 10.0.14393.9140)\n* Windows Server 2019 (prior to 10.0.17763.8755)\n* Windows Server 2022 (prior to 10.0.20348.5074)\n* Windows Server 2022 23H2 (prior to 10.0.25398.2330)\n* Windows Server 2025 (prior to 10.0.26100.32772)\n\nAdditional information is available in the vendor\u2019s advisory [1].\n\n# Recommendations\n\nIt is recommended to update affected Windows Server assets as soon as possible.\n\n# References\n \n[1] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089>\n\n[2] <https://ccb.belgium.be/advisories/warning-microsoft-patch-tuesday-may-2026-patches-118-vulnerabilities-16-critical-102#:~:text=It%20is%20now%20actively%20exploited%20in%20the%20wild>\n\n[3] 
<https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>10/06/2026 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 12 May 2026, Microsoft published a security advisory addressing a critical vulnerability affecting Windows Server when acting as a domain controller [1]. This vulnerability allows an unauthenticated attacker to execute arbitrary code over a network.</p><p>According to the Centre for Cybersecurity Belgium (CCB), this vulnerability is currently being exploited by threat actors [2]. It is strongly recommended to update affected Windows servers as soon as possible. </p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2026-41089</strong>, with a CVSS score of 9.8, is a stack-based buffer overflow in Windows Netlogon [1].</p><p>An unauthenticated attacker could execute arbitrary code with SYSTEM privileges on targeted domain controllers by sending specially crafted packets [3].</p><h2 id=\"affected-products\">Affected Products</h2><p>The following Windows Server versions are affected:</p><ul><li>Windows Server 2012 / 2012 R2</li><li>Windows Server 2016 (prior to 10.0.14393.9140)</li><li>Windows Server 2019 (prior to 10.0.17763.8755)</li><li>Windows Server 2022 (prior to 10.0.20348.5074)</li><li>Windows Server 2022 23H2 (prior to 10.0.25398.2330)</li><li>Windows Server 2025 (prior to 10.0.26100.32772)</li></ul><p>Additional information is available in the vendor\u2019s advisory [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update affected Windows Server assets as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" 
href=\"https://ccb.belgium.be/advisories/warning-microsoft-patch-tuesday-may-2026-patches-118-vulnerabilities-16-critical-102#:~:text=It%20is%20now%20actively%20exploited%20in%20the%20wild\">https://ccb.belgium.be/advisories/warning-microsoft-patch-tuesday-may-2026-patches-118-vulnerabilities-16-critical-102#:~:text=It%20is%20now%20actively%20exploited%20in%20the%20wild</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/\">https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}