Microsoft’s May 2026 Patch Tuesday brought a stark reminder that network topology matters as much as patch speed. Among the 60+ vulnerabilities fixed this month, CVE-2026-41089 stands out: a critical remote code execution (RCE) bug in the Netlogon protocol that can give an unauthenticated attacker full control of a domain controller. The advisory’s primary directive is unusual: do not simply patch all domain controllers as fast as possible; instead, prioritize based on reachability. Specifically, Microsoft warns: “Patch CVE-2026-41089 first on any domain controller that is reachable from outside the tightly controlled server networks you trust: internet-facing paths, partner routes, broad VPN pools, lab networks.”
This targeted advice signals that the vulnerability is trivially exploitable from remote, uncredentialed contexts, but only if the attacker can send malicious packets to the domain controller. For many organizations, that excludes internal-only DCs but leaves a disturbing number exposed.
What is CVE-2026-41089?
CVE-2026-41089 is a memory corruption vulnerability in the Netlogon Remote Protocol (MS-NRPC) that allows an attacker to execute arbitrary code on the domain controller without authentication. Unlike the infamous Zerologon (CVE-2020-1472), which allowed privilege escalation to domain admin, this flaw directly leads to code execution with SYSTEM privileges. The CVSS v3.1 score is 9.8 (Critical), with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. That means a network attack vector, low attack complexity, no privileges required, and no user interaction. In short, a worst-case scenario.
Microsoft has confirmed that all supported versions of Windows Server with the Active Directory Domain Services role are affected. This includes:
- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
Domain controllers running on Server Core are equally vulnerable. The flaw resides in the cryptographic handshake mechanism of Netlogon; an attacker can send specially crafted Netlogon messages to the DC and trigger heap corruption, leading to remote code execution as the Local System account.
Why Reachability Matters More Than Standard Patching Order
The typical enterprise patching cadence often starts with test systems, then moves to production in waves, prioritizing based on business criticality. But CVE-2026-41089 flips that logic. Because the attack vector is exclusively network-based, a domain controller that cannot be reached by an attacker is effectively invulnerable—even if unpatched—as long as network isolation remains intact. Conversely, a domain controller that is reachable via any untrusted network path is a ticking time bomb.
Microsoft’s advisory explicitly enumerates the dangerous exposure types:
- Internet-facing paths: Any DC with a public IP address or one-to-one NAT, or with ports 135, 445, or 49664-49668 (RPC) open from the internet.
- Partner routes: Connections to business partners, vendors, or contractors that might extend the corporate network into less-controlled environments.
- Broad VPN pools: VPN termination points that assign remote users to the same subnet as domain controllers, or that allow full network-layer access to DCs.
- Lab networks: Research or development environments that have connectivity to production domain controllers, either routable or via trust relationships.
In each case, the common thread is that an attacker outside your tightly managed server network—the set of networks you trust and rigorously protect—can send packets directly to the DC’s Netlogon interface. If you have any doubt about whether a domain controller is reachable from untrusted networks, err on the side of patching it immediately.
Immediate Steps: Identify Exposed Domain Controllers
Before deploying the patch, you must map your domain controller exposure. Use both active scans and network documentation reviews:
- Run a port scan from external vantage points (or from partner networks, VPN pools) against your DCs’ IP addresses, checking for open Netlogon-adjacent ports: TCP 135, TCP/UDP 445, TCP 139, and TCP dynamic RPC ports. Tools like Nmap or Masscan can help.
- Audit firewall and router ACLs to confirm which source IP ranges and zones are permitted to connect to these ports.
- Review VPN configurations: Check whether VPN clients are assigned IPs in segments that can route to domain controllers without firewall restrictions.
- Inspect Active Directory sites and services to see if any DCs have IP addresses in public or semi-public subnets.
- Consider trust relationships: A domain controller in your forest that is accessible from another forest or domain via external trust might be reachable by an attacker who has compromised that external domain.
Document every domain controller that shows exposure. This list is your immediate-patch list.
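The reachability check above, as an added PowerShell example that is not part of Microsoft's advisory: run it from each vantage point the article names (an external host, a partner link, a VPN client, a lab segment) and it probes every DC on the Netlogon-adjacent TCP ports and prints which ones belong on the immediate-patch list. The DC names are constructed samples; the function and variable names are this example's own.

```powershell
# Added example, not from Microsoft's advisory. $DomainControllers holds constructed
# sample names; on a domain-joined host with RSAT you could populate it with
# (Get-ADDomainController -Filter *).HostName instead.
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')

# RPC endpoint mapper, NetBIOS session, SMB, and the dynamic RPC range from the advisory.
# UDP 445 is not probed: a TCP connect says nothing about UDP reachability.
$NetlogonPorts = @(135, 139, 445) + (49664..49668)

function Get-ExposedDomainControllers {
    param(
        [Parameter(Mandatory)] [string[]] $Hosts,
        [int[]] $Ports = $NetlogonPorts,
        [int] $TimeoutMs = 2000
    )
    foreach ($h in $Hosts) {
        $open = @()
        foreach ($p in $Ports) {
            # Raw TcpClient connect with a timeout; Test-NetConnection has no timeout
            # parameter and is too slow for a sweep across many DCs and ports.
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                $async = $client.BeginConnect($h, $p, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                    $open += $p
                }
            } catch {
                # unresolvable name: treat every port as closed from this vantage point
            } finally {
                $client.Close()
            }
        }
        # Any Netlogon-adjacent port reachable from this vantage point puts the DC in Phase 1;
        # a DC that is closed here may still be open from another vantage point, so repeat the sweep.
        $phase = if ($open.Count -gt 0) { 'Phase 1 (hours)' } else { 'Phase 2 (48h)' }
        [pscustomobject]@{
            DomainController  = $h
            OpenNetlogonPorts = ($open -join ',')
            PatchPhase        = $phase
        }
    }
}

Get-ExposedDomainControllers -Hosts $DomainControllers | Sort-Object PatchPhase | Format-Table -AutoSize
```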
Patch Deployment Order
Microsoft recommends the following sequence for CVE-2026-41089:
- Phase 1 (Hours, not days): Patch all domain controllers that are reachable from non-trusted networks. Do not wait for a regular maintenance window; treat it as a critical break-fix change. These DCs are under active risk of exploitation.
- Phase 2 (Within 48 hours): Patch all remaining domain controllers, even those on isolated segments. While internal-only DCs are not directly exploitable from the internet, a pivot from a compromised internal endpoint could still target them. Also, applying the patch ensures the domain is uniformly protected against future network misconfigurations.
- Phase 3 (Ongoing): Monitor for exploitation attempts using detection rules provided by Microsoft (see below).
- Phase 4: Once all DCs are patched, consider enabling enforcement mode if applicable. (Note: For CVE-2026-41089, the patch fixes the code execution entirely; no post-patch enforcement steps like those needed for CVE-2020-1472 are required.)
Workarounds and Mitigations for Unpatchable Systems
If you cannot immediately patch an exposed domain controller—for instance, due to compatibility concerns or change freeze—apply these compensating controls:
- Block Netlogon-necessary ports at the perimeter firewall: Deny inbound TCP ports 135, 139, 445, and 49664-49668 from all untrusted sources. This is the most effective pre-patch mitigation. If you must maintain file-sharing or remote management, restrict those ports to specific trusted IP ranges.
- Use Windows Firewall to restrict the RPC dynamic range on the DC itself: create inbound rules that allow Netlogon RPC only from trusted subnets and deny it from everything else, for example by blocking 49664-49668 from untrusted networks:

```powershell
# Block rules take precedence over allow rules in Windows Firewall and -RemoteAddress
# cannot be negated, so the untrusted source ranges are listed explicitly. The two ranges
# below are the original's example values; substitute your VPN pools, partner routes and
# lab segments, and scope any allow rules for the same ports to your management subnets.
New-NetFirewallRule -DisplayName "Block RPC from Untrusted" -Direction Inbound `
    -Protocol TCP -LocalPort 49664-49668 -RemoteAddress 192.168.0.0/16,10.0.0.0/8 -Action Block
```

- Enforce Netlogon RPC signing and sealing: Some older clients may not support sealing, but if you can, enforce RPC signing and sealing to increase attack complexity. This does not fully mitigate the flaw but may block some exploit variants.
- Enable RPC packet-level authentication: Via Group Policy, set “Network security: Restrict NTLM: Incoming NTLM traffic” and similar policies to limit Netlogon’s exposure.
- Isolate domain controllers to a dedicated management VLAN: Ensure that only management workstations and required servers can communicate with DCs on relevant ports.
These workarounds are not permanent fixes; they merely buy time. Apply the patch as soon as feasible.
Detection and Response
Microsoft Defender for Identity and Microsoft 365 Defender have detection capabilities for exploitation of CVE-2026-41089. Enable the following alerts:
- Suspicious Netlogon protocol behavior
- RPC anomaly detection
- Account enumeration patterns from non-domain-joined machines
On domain controllers, look for event IDs 5827 and 5828 in the System log, which indicate Netlogon session denials or unusual handshake failures. Also, monitor for unexpected LSASS.exe crashes, which might indicate failed exploit attempts.
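The event-log checks described above, as an added PowerShell example that is not part of Microsoft's advisory: it pulls Netlogon events 5827/5828 from the System log and LSASS crashes from one DC for a given lookback window. Taking LSASS crashes from Application Error event 1000 (Windows' generic process-crash record) is this example's assumption; the function name is its own.

```powershell
# Added example, not from Microsoft's advisory.
function Get-NetlogonExploitIndicators {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int] $LookbackHours = 24
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # 5827/5828: Netlogon denied or failed a secure-channel handshake. The peer's
    # machine or trust account name in the message is the pivot for triage.
    $denials = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 5827, 5828; StartTime = $since
    } | Where-Object { $_.ProviderName -match 'netlogon' }

    # Netlogon runs inside lsass.exe on a DC, so a crash there during the exposure
    # window may be a failed exploit attempt rather than ordinary instability.
    # Event 1000 from "Application Error" is assumed here as the crash record.
    $crashes = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } | Where-Object { $_.Message -match 'lsass\.exe' }

    $events = @()
    if ($denials) { $events += @($denials) }
    if ($crashes) { $events += @($crashes) }

    foreach ($e in $events) {
        $kind = if ($e.Id -eq 1000) { 'LSASS crash' } else { 'Netlogon denial' }
        [pscustomobject]@{
            Computer  = $ComputerName
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Indicator = $kind
            Detail    = ($e.Message -split "`r?`n")[0]   # first line of the message text
        }
    }
}

# Sweep the last three days on this DC; for a fleet, loop over your DC list with -ComputerName.
Get-NetlogonExploitIndicators -LookbackHours 72 | Sort-Object Time | Format-Table -AutoSize
```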
If you suspect exploitation has already occurred, investigate for signs of persistence: new domain admin accounts, scheduled tasks, or suspicious services. Because the attacker gains SYSTEM context, they can create a golden ticket or dump the NTDS.dit database.
Background: Netlogon’s Growing Attack Surface
The Netlogon protocol has been a security sinkhole in recent years. After Zerologon forced Microsoft to roll out domain controller enforcement, researchers have heavily scrutinized the protocol’s cryptographic underpinnings. CVE-2026-41089 appears to be another flaw in the protocol’s parsing logic, unrelated to the cryptographic bypass used in 2020. It underscores the fact that protocols designed in the 1990s for trusted LANs are dangerously brittle when exposed to modern network boundaries.
Microsoft has not detailed the exact technical root cause, but the advisory categorizes it as a “heap-based buffer overflow” in the Netlogon function that processes authentication tokens. This suggests that simply fuzzing the protocol’s messages can yield crashes, and researchers likely discovered a way to turn that into arbitrary code execution.
Broader Implications for Domain Controller Security
CVE-2026-41089 is a wake-up call to reassess domain controller network hardening. Best practices have always recommended keeping DCs on isolated subnets with strict firewall rules, but many organizations have grown lax over time, especially with cloud migrations and hybrid identities. If any domain controller is reachable via SSH, RDP, or even ICMP from an untrusted network, chances are Netlogon ports are also exposed.
After patching, use this opportunity to:
- Implement micro-segmentation around domain controllers.
- Deploy a jump box solution for administrative tasks so that no direct RDP or SMB connections from user subnets are needed.
- Regularly audit firewall rules that affect DCs.
- Adopt continuous vulnerability scanning that highlights exposed domain controllers.
The Road Ahead
Microsoft has indicated that no exploit code has been publicly released yet, but the nature of the vulnerability makes reliable exploitation likely. Security researchers hope that by highlighting the reachability-first patching strategy, Microsoft is hinting that exploits may be easier than usual to develop. In any case, the window before active scanning begins is short—often measured in hours, not days, after Patch Tuesday.
For domain administrators, the message is clear: stop your regular patch cycle and triage all domain controllers now. Identify every DC that can be reached from outside your trusted server enclave, and patch those first. The unusual guidance reflects a vulnerability that turns ordinary network reachability into an immediate system compromise.
If you haven’t already, download the update from the Microsoft Update Catalog or Windows Server Update Services, grab a coffee, and start with your internet-facing domain controllers. Then burn the rest of the list before the end of the week. Your Active Directory forest depends on it.