Code execution possible: critical vulnerability in Windows Server exploited
Microsoft's large May patch batch fixed the vulnerability in Windows Netlogon; now attackers are exploiting it. Admins should patch urgently.
Attackers are exploiting a critical security vulnerability in the Netlogon code of Windows Server to break into networks, the Belgian cybersecurity authority CCB reports. Apparently, a manipulated packet sent to the domain controller is sufficient for the attack. System administrators should check as quickly as possible whether the patches Microsoft provided in May are installed on their systems.
The security vulnerability, tracked as CVE-2026-41089, is a stack-based buffer overflow that can be triggered with a crafted packet sent to the domain controller. According to a purported proof-of-concept exploit (PoC) circulating on GitHub, the overflow lies in the username parameter of an LDAP packet (the CLDAP locator ping) sent over UDP. Although the PoC only crashes the LSASS service, code injection is also possible according to Microsoft's assessment, which explains the high CVSS score of 9.8 (rated critical).
Patch quickly and search for intruders
The security vulnerability affects all currently supported versions of Windows Server, including the latest edition, Windows Server 2025. Microsoft already provided patches on May 12 -- anyone who has not installed them yet should do so immediately, and then check whether unwanted visitors were already present on the unpatched server. According to the PoC author, admins can search system logs for CLDAP requests with an unusually long "User" attribute or for LSASS crashes with Event ID 1000 (netlogon.dll).
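The two indicators the PoC author names can be checked with a small triage script. The following is an added example written for this article, not code from the PoC or from Microsoft; the event records and CLDAP filters it scans are constructed samples, and the length threshold for the "User" attribute is an assumption, not a value from any advisory.

```python
"""Triage helpers for the two indicators named above:
(1) Application log Event ID 1000 where lsass.exe faulted in netlogon.dll,
(2) decoded CLDAP locator-ping filters with an unusually long User attribute.
All sample records below are constructed for illustration."""
import re
from dataclasses import dataclass

# Event 1000 ("Application Error") messages carry the faulting app and module.
FAULT_RE = re.compile(
    r"Faulting application name:\s*(?P<app>[^,]+),.*?"
    r"Faulting module name:\s*(?P<module>[^,]+),", re.S)
# Locator pings are LDAP searches whose filter includes a (User=...) clause.
USER_RE = re.compile(r"\(User=(?P<value>[^)]*)\)", re.I)

@dataclass
class Finding:
    kind: str
    detail: str

def lsass_netlogon_crashes(events):
    """events: iterable of (event_id, message) pairs exported from the Application log."""
    hits = []
    for event_id, message in events:
        if event_id != 1000:
            continue
        m = FAULT_RE.search(message)
        if not m:
            continue
        app = m.group("app").strip().lower()
        module = m.group("module").strip().lower()
        if app == "lsass.exe" and module == "netlogon.dll":
            hits.append(Finding("lsass_crash", f"{app} faulted in {module}"))
    return hits

def long_user_filters(filters, max_len=64):
    """filters: decoded LDAP filter strings of CLDAP pings (e.g. from a capture export).
    max_len is an assumed threshold; legitimate User values are short host/user names."""
    hits = []
    for f in filters:
        m = USER_RE.search(f)
        if m and len(m.group("value")) > max_len:
            hits.append(Finding("long_user", f"User attribute length {len(m.group('value'))}"))
    return hits

SAMPLE_EVENTS = [  # constructed, shaped like real Event 1000 messages
    (1000, "Faulting application name: lsass.exe, version: 10.0.0.0, time stamp: 0x0\n"
           "Faulting module name: netlogon.dll, version: 10.0.0.0, time stamp: 0x0"),
    (1000, "Faulting application name: notepad.exe, version: 10.0.0.0, time stamp: 0x0\n"
           "Faulting module name: ntdll.dll, version: 10.0.0.0, time stamp: 0x0"),
]
SAMPLE_FILTERS = [  # constructed: one benign ping, one with an oversized User value
    "(&(DnsDomain=corp.example)(Host=WS01)(User=WS01$)(NtVer=\\06\\00\\00\\00))",
    "(&(DnsDomain=corp.example)(Host=WS01)(User=" + "A" * 300 + ")(NtVer=\\06\\00\\00\\00))",
]
```

On a live domain controller the event pairs would come from `Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000}` and the filters from a decoded packet capture of UDP/389 traffic.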
Security vulnerabilities in Microsoft products and their handling by the Redmond software giant are currently the subject of heated debate in the IT security scene. The debate is mainly fueled by Microsoft's handling of the anonymous security researcher who goes by the name "Chaotic Eclipse".
(cku)