There's a scenario that haunts every IT security team: an attacker who needs no password, no insider knowledge, and no prior foothold — just network access and a crafted packet — walking through your front door and instantly owning every server, every account, and every share in your organization. That scenario is no longer theoretical. As of last week, it is happening in the wild.
**What happened**
On May 12, Microsoft quietly patched CVE-2026-41089, a critical vulnerability in Windows Netlogon — the service that underpins authentication across Windows domain environments — as part of its monthly Patch Tuesday release. The company initially classified the flaw as "less likely" to be exploited and assigned it a CVSS score of 9.8.
That assessment aged poorly. On May 29, Belgium's Centre for Cybersecurity (CCB) issued a public alert confirming active exploitation in the wild. Security researchers had already reverse-engineered the patch and published proof-of-concept code. Within days, multiple independent sources reported attempts against real-world domain controllers.
The technical details are sobering. CVE-2026-41089 is a stack-based buffer overflow in the Netlogon service. An attacker can trigger it by sending a single specially crafted network request to a domain controller — no authentication required, no user interaction needed. Successful exploitation grants the attacker remote code execution on the domain controller itself. In a Windows Active Directory environment, that is essentially game over: whoever controls the domain controller controls every user account, every workstation, every server, and every file share in the organization.
The flaw affects Windows Server from Windows Server 2012 through Windows Server 2025, which takes in every version Microsoft still supports. Proof-of-concept exploit code is publicly available.
UT Austin's own security operations team identified approximately 156 systems on campus still showing vulnerability to this flaw as of June 2, with more than 3,700 vulnerable systems identified across the broader UT System.
**Why it matters for Texas institutions**
Domain controllers are the nervous system of virtually every university and state agency IT environment. They manage who can log in, what resources they can reach, and what policies govern their devices. At research universities, domain controllers protect access to research data, grant systems, and sensitive student records. At community colleges and state agencies, they are often the single point of control for the entire organization's digital operations.
A threat actor who achieves remote code execution on a domain controller doesn't just compromise one server — they can create new privileged accounts, disable security monitoring, deploy ransomware across the network, and exfiltrate data at will. Security experts have described CVE-2026-41089 as "a fast path to forest-wide takeover," meaning every system in the Active Directory forest becomes compromised, not just the initial target.
This threat is compounded by the speed at which it escalated. AI-assisted tools are enabling attackers to reverse-engineer patches and develop working exploits faster than ever before. The window between "patch available" and "attackers are using it" has collapsed from weeks to days. For institutions still working through their May Patch Tuesday backlog, that window may already be closed.
**What your institution should do**
Treat this as an emergency patch — not a routine update. CVE-2026-41089 patches should be applied to all domain controllers immediately, ahead of your normal patch cycle. Security experts are emphatic that partial patching is dangerous: apply the fix across all domain controllers in the same maintenance window, because a "half-patched forest" is not a defensible state for a pre-authentication domain controller vulnerability.
Prioritize the May 2026 Patch Tuesday updates on all Windows Servers. The relevant patches are KB5087538 (Windows 10/Server 2019), KB5087545 (Server 2022), KB5087539 (Server 2025), and KB5087537 (Windows 10/Server 2016). These are cumulative updates, so a domain controller that has already taken a later cumulative update carries the fix even though the May KB number will not appear in its installed-update list. If you use legacy Windows Server versions (2008 R2, 2012, 2012 R2) that Microsoft no longer patches, Acros Security's 0patch service has issued micropatches as a temporary mitigation.
Restrict Netlogon traffic at the network layer. While patching is underway, limit which systems can reach your domain controllers over Netlogon. Netlogon is reached over RPC (the endpoint mapper on TCP 135 plus a dynamic high port) and over the \PIPE\NETLOGON named pipe on SMB (TCP 445), so there is no single port to close; the useful control is source-address scoping. Allow those ports to domain controllers only from member subnets, replication and trust partners, and management hosts, and block them from the internet, from guest and wireless segments, and from unmanaged networks. That reduces the attack surface significantly while patches are deployed.
Watch for early exploitation signals. The Netlogon service unexpectedly crashing or restarting (recorded in the System log as Service Control Manager events 7031 and 7034 naming the Netlogon service), unusual authentication failures or domain trust errors, and Netlogon traffic arriving at domain controllers from addresses outside your managed networks or from hosts that are not domain members are all potential signs of active exploitation. If you see these in your environment, escalate immediately.
Verify your patch status across the whole environment — including remote offices, research labs, and departmentally-managed systems. Run a full inventory scan to confirm every domain controller is patched, not just the ones you expect.
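The inventory, crash-signal, and firewall-scoping steps above can be run from one administrative workstation. The following PowerShell is an added example written for this page; it is not RSOC's tooling or Microsoft's. It assumes the ActiveDirectory RSAT module, WinRM access to every domain controller, and that the Windows Firewall predefined rule group on a DC is named "Active Directory Domain Services" (verify with `Get-NetFirewallRule | Group-Object DisplayGroup` before relying on it). The mapping from operating-system name to KB is an illustrative assumption built from the KB list above.

```powershell
# Added example (not from the original advisory). Sweeps every domain controller in the
# forest for the May 2026 update, pulls Service Control Manager events that record the
# Netlogon service terminating unexpectedly, and offers an interim firewall scoping step.
#Requires -Modules ActiveDirectory

# Assumed mapping from OS caption to the KB listed in the advisory.
$KbByOs = @{
    'Windows Server 2016' = 'KB5087537'
    'Windows Server 2019' = 'KB5087538'
    'Windows Server 2022' = 'KB5087545'
    'Windows Server 2025' = 'KB5087539'
}

function Get-NetlogonPatchStatus {
    # Enumerate DCs from the directory itself, across every domain in the forest,
    # so departmental and lab DCs are not missed by a hand-kept list.
    $dcs = (Get-ADForest).Domains | ForEach-Object {
        Get-ADDomainController -Filter * -Server $_
    }

    foreach ($dc in $dcs) {
        $name = $dc.HostName
        $kb = $KbByOs.Keys |
            Where-Object { $dc.OperatingSystem -like "*$_*" } |
            ForEach-Object { $KbByOs[$_] } | Select-Object -First 1

        $build = $null
        $status = if (-not $kb) {
            'UNSUPPORTED-OS'   # 2012 R2 and older: no vendor patch, see the 0patch note above
        } else {
            try {
                $remote = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                    [pscustomobject]@{
                        HasKb = [bool](Get-HotFix -Id $using:kb -ErrorAction SilentlyContinue)
                        Build = "$($cv.CurrentBuild).$($cv.UBR)"
                    }
                }
                $build = $remote.Build
                # Updates are cumulative: a DC that took a later CU will not list the May KB.
                # Treat MISSING as "review the build number", not as proof of exposure.
                if ($remote.HasKb) { 'PATCHED' } else { 'MISSING-OR-SUPERSEDED' }
            } catch { 'UNREACHABLE' }
        }

        [pscustomobject]@{
            DomainController = $name
            Domain           = $dc.Domain
            OS               = $dc.OperatingSystem
            Build            = $build
            ExpectedKB       = $kb
            Status           = $status
        }
    }
}

function Get-NetlogonCrashEvents {
    param([string[]]$ComputerName, [int]$Days = 14)
    foreach ($name in $ComputerName) {
        # 7031/7034 are the Service Control Manager events for a service that terminated
        # unexpectedly; a Netlogon crash is the crudest sign of an exploit attempt that
        # did not land cleanly.
        Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Service Control Manager'
            Id = 7031, 7034; StartTime = (Get-Date).AddDays(-$Days)
        } | Where-Object { $_.Message -match 'Netlogon' } |
          Select-Object @{n = 'DomainController'; e = { $name }}, TimeCreated, Id, Message
    }
}

function Set-DcInboundScope {
    # Interim mitigation while patching, run ON the domain controller: scope the predefined
    # AD DS inbound allow rules (RPC endpoint mapper, RPC dynamic range, SMB 445 carrying
    # \PIPE\NETLOGON, and the other AD DS ports in the same group) to the subnets that
    # legitimately talk to this DC. This is broader than Netlogon alone, and a DC its own
    # clients, trust partners and replication partners cannot reach is also an outage, so
    # confirm $AllowedSubnets is complete and dry-run with -WhatIf first.
    param([Parameter(Mandatory)][string[]]$AllowedSubnets, [switch]$WhatIf)
    Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedSubnets -WhatIf:$WhatIf
}

# Usage: inventory first, then hunt for crash signals on the same set of DCs.
$status = Get-NetlogonPatchStatus
$status | Format-Table -AutoSize
$status | Where-Object Status -ne 'PATCHED' |
    Export-Csv .\netlogon-dcs-needing-review.csv -NoTypeInformation
Get-NetlogonCrashEvents -ComputerName $status.DomainController | Format-Table -AutoSize
# On a DC, after checking the subnet list:  Set-DcInboundScope -AllowedSubnets '10.0.0.0/8' -WhatIf
```

The inventory deliberately reports the OS build alongside the KB check, because a DC that received a later cumulative update will show MISSING-OR-SUPERSEDED yet be fixed; compare its build number against the May baseline for that OS before raising an alarm, and treat UNREACHABLE hosts as unpatched until proven otherwise.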
RSOC is actively monitoring this threat and is available to assist constituent institutions with guidance, threat hunting support, and incident response. Reach out at rsoc.utexas.edu.