CyberBytes Daily

Trending cyberattacks, explained simply.

critical vulnerability

How a single UDP packet to any unpatched domain controller hands attackers the keys to every system in your network

One packet. No password. No phishing link. No insider access. A single message sent over the network to port 389 on an unpatched Windows domain controller is enough to crash the server, reboot it, and, in a more targeted attack, give an adversary complete control of every computer, account, and credential in your organization. That is not a hypothetical. Belgium's national cybersecurity authority confirmed active exploitation on May 29, 2026, seventeen days after Microsoft patched the flaw and initially rated it as "Less Likely" to be exploited.

The vulnerability, tracked as CVE-2026-41089, lives inside Windows Netlogon, the service that handles authentication for every domain-joined computer in a Windows network. The bug is a unit-confusion error: a function that writes strings into a fixed memory buffer counts characters in the wrong unit, causing it to write twice as much data as it thinks it is writing. The result is a stack buffer overflow that corrupts the memory of lsass.exe, the process that holds every credential on the domain controller. Successful exploitation does not just compromise one server. It compromises the entire Active Directory domain and every system joined to it.

The detail that should concern every organization running Windows: a public proof-of-concept crash script was released to GitHub before exploitation began in the wild, and several security firms now report that multiple threat actors are actively using it. Microsoft, as of June 1, 2026, said it had found no evidence to support the exploitation claims. The patch exists. The window between "patch available" and "actively exploited" was seventeen days.

Narrative · 6 min read

The Context

Active Directory is the identity backbone of most enterprise Windows networks. It answers the question "is this person allowed to log in?" for every domain-joined machine. Domain controllers are the servers that run Active Directory. They are Tier 0 assets: if an attacker controls a domain controller, they control the entire network.

Windows Netlogon is the service that lets domain-joined computers locate their domain controllers. When a computer needs to find a domain controller, it sends a discovery ping over CLDAP (Connectionless Lightweight Directory Access Protocol, UDP port 389). The domain controller responds with its name, domain information, and other details. This exchange happens before any authentication. By design, it is open to any computer on the network.

CVE-2026-41089 is a critical flaw in that pre-authentication response handler. Microsoft patched it on May 12, 2026. Seventeen days later, Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation.

The Attack, Phase by Phase

Phase 1: The Vulnerable Component

Every domain controller runs Netlogon, listening on UDP port 389 for CLDAP discovery pings. This is normal traffic. Firewalls inside corporate networks typically allow it freely, because blocking it breaks logins.

The critical detail: Netlogon responds before any authentication takes place. Any machine on the network—or any attacker who has reached the internal network—can send a CLDAP ping with no credentials.

Figure: normal CLDAP discovery flow
  1. Computer needs to log in: sends a CLDAP ping to UDP port 389.
  2. Domain controller receives the ping: no authentication required to receive it.
  3. DC responds with its details: name, domain, and GUIDs serialized into a buffer.
This pre-authentication exchange is the attack surface. Any host on the network can trigger it.

Phase 2: The Bug Mechanics

Inside Netlogon, a function called NlGetLocalPingResponse allocates a 528-byte stack buffer to hold the response. It then calls BuildSamLogonResponse, which calls NetpLogonPutUnicodeString three times to write the server name, domain name, and other fields into that buffer.

The bug is a unit confusion error. NetpLogonPutUnicodeString receives a maximum size in bytes but treats it as a count of wide characters (each two bytes). Every string it writes consumes twice the space the function thinks it is consuming. The 528-byte buffer fills in half the expected writes.

An attacker exploits this by crafting a CLDAP ping with a long "User" field—up to 130 wide characters—and a version flag (NtVer) that routes the response through the vulnerable function. The combined writes overflow the 528-byte boundary, corrupting adjacent stack memory in lsass.exe. The entire attack is one UDP packet, taking roughly ten seconds.

Figure: attacker sends a crafted CLDAP packet
  1. Craft a malicious CLDAP packet: long User field plus NtVer bits 2-3 clear.
  2. Send a single UDP packet to port 389: no credentials, no prior access needed.
  3. Unit confusion doubles the write size: the 528-byte buffer overflows into the stack.
  4. lsass.exe stack memory corrupted: the DC crashes and reboots in about 60 seconds.
The overflow is triggered by the server's own DNS name combined with the attacker-supplied username.

Phase 3: From Crash to Forest Takeover

The public proof-of-concept demonstrates a reliable crash: lsass.exe terminates with a stack buffer security check failure, forcing the domain controller to reboot within sixty seconds. That alone is a denial-of-service against authentication for the entire domain.

The more serious scenario is code execution. Because lsass.exe runs with SYSTEM privileges, an attacker who achieves code execution inside it gains complete control of the domain controller. From there, full network takeover is fast and well-documented.

With SYSTEM access on a domain controller, an attacker can extract every credential hash using DCSync, which mimics the replication protocol domain controllers use to synchronize. They can extract the krbtgt secret—the master key for Kerberos authentication—and forge tickets for any account in the domain (a Golden Ticket attack). Those tickets grant access to every domain-joined system. One unpatched domain controller in a forest of ten is sufficient.

Figure: post-exploitation, one DC to full forest
  1. Code execution in lsass.exe: SYSTEM privileges on the domain controller.
  2. DCSync: extract all credential hashes; every domain account password hash stolen.
  3. Extract the krbtgt secret key: the master key for all Kerberos authentication.
  4. Forge Golden Tickets: impersonate any account, forever.
  5. Lateral movement to the entire forest: every domain-joined system now accessible.
  Outcome: full domain compromise; all accounts, all systems, all data.
A single unpatched DC in a multi-DC forest is sufficient for full forest takeover.

Phase 4: The Disclosure-to-Exploitation Collapse

Microsoft patched CVE-2026-41089 on May 12, 2026, rating it "Less Likely" to be exploited. Within days, security firm Aretiq AI reverse-engineered the patch, identified the vulnerable function, documented the full attack chain, and published a root-cause analysis. A public PoC crash script appeared on GitHub shortly after. Seventeen days after the patch, CCB confirmed active exploitation.

The gap between "vendor says less likely" and "national cybersecurity authority confirms active exploitation" was under three weeks. Automox CTO Jason Kikta put it plainly: "half-patched forests are not a defensible state for a pre-auth DC bug."

Figure: the 17-day arc from patch to exploitation
  1. May 12: Microsoft patches the CVE and rates exploitation as Less Likely.
  2. May 12-28: Aretiq AI reverse-engineers the patch; root cause and PoC published publicly.
  3. PoC crash script on GitHub: any attacker can now trigger the bug.
  4. May 29: CCB confirms active exploitation, 17 days after the Less Likely rating.
AI-assisted patch diffing compressed the research timeline from months to days.

What Made This Possible

The pre-authentication attack surface. Netlogon must respond to CLDAP pings before it knows who is asking. That is a design requirement. But it means any memory corruption bug in that handler is reachable by any attacker who can send a UDP packet to port 389—no credentials required.

Unit confusion in a critical path. The byte/WCHAR confusion in NetpLogonPutUnicodeString is easy to introduce and hard to catch in code review. The function signature looks correct. The compiler does not flag it. Tests using short strings do not trigger it.

Vendor exploitability ratings have a shrinking shelf life. Microsoft's "Less Likely" rating was accurate on May 12. It was not accurate on May 29. AI-assisted reverse engineering compressed the research timeline from months to days. Patch prioritization based on vendor ratings must account for how quickly that rating can become obsolete.

What Should Have Stopped This

  • Patch all domain controllers in the same window. Update KB5089549 fixes the bug. A forest with one unpatched DC is a forest with an open door. Tier 0 systems are not candidates for phased rollouts.
  • Restrict CLDAP access at the network perimeter. UDP port 389 should not be reachable from untrusted segments. Limit which hosts can send CLDAP traffic to domain controllers.
  • Monitor for anomalous CLDAP traffic. Normal DC locator pings use short usernames. A CLDAP SearchRequest with a "User" field longer than 20-30 characters is anomalous and should trigger an alert.
  • Monitor lsass.exe for unexpected crashes. Windows Event ID 1000 tied to netlogon.dll is a host-level indicator. An lsass.exe crash is never normal and should be treated as a critical incident.
  • Apply micropatches for legacy systems. Organizations running Windows Server 2008 R2, 2012, or 2012 R2 can apply micropatches from Acros Security's 0patch service.

The Takeaway

CVE-2026-41089 is not primarily a story about a memory corruption bug. It is a story about what happens when the authentication fabric of an entire network is reachable before authentication takes place. Netlogon is the trust boundary every other security control in a Windows network depends on. A pre-authentication flaw in it is not one server at risk—it is every server at risk.

Tier 0 components require a separate, faster patch timeline than the rest of the environment, driven by vulnerability severity and component criticality—not vendor exploitation-likelihood labels that can become obsolete in seventeen days.

Pattern to remember: A pre-authentication flaw in an identity service is not a server vulnerability. It is a domain vulnerability. Every system that trusts that identity service inherits the exposure.

What changed: Vendor exploitability ratings are now a starting point for risk assessment, not a conclusion. AI-assisted patch diffing means the gap between "patch released" and "reliable exploit available" can collapse to days, making the rating obsolete before most organizations finish their patch cycle.

Technical Deep Dive · 3 min

The Technical Mechanism

CVE-2026-41089 is a stack-based buffer overflow (CWE-121) in netlogon.dll, specifically in the function NetpLogonPutUnicodeString called from BuildSamLogonResponse during CLDAP DC locator ping response processing.

Root cause: byte/WCHAR unit confusion. NlGetLocalPingResponse allocates a 528-byte (0x210) stack buffer and passes it to BuildSamLogonResponse. That function calls NetpLogonPutUnicodeString three times to serialize the server name, DNS domain name, GUIDs, and the attacker-supplied User field from the CLDAP filter. The function receives a maximum-length parameter in bytes but internally treats it as a WCHAR (2-byte) count, causing each write to consume twice the expected space. No bounds check is applied before writing.

Attack trigger. The attacker sends a single CLDAP SearchRequest to UDP port 389 with:

  • The User filter attribute set to up to 130 wide characters (260 bytes on the wire)
  • The NtVer field set to a value with bits 2-3 clear (e.g., 0x02000000), which routes the response through BuildSamLogonResponse rather than the patched BuildSamLogonResponseEx

The combined writes from the DC's own DNS domain name, hostname, and the attacker-controlled username push the total serialized data past the 528-byte boundary, overwriting adjacent stack memory in lsass.exe.

Full call chain:

  • ntdsai!LDAP_CONN::SearchRequest
  • ntdsai!LDAP_GetRootDSEAttNetlogon
  • netlogon!I_NetLogonLdapLookupEx
  • netlogon!NlGetLocalPingResponse (allocates 528-byte stack buffer)
  • netlogon!LogonRequestHandler
  • netlogon!BuildSamLogonResponse
  • netlogon!NetpLogonPutUnicodeString (three unbounded calls)
  • netlogon!NlpUtf8ToCutf8 (DNS names overflow past buffer end)

Exploitability constraints. The GS stack cookie on modern Windows builds constrains straightforward return address hijacking. The overflow bytes include partially server-controlled DNS name data rather than purely attacker-controlled content. However, Aretiq AI and multiple security firms assess that return-oriented programming (ROP) chains can achieve reliable code execution on domain controllers with DNS domain names of approximately 50 or more characters, which increases the overflow magnitude. The public PoC demonstrates reliable LSASS crash (0xc0000409 stack buffer security check failure) and DC reboot within approximately 60 seconds. Full RCE is assessed as achievable on targeted configurations.

The patch. The patched netlogon.dll (included in KB5089549) enables Feature_404993339, causing BuildSamLogonResponse to call a new version of NetpLogonPutUnicodeString that uses RtlStringCbCopyExW with a correct byte-count budget.
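As an added illustration (not code from the article, Microsoft, or Aretiq AI), the C model below reproduces the accounting error described in Phase 2 and under Root cause: a serializer whose remaining budget arrives in bytes but is checked and charged in WCHARs, beside a version that does both in bytes. The 528-byte size is the article's; the struct, the function names, the three constructed field lengths and the slack region are the model's own, and checking the budget in the wrong unit is an assumption about how the confusion manifests, not a reconstruction of netlogon.dll.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR;             /* one UTF-16 code unit: 2 bytes */
#define RESPONSE_BUF_BYTES 528      /* 0x210, the stack buffer size the article gives */

/* Model of the response buffer: 'budget' is what the serializer believes remains, 'cursor' where
 * bytes really land. The slack after the 528 bytes records an overrun instead of corrupting memory. */
typedef struct {
    uint8_t buf[RESPONSE_BUF_BYTES + 512];
    size_t  cursor;    /* real bytes written */
    size_t  budget;    /* bytes the serializer thinks it has left */
} writer_t;

/* Vulnerable pattern (unit confusion, assumed form): the budget arrived in bytes, but the check and
 * the charge are done in WCHARs, so every string costs half of what it actually consumes. */
static bool put_unicode_string_confused(writer_t *w, const WCHAR *s, size_t n)
{
    if (n + 1 > w->budget) return false;                 /* WCHAR count vs. a byte budget */
    memcpy(w->buf + w->cursor, s, (n + 1) * sizeof(WCHAR));
    w->cursor += (n + 1) * sizeof(WCHAR);                /* what really happened */
    w->budget -= n + 1;                                  /* what the function believes */
    return true;
}

/* Fixed pattern: check and charge in bytes, the role the article attributes to RtlStringCbCopyExW
 * in the patched netlogon.dll. A string that does not fit the remaining bytes is refused. */
static bool put_unicode_string_cb(writer_t *w, const WCHAR *s, size_t n)
{
    size_t bytes = (n + 1) * sizeof(WCHAR);
    if (bytes > w->budget) return false;
    memcpy(w->buf + w->cursor, s, bytes);
    w->cursor += bytes;
    w->budget -= bytes;
    return true;
}

/* Serializes three fields with constructed lengths (hostname 70, DNS domain 64, User 130 code units,
 * the last being the article's attacker-controlled maximum) and returns bytes past the boundary. */
static size_t overrun_for(bool (*put)(writer_t *, const WCHAR *, size_t))
{
    static const size_t lens[3] = {70, 64, 130};
    WCHAR field[131];
    writer_t w = { .budget = RESPONSE_BUF_BYTES };       /* buf and cursor start zeroed */
    for (size_t i = 0; i < 3; i++) {
        for (size_t k = 0; k < lens[i]; k++) field[k] = (WCHAR)('a' + k % 26);
        field[lens[i]] = 0;
        if (!put(&w, field, lens[i])) break;             /* a correct budget check refuses it */
    }
    return w.cursor > RESPONSE_BUF_BYTES ? w.cursor - RESPONSE_BUF_BYTES : 0;
}
```

With these lengths the confused accounting accepts a third write that lands 6 bytes past the 528-byte boundary, while the byte-budget version refuses that write and never crosses it.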

Figure: vulnerable call chain inside lsass.exe
  1. CLDAP SearchRequest arrives: UDP port 389, no auth required.
  2. LDAP_CONN::SearchRequest: routes to the Netlogon handler.
  3. NlGetLocalPingResponse: allocates the 528-byte stack buffer.
  4. NetpLogonPutUnicodeString x3: byte/WCHAR confusion, 2x write size.
  5. Buffer boundary exceeded: stack memory in lsass.exe corrupted.
The unit confusion bug causes every string write to consume twice the space the function believes it is consuming.

CVE and Advisories

  • CVE-2026-41089: Windows Netlogon Remote Code Execution Vulnerability. CVSS 3.1: 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. CWE-121 (Stack-based Buffer Overflow).
  • Microsoft Security Response Center advisory: Patch included in May 2026 Patch Tuesday (KB5089549). Fixed build numbers: Server 2016 10.0.14393.9140, Server 2019 10.0.17763.8755, Server 2022 10.0.20348.5074, Server 2022 23H2 10.0.25398.2330, Server 2025 10.0.26100.32772.
  • CCB Advisory (updated May 29, 2026): First national cybersecurity authority to confirm active exploitation in the wild.
  • No CISA KEV listing confirmed as of June 7, 2026.

MITRE ATT&CK Mapping

Technique ID | ATT&CK name | How it appeared
T1190 | Exploit Public-Facing Application | CLDAP DC locator service on UDP port 389 is exploited via a single crafted packet requiring no authentication.
T1068 | Exploitation for Privilege Escalation | Stack buffer overflow in lsass.exe yields SYSTEM privileges on the domain controller.
T1003.006 | OS Credential Dumping: DCSync | With SYSTEM access on a DC, attacker replicates all credential hashes from Active Directory using the DCSync technique.
T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Extraction of the krbtgt account secret enables forgery of Kerberos tickets for any account in the domain.
T1210 | Exploitation of Remote Services | Forged Kerberos tickets enable lateral movement to every domain-joined system in the forest.
T1562.001 | Impair Defenses: Disable or Modify Tools | Attacker with DC-level SYSTEM access can disable security tooling, modify Group Policy, and suppress logging across the domain.

Indicators of Compromise

No indicators of compromise (IOCs) have been published by the CCB, Microsoft, or any named threat intelligence firm as of June 7, 2026. Attribution remains unconfirmed.

Network Indicators

  • CLDAP SearchRequest packets on UDP port 389 where the User filter attribute exceeds 20-30 characters. Normal DC locator pings use short service account names. Anomalously long User fields are a reliable signal.
  • Malformed RPC or Netlogon authentication requests containing unusually large string inputs over TCP port 135 or dynamic RPC ports 49152-65535.

Host Indicators

  • Windows Event ID 1000 (application crash) tied to netlogon.dll or lsass.exe. An lsass.exe crash is never normal and should be treated as a critical incident.
  • Unexpected child processes spawned by the Netlogon service.
  • Unexpected memory injections into lsass.exe.
  • Unexpected DCSync replication requests originating from non-DC hosts (detectable via Event ID 4662 with replication permissions).

Detection difficulty: Because the attack is a single UDP packet with no preceding authentication or session establishment, traditional session-based detection approaches will not catch the initial exploit. Network-level inspection of CLDAP traffic content is the primary pre-compromise detection opportunity.
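The long-User-field signal listed under Network Indicators can be checked on the datagram itself, which is what the single-packet detection problem described above calls for. The C code below is an added example, not from the article or any vendor: it walks the BER structure of a CLDAP SearchRequest, finds equalityMatch filters on the User attribute, and reports the longest value; the 30-character threshold, the function names, and the constructed sample ping (which omits the messageID and the other SearchRequest fields a real ping carries) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define USER_ALERT_THRESHOLD 30   /* the article's 20-30 character ceiling for a normal User field */

/* Reads one BER tag and length (short or long form); returns header size, 0 if malformed. */
static size_t ber_hdr(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    if (avail < 2) return 0;
    *tag = p[0]; *len = p[1];
    if (p[1] < 0x80) return 2;                        /* short form */
    size_t n = p[1] & 0x7f, i;                        /* long form: n length bytes follow */
    if (n == 0 || n > 2 || avail < 2 + n) return 0;   /* a CLDAP datagram never needs more */
    for (i = 0, *len = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
    return 2 + n;
}

/* Walks nested TLVs; for each equalityMatch ([3], tag 0xA3) on "User" records the longest value. */
static void walk(const uint8_t *p, size_t n, size_t *max_user)
{
    for (size_t off = 0; off < n;) {
        uint8_t t, ta, tv; size_t len, la, lv;
        size_t h = ber_hdr(p + off, n - off, &t, &len);
        if (!h || off + h + len > n) return;           /* truncated or malformed: stop walking */
        const uint8_t *v = p + off + h;
        if (t == 0xA3) {                               /* AttributeValueAssertion: desc, value */
            size_t ha = ber_hdr(v, len, &ta, &la);
            if (ha && ta == 0x04 && la == 4 && !memcmp(v + ha, "User", 4)) {
                size_t hv = ber_hdr(v + ha + la, len - ha - la, &tv, &lv);
                if (hv && tv == 0x04 && lv > *max_user) *max_user = lv;
            }
        } else if (t & 0x20) walk(v, len, max_user);   /* any other constructed type: descend */
        off += h + len;
    }
}

/* Longest User value in the datagram (0 if none), and the alert decision built on it. */
static size_t longest_user_value(const uint8_t *msg, size_t n) { size_t m = 0; walk(msg, n, &m); return m; }
static int cldap_ping_anomalous(const uint8_t *msg, size_t n) { return longest_user_value(msg, n) > USER_ALERT_THRESHOLD; }

/* Constructed sample builder: (&(User=AAA...)) inside a SearchRequest and LDAPMessage. */
static size_t tlv(uint8_t *o, uint8_t tag, const void *val, size_t len)
{
    size_t i = 0; o[i++] = tag;
    if (len < 0x80) o[i++] = (uint8_t)len;
    else if (len < 0x100) { o[i++] = 0x81; o[i++] = (uint8_t)len; }
    else { o[i++] = 0x82; o[i++] = (uint8_t)(len >> 8); o[i++] = (uint8_t)len; }
    memcpy(o + i, val, len); return i + len;
}
static size_t build_ping(uint8_t *out, size_t user_len)     /* out needs user_len + 32 bytes */
{
    uint8_t user[260], ava[300], andf[320], sr[340], m[360];
    memset(user, 'A', user_len);                             /* constructed User value */
    size_t a = tlv(ava, 0x04, "User", 4); a += tlv(ava + a, 0x04, user, user_len);
    size_t f = tlv(andf, 0xA3, ava, a);                      /* equalityMatch [3] */
    size_t s = tlv(sr, 0xA0, andf, f);                       /* and-filter [0] */
    size_t n = tlv(m, 0x63, sr, s);                          /* SearchRequest, APPLICATION 3 */
    return tlv(out, 0x30, m, n);                             /* LDAPMessage SEQUENCE */
}
```

The walker stops on truncated or malformed length fields rather than reading past the datagram, so a sensor feeding it raw UDP payloads is not itself exposed to bad input.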

Attribution

Unattributed. The CCB confirmed active exploitation on May 29, 2026, citing intelligence from "trusted partners," but has not named a specific threat actor, group, or nation-state. Microsoft stated as of June 1, 2026, that it found no evidence to support the CCB's exploitation claims, while recommending patching. Orca Security and Deepwatch describe "multiple threat actors" exploiting the vulnerability without naming specific groups. No credible nation-state attribution has been made by any threat intelligence firm as of June 7, 2026.


Primary Sources