Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild
System administrators, run the May 12 patch immediately if you haven't already.
The Great Exploitation of 2026 continues apace, with security vulnerabilities being published at an alarming rate and, more often than not, exploited in the wild almost before anyone has time to react. Today it is Microsoft in the unfortunate limelight, with a CVSS 9.8 remote code execution vulnerability affecting Windows Server domain controllers (DCs), from the 2012 release through current versions. The exploit and its explanation are simple: an unauthenticated attacker on the same network can send a malformed UDP packet to a DC and potentially gain SYSTEM access, with no prior foothold required. Even an attacker who doesn't go that far can trivially force the DC to reboot, which makes denial of service against the domain's authentication infrastructure a realistic scenario.
The vulnerability is tracked as CVE-2026-41089, and it's mercifully not a zero-day this time, since a patch was available when it was disclosed. The vulnerable service is Netlogon, and there's apparently no workaround or mitigation; the only solution is to patch the affected systems. The fix arrives in the May 12 Patch Tuesday release, but there's a fair chance that a lot of DCs remain unpatched, particularly, though not only, those running older versions. System administrators might also find specific patch links and remediation scripts handy.
If an attacker can leverage this vulnerability to get SYSTEM-level access on a domain controller, the consequences are limited only by imagination. The attacker can create any number of accounts at any privilege level, including forging Kerberos Ticket-Granting Tickets, which grants access to virtually all data across the entire domain. Since DCs in medium-to-large enterprises usually operate as part of a larger, replicating network, just one vulnerable machine is enough to put the entire network at risk. Cybersecurity boffins recommend that administrators treat this as a worm-style threat and patch all their linked DCs at once, rather than playing a game of whack-a-mole in which the moles have the upper hand.
When the patch shipped, Microsoft stated that the vulnerability had not been publicly disclosed and was not being exploited, but the situation has changed since then: recent reports have confirmed that it is now being exploited in the wild. As far as proof-of-concept code goes, there's a GitHub repository with sample code that forces the LSASS process to crash after a minute or so. Netlogon runs inside LSASS, and Windows restarts when LSASS dies, which is the forced reboot mentioned above.
The technical details are simple and somewhat facepalm-inducing. The crafted packet that triggers the vulnerability isn't fancy; it just contains one field that's larger than it should be. Data serialization logic in the Netlogon service concatenates the attacker-supplied data with the server's hostname into a fixed-size buffer without checking that the result fits, producing a classic buffer overflow, the most straightforward type of memory-safety bug there is.
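To make the bug class concrete, here is an added C example (written for this article, not Microsoft's code, and not the real Netlogon wire format or parser): a constructed packet with a length-prefixed name field, a vulnerable builder that trusts the declared length when concatenating the field onto the hostname, and a hardened builder that bounds the copy before writing. The packet layout, the 64-byte buffer, the hostname DC01 and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the (hypothetical) server uses for "HOST\field".
 * Everything about the packet layout below is constructed for this example;
 * it is not the Netlogon wire format. */
#define NAME_CAP 64

/* Build a packet: 16-bit big-endian declared length, then `actual` bytes of
 * payload. `declared` and `actual` differ only when we want a lying header. */
static size_t make_packet(uint8_t *buf, size_t buf_cap,
                          size_t declared, size_t actual, uint8_t fill)
{
    if (declared > 0xFFFF || actual + 2 > buf_cap) return 0;
    buf[0] = (uint8_t)(declared >> 8);
    buf[1] = (uint8_t)(declared & 0xFF);
    memset(buf + 2, fill, actual);
    return actual + 2;
}

/* VULNERABLE pattern: the copy length is taken straight from the packet and
 * the destination capacity is never consulted. Any field longer than
 * NAME_CAP - strlen(host) - 2 writes past `out`. */
static int build_name_vuln(const uint8_t *pkt, size_t pkt_len,
                           const char *host, char *out, size_t cap)
{
    (void)cap;                                   /* the bug: cap is ignored */
    if (pkt_len < 2) return -1;
    size_t flen = ((size_t)pkt[0] << 8) | pkt[1];
    size_t hlen = strlen(host);
    memcpy(out, host, hlen);
    out[hlen] = '\\';
    memcpy(out + hlen + 1, pkt + 2, flen);      /* unbounded copy */
    out[hlen + 1 + flen] = '\0';
    return 0;
}

/* HARDENED version: the declared length must fit the bytes actually received,
 * and host + '\\' + field + NUL must fit in `cap`, all checked before any write. */
static int build_name_safe(const uint8_t *pkt, size_t pkt_len,
                           const char *host, char *out, size_t cap)
{
    if (pkt_len < 2) return -1;
    size_t flen = ((size_t)pkt[0] << 8) | pkt[1];
    if (flen > pkt_len - 2) return -1;           /* header lies about payload */
    size_t hlen = strlen(host);
    if (hlen + 2 > cap) return -1;               /* no room even for "HOST\" + NUL */
    if (flen > cap - hlen - 2) return -1;        /* field would overflow */
    memcpy(out, host, hlen);
    out[hlen] = '\\';
    memcpy(out + hlen + 1, pkt + 2, flen);
    out[hlen + 1 + flen] = '\0';
    return 0;
}

/* Run the vulnerable builder on a field of `field_len` bytes and count how
 * many bytes landed beyond the NAME_CAP-byte region. The region is the first
 * slice of a much larger array so the overflow is observable rather than UB. */
int overflow_bytes_vuln(size_t field_len)
{
    uint8_t pkt[1024];
    static char region[4096];
    memset(region, 0, sizeof region);
    size_t n = make_packet(pkt, sizeof pkt, field_len, field_len, 'A');
    if (n == 0 || build_name_vuln(pkt, n, "DC01", region, NAME_CAP) != 0) return -1;
    int spilled = 0;
    for (size_t i = NAME_CAP; i < sizeof region; i++)
        if (region[i] != 0) spilled++;
    return spilled;
}

/* Return code of the hardened builder for a packet whose header declares
 * `declared` bytes while `actual` bytes actually follow. */
int safe_rc(size_t declared, size_t actual)
{
    uint8_t pkt[1024];
    char name[NAME_CAP];
    size_t n = make_packet(pkt, sizeof pkt, declared, actual, 'A');
    if (n == 0) return -2;
    return build_name_safe(pkt, n, "DC01", name, sizeof name);
}

int main(void)
{
    printf("benign 8-byte field: vuln spills %d bytes, safe rc=%d\n",
           overflow_bytes_vuln(8), safe_rc(8, 8));
    printf("200-byte field: vuln spills %d bytes past a %d-byte buffer, safe rc=%d\n",
           overflow_bytes_vuln(200), NAME_CAP, safe_rc(200, 200));
    printf("header says 300, only 8 sent: safe rc=%d\n", safe_rc(300, 8));
    return 0;
}
```

Compile and run it to watch the 200-byte field spill 141 bytes past the 64-byte region in the vulnerable path while the hardened builder rejects it before copying a single byte; the region is a slice of a larger array purely so the spill can be counted instead of crashing the process. In a real service those bytes land on whatever follows the buffer inside the process, which is how one packet becomes a crash or, with more work, code execution. Note the two separate checks in the hardened version: one against the bytes actually received (a header can lie) and one against the destination, computed so that the subtraction cannot wrap.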
Microsoft has been in security news quite often recently, mostly thanks to its ongoing spat with security researcher Chaotic Eclipse (aka Nightmare Eclipse), who published a heap of zero-day exploits after negotiations with the company apparently broke down. The situation is unclear, but has escalated to the point where Microsoft is now threatening Eclipse with legal action.

Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.