What CVSS v3.1 base score does CVE-2026-41089 carry?

Correct answer: 9.8 Correct: c. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 10.0 would require a "scope changed" component which this bug does not have because the impact stays within the affected component. 7.5 and 8.8 would imply some form of user interaction or authentication requirement, both of which are absent.

Sneha at Infosys has to patch a Windows Server 2022 DC for CVE-2026-41089. Which Microsoft KB should she install?

Correct answer: KB5058411 Correct: b. KB5058411 is the May 2026 Server 2022 cumulative update that contains the Netlogon fix. (a) is for a different Server version. (c) is from April and predates the disclosure. (d) is a common misconception — the SSU (Servicing Stack Update) does NOT include the LCU; both must be deployed.

Priya at Wipro is mid-patch. After KB5058411 installs, DC03 reboots but the Netlogon secure channel to a member server breaks. What is her correct next step?

Correct answer: Wait ~10 minutes and run Test-ComputerSecureChannel -Repair from the member server Correct: a. Transient secure-channel errors after a DC reboot are normal — the channel rebuilds in minutes. (b) is the panic move that re-exposes you to the CVE. (c) is wildly over-reactive. (d) disables the very protection the patch enables and reopens the org to ZeroLogon-class attacks.

Karthik at Flipkart wants a one-line check across 14 DCs to confirm the Netlogon patch is installed. Best command?

Correct answer: Invoke-Command -ComputerName (Get-ADDomainController -Filter *).Name { Get-HotFix -Id KB5058411 } Correct: d. Fan-out over WinRM with Get-HotFix filtered to the specific KB is the right tool. (a) only tells you the service runs — every DC's service runs by definition. (b) checks secure-channel health, not patch status. (c) shows recent log entries but does not prove the patch is installed.

Rahul's SOC sees the Netlogon service on DC02 crash and auto-restart three times in 8 minutes. tcpdump on DC02's interface shows oversized MS-NRPC requests from 10.42.10.99. Most likely diagnosis?

Correct answer: Active exploitation attempt of CVE-2026-41089 from 10.42.10.99 Correct: c. Repeated Netlogon crashes correlated with oversized inbound MS-NRPC packets from a single source = textbook exploit attempt. (a) and (b) would not produce the specific oversized-RPC pattern. (d) Kerberos uses port 88, not Netlogon RPC, and does not cause the service to crash. Action: isolate 10.42.10.99, snapshot DC02, hunt for SYSTEM-level child processes spawned by lsass.exe.

Aditya at HCL Lucknow sees Event ID 5805 firing on DC04 every 30 seconds for two days. No service crash. No oversized packets. Most likely cause?

Correct answer: Benign clock skew or stale machine-account password on a member server Correct: b. Event 5805 alone, without correlated crashes or oversized RPC, is most commonly clock skew or a stuck machine-account password. This is exactly the false-positive trap mentioned in Common Mistakes — Event 5805 is necessary but not sufficient. Correlate with Event 7034 (Service Control Manager — Netlogon crash) before going to (a) or (c).

How does CVE-2026-41089 fundamentally differ from CVE-2020-1472 (ZeroLogon)?

Correct answer: 41089 is a memory-corruption RCE; ZeroLogon was a crypto flaw fixable by enforcing secure-channel signing Correct: b. The bug classes are different: ZeroLogon abused an AES-CFB8 initialization vector reuse to zero out the DC's machine-account password — fixable via the FullSecureChannelProtection registry enforcement. 41089 is a stack buffer overflow; only the binary patch fixes it. There is no policy workaround. (a), (c), and (d) are all factually wrong.

Why does Netlogon's compromise translate to full domain compromise?

Correct answer: Netlogon runs as SYSTEM inside lsass.exe — that process holds the NTDS credential store and the krbtgt key material; reading lsass = domain takeover Correct: d. The privilege escalation is automatic: code execution inside lsass.exe = SYSTEM = read access to NTDS.dit (every account hash) and the krbtgt password (Golden Ticket forging). (a) is wrong — Netlogon runs as SYSTEM, not user. (b) is unrelated. (c) is a misconception; Netlogon does not decrypt Kerberos tickets.

A 5,000-user Indian SI firm has 24 DCs across 6 sites. The CISO asks: "should we deploy detection rules first and then patch, or patch first and then detect?" What is the right call?

Correct answer: Patch DCs first (in correct FSMO order) — detection rules are valuable but cannot stop an in-flight exploit; the binary patch is the only true mitigation. Stand up detection rules in parallel for any unpatched window. Correct: b. Detection is necessary but not sufficient — by the time the rule fires, the attacker is already SYSTEM. Patch is the only true preventive. Run both tracks in parallel: emergency-patch the DCs in correct FSMO order over the next 24 hours while detection rules cover the gap. (a) accepts unacceptable risk on critical infrastructure. (c) breaks the entire domain. (d) is reactive theater.

You are designing a high-fidelity detection rule for CVE-2026-41089 in Splunk. Which event-correlation logic is the strongest signal?

Correct answer: Alert on bursts of Event 5805 + 5827-5831 from a single src_ip within 5 minutes, AND a correlated Event 7034 "Netlogon service crashed" within 10 minutes Correct: c. High-fidelity detection requires correlation of the pre-exploit pattern (malformed RPC events from one source) with the post-exploit signal (the Netlogon service actually crashing). (a) drowns the SOC in 5805 false positives from clock skew. (b) is normal admin behavior. (d) is false — modern exploits often complete in milliseconds with no CPU spike. Correlation across the kill chain is the difference between an L1 alert flood and an L2-grade rule.

CVE-2026-41089: How One Netlogon Packet Can Take Down Your Entire Active Directory

The TCS office ID-card panel — a story you already know

You work at the TCS Bengaluru office. Every morning when Sneha swipes her ID card on the entry panel, a silent conversation happens. The panel asks the central security system: "is this Sneha, is she still on payroll, what floors can she enter?" The central system answers in milliseconds. Sneha never sees the conversation. It just works — 50,000 times a day, across every door.

Now imagine someone walks up to the panel itself, jams a thin metal pin into a specific slot, and the panel responds by handing them the master key to every door in the building. They did not pretend to be Sneha. They did not steal her card. They just exploited the panel's own firmware. That is CVE-2026-41089. The panel is your domain controller. The silent conversation is Netlogon. The master key is full SYSTEM on every machine your AD touches.

Why this matters — in 10 seconds and in a paycheck

If you are sitting in an interview next week, this is the question. "A CVE dropped this month rated 9.8 against Windows DCs. Tell me what it does, how you would detect it, and what you would patch first." Get the answer wrong and the panel moves on. Get it right and you have separated yourself from every candidate who memorised buzzwords without learning the protocol underneath.

Why does the security industry care so much? Because compromising a domain controller is compromising the domain itself. A DC holds the NTDS.dit credential database, the Kerberos signing key (krbtgt), and the trust relationships with every member server and workstation. One DC down = every server, every desktop, every laptop, every cloud-joined identity, every Exchange mailbox — all yours.

!Why "patch later" is the wrong answer

When ZeroLogon (CVE-2020-1472) was published, public exploit code dropped within 48 hours and organisations that delayed patching for a quarterly maintenance window were hit by Conti, Ryuk, and several Indian-targeted ransomware crews. CVE-2026-41089 had functional exploit code circulating within hours of disclosure on 12 May 2026. The window between disclosure and weaponisation is no longer "weeks." It is one workday.

What Netlogon actually is — the core concept

Netlogon is the Windows Remote Procedure Call (RPC) service that handles three quiet jobs:

User logon authentication — when Rahul logs into his TCS laptop, his workstation does not talk to AD with his password. It hands the password to its Netlogon client, which runs an encrypted challenge-response over the MS-NRPC protocol against a DC.
Machine-account password rotation — every domain-joined PC has a machine account whose password rotates every 30 days. Netlogon is what rotates it.
DC-to-DC replication trust — when two DCs need to verify each other before replicating Active Directory data, they shake hands over Netlogon's secure channel.

Critically, the Netlogon service runs inside lsass.exe on every DC, and lsass.exe runs as NT AUTHORITY\SYSTEM. That is the privilege the bug hands to the attacker. Not Administrator. SYSTEM. On the DC.

SVG 1 — Netlogon's position in an AD network

Every domain-joined device talks to a DC over MS-NRPC. The bug lives inside the Netlogon component on the DC — the same component that answers every authentication request. That is what makes the attack surface enormous.

👩‍💻 Scenario — Sneha at Infosys Pune

Sneha is an L1 SOC analyst. Her CISO walks past her desk on 13 May 2026 and asks: "are our DCs running Netlogon?" The trick question — every DC has Netlogon running. There is no "off." It's how the AD service exists. The right answer is "yes, on every DC by design — that is exactly why CVE-2026-41089 is rated 9.8."

How CVE-2026-41089 actually fires

The bug is a stack-based buffer overflow in Netlogon's message-handling code. Netlogon writes attacker-controlled bytes into a fixed-size stack buffer without checking the length. Because the buffer sits on the stack, the overflow can overwrite the function's saved return address. The attacker chooses what that overwritten return address points to — typically into a small payload they embedded earlier in the same packet, or into a ROP chain made of existing Netlogon code gadgets. Either way, execution lands wherever the attacker chose, running as SYSTEM, inside the Netlogon service.

What is unusual here is the pre-authentication property. The attacker does not need a domain user account. They do not need to be on the AD-joined LAN. They just need TCP/UDP reachability to the DC's RPC endpoint mapper on port 135 and the dynamic high port Netlogon negotiates afterwards. In a flat enterprise LAN — and most Indian enterprise networks are flatter than the architects admit — that means any compromised workstation can pivot to DC SYSTEM in one packet.

SVG 2 — The five steps from packet to domain compromise

Steps 1-3 happen pre-authentication. By step 4 the attacker owns the DC itself. By step 5 they own the domain — and "rebuilding AD from scratch" is now on the table.

👩‍💻 Scenario — Priya at Wipro Bengaluru

Priya manages a 14-DC forest. She reads the advisory at 11 PM on 12 May, panics, and DMs her manager. The right next move is not "patch all 14 right now." It is "isolate the RPC endpoint mapper from untrusted segments, then patch in waves starting with internet-adjacent DCs." Order matters. Panic patching is how you break replication.

How CVE-2026-41089 is different from ZeroLogon (and why both still matter)

If you have done CISSP prep, you remember ZeroLogon (CVE-2020-1472). Both bugs end in "attacker owns the domain via Netlogon," but the root cause and the detection signal are very different. An interviewer will absolutely ask you to distinguish them.

SVG 3 — Side-by-side: the three big Netlogon CVEs

Same protocol, three different bug classes. CVE-2026-41089 is the most dangerous because, like ZeroLogon, it requires no authentication — but unlike ZeroLogon, the patch order also matters (more in the next section).

👨‍💻 Scenario — Karthik at Flipkart Bengaluru

Karthik did Zerologon remediation in 2020. He asks his lead: "is this just ZeroLogon again?" The honest answer is no — ZeroLogon was a crypto bug fixable by enforcing secure-channel signing. CVE-2026-41089 is a memory-corruption bug; the only fix is the binary patch. There is no "policy workaround" this time.

So far: Netlogon = AD's authentication chatbot, it runs as SYSTEM on every DC, and CVE-2026-41089 lets one unauthenticated packet hand SYSTEM to an attacker. Next we check whether your DCs are exposed.

Hands-on — is your DC vulnerable?

Three checks. Run them on each DC, in order. All commands run in an elevated PowerShell.

Check 1 — is the May 2026 patch installed?

PowerShell on the DC (elevated)

Get-HotFix -Id KB5058411, KB5058385 |
    Select-Object HotFixID, InstalledOn, InstalledBy

✓Expected output (patched DC)

HotFixID    InstalledOn   InstalledBy
--------    -----------   -----------
KB5058411   5/13/2026     NT AUTHORITY\SYSTEM
KB5058385   5/13/2026     NT AUTHORITY\SYSTEM

Empty output = the DC is unpatched. Move to step 2 immediately.

Check 2 — what build are we on?

PowerShell — confirm OS build is post-May-2026

Get-ComputerInfo -Property OsName, OsVersion, OsBuildNumber, OsHardwareAbstractionLayer
# Server 2022 fixed build: 20348.3517 or higher
# Server 2025 fixed build: 26100.3915 or higher

Check 3 — is Netlogon's RPC endpoint reachable from places it shouldn't be?

From a workstation that should NOT reach the DC's RPC endpoint

Test-NetConnection -ComputerName 10.42.50.10 -Port 135
# If TcpTestSucceeded = True from a user VLAN, your DC's RPC interface
# is exposed to every workstation. That is the attack surface.

Patch deployment — the order that does not break replication

Snapshot every DC (VM checkpoint or backup) before any reboot. If anything goes sideways with the secure channel, you want a rollback point.
Patch the PDC Emulator FSMO holder LAST, not first. The PDC Emulator is the time source and password-change authority — if it goes down mid-patch, every other DC's clock skews and Kerberos breaks.
Patch in this order: replica DCs in the largest site first → replica DCs in branch sites → finally the PDC Emulator. One DC at a time per site. Wait for replication to converge (repadmin /showrepl) between each.
After each DC reboots, verify the secure channel still works: Test-ComputerSecureChannel -Verbose on a member server in the same site. Expected: True.
Re-test reachability + Get-HotFix from step 1.

👨‍💻 Scenario — Rahul at TCS Bengaluru

Rahul runs Get-HotFix on his 14 DCs and finds 6 of them still on the April 2026 baseline because the WSUS rule was set to "auto-approve Important only." May's Netlogon patch was tagged Critical and skipped. Fix the WSUS classification first, then push. Lesson — WSUS rules drift, audit them every Patch Tuesday.

Detection — catching exploitation in Splunk + Microsoft Sentinel

Patching is half the job. Until every DC is patched (and even after), you want a detection that fires on the pre-exploit pattern: malformed MS-NRPC packets + unexpected Netlogon service crashes. Enable enhanced Netlogon logging first.

Enable Netlogon debug logging on the DC

nltest /dbflag:0x2080FFFF
# Logs to %WINDIR%\debug\netlogon.log
# Look for Event IDs 5805, 5827, 5828, 5829, 5830, 5831

Splunk SPL — burst of malformed NRPC from a single source

Splunk Enterprise Security

index=wineventlog source="WinEventLog:System"
    (EventCode=5805 OR EventCode=5827 OR EventCode=5828
     OR EventCode=5829 OR EventCode=5830 OR EventCode=5831)
| bin _time span=5m
| stats count by _time, host, src_ip
| where count > 10
| sort - count

Microsoft Sentinel KQL — Netlogon service crash followed by lsass access

Sentinel Analytics Rule (KQL)

let netlogonCrash = Event
    | where EventLog == "System"
    | where Source == "Service Control Manager"
    | where EventID == 7034
    | where RenderedDescription contains "Netlogon"
    | project crashTime = TimeGenerated, Computer;
let lsassRead = DeviceProcessEvents
    | where ProcessCommandLine has_any ("lsass", "comsvcs.dll", "MiniDump")
    | project readTime = TimeGenerated, Computer, AccountName, ProcessCommandLine;
netlogonCrash
| join kind=inner lsassRead on Computer
| where readTime between (crashTime .. (crashTime + 10m))
| project crashTime, Computer, AccountName, ProcessCommandLine

!Common mistakes

"We have a firewall, we're fine." — North-south firewalls do not stop east-west pivoting. The attacker only needs one compromised workstation on your LAN. Segmenting DCs into their own VLAN with strict ACLs to port 135 + RPC range is the real control.
Patching PDC Emulator first. — Breaks Kerberos for the duration of the reboot. Always last.
Disabling Netlogon as a "workaround." — Disables every authentication in the domain. Do not do this. There is no policy mitigation; only the patch.
Trusting Event 5805 alone. — It also fires on benign clock-skew issues. Correlate with a Netlogon service crash (Event 7034 from Service Control Manager) for high-fidelity detection.
Forgetting the read-only DCs (RODCs). — They also run Netlogon. They are also vulnerable. Audit your Get-ADDomainController -Filter * output, not just your "main" DCs.

★Pro tips

Add the May 2026 cumulative update KBs to your WSUS auto-approve rule for Critical + Security Updates so future Netlogon-class bugs land automatically on DCs at the next maintenance window.
Run Set-ADObject -Identity (Get-ADDomain).DistinguishedName -Replace @{"msDS-Behavior-Version"=7} to confirm the domain functional level is current — older levels sometimes block newer patches from applying cleanly.
For SOC: pre-write the Sentinel/Splunk rules above today even if you are patched. Detection-as-code beats panic-after-the-fact every time.

👨‍💻 Scenario — Aditya at HCL Lucknow

Aditya patches DC03 and sees Event ID 5719 ("This computer was not able to set up a secure session") flood the log for 6 minutes. Trainee instinct says rollback. Senior move: wait 10 minutes for the secure channel to rebuild, then run Test-ComputerSecureChannel -Repair from a member server. Patching transient errors are normal; permanent ones aren't.

📋 Quick reference — CVE-2026-41089 cheat sheet

Field	Value
CVE	CVE-2026-41089
CVSS v3.1	9.8 Critical (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Bug class	Stack-based buffer overflow in MS-NRPC message handler
Auth required	None — pre-authentication RCE
Affected	Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, 2025 (DC role + RPC interface exposed)
Patches	KB5058411 (Server 2022), KB5058385 (Server 2025); equivalent KBs for older releases
Detection events	System log Event IDs 5805, 5827-5831; Service Control Manager Event 7034 (Netlogon crash)
Patch order	Replica DCs first → branch DCs → PDC Emulator LAST
No workaround	Only the binary patch fixes it. No policy/registry mitigation works.

Glossary

Active Directory (AD) — Microsoft's directory service that holds user accounts, computer accounts, and group policies for a Windows network.
Domain Controller (DC) — a server running AD Domain Services that authenticates users and computers in the domain.
Netlogon — the Windows RPC service that runs all authentication conversations between a workstation and its DC. Runs as SYSTEM inside lsass.exe.
MS-NRPC — Microsoft Netlogon Remote Protocol. The wire format Netlogon uses.
RPC — Remote Procedure Call. A way for one Windows machine to invoke a function on another.
NTDS.dit — the file on a DC that stores every domain user's password hash. The crown jewels.
krbtgt — the special account whose password signs every Kerberos ticket. Theft = Golden Ticket attack = unlimited persistence.
PDC Emulator — the FSMO role-holder DC that is the master time source and password-change authority for the domain.
RODC — Read-Only Domain Controller. Used in branch sites. Still runs Netlogon, still vulnerable.
CVSS — Common Vulnerability Scoring System. 9.0-10.0 = Critical.

Sources used in this lesson

What's next?

Now that you can defend a DC, learn how to attack one (ethically) — CISSP Domain 3 covers the offensive side of credential-store theft. Drill the practice MCQs on exam.techclick.in to lock the concepts.

All lessons → Practice on exam.techclick.in

CVE-2026-41089: How One Netlogon Packet Can Take Down Your Entire AD