CRITICAL: Microsoft Patch Tuesday Drops Unauthenticated Netlogon and DNS RCE Bugs Rated 9.8

Microsoft shipped 138 patches for May 2026 including two unauthenticated remote code execution flaws rated CVSS 9.8. CVE-2026-41089 is a Netlogon overflow that hands SYSTEM on domain controllers to anyone on the network. CVE-2026-41096 is a DNS Client heap overflow triggered by a malicious DNS response. Patch domain controllers first.

By Danny Mercer, CISSP, Lead Security Analyst | May 13, 2026

Pour one out for any sysadmin who hoped May would be a quiet month. Microsoft dropped 138 fixes on Patch Tuesday this week, and tucked inside the usual pile of privilege escalations and Edge updates are two unauthenticated remote code execution flaws that read like a greatest hits compilation of 2020. One lives in Windows DNS Client. The other lives in Netlogon, on every domain controller you operate. Both score a CVSS of 9.8. Neither requires a user to click anything. If your environment runs Active Directory, you have a long night ahead of you.

The headliner is CVE-2026-41089, a stack and integer overflow in the Netlogon Remote Protocol that allows an unauthenticated attacker on the network to execute code as SYSTEM on a domain controller. Microsoft's advisory rates exploitation as "less likely," which is the kind of confidence that ages poorly the moment a working proof of concept hits Twitter. The vulnerability triggers during the authentication handshake when the service mishandles a caller-supplied length value, corrupting the heap and handing control of execution to whatever payload the attacker dropped in. Affected versions cover the entire current server lineup, from Windows Server 2016 through Server 2025, with KB5037777 through KB5037780 representing the matching cumulative updates. The attack surface is whatever port your domain controllers expose for RPC and SMB, which is to say port 135 and port 445, which is to say every domain controller in the building.

Comparisons to Zerologon are inevitable and mostly fair, although the two vulnerabilities operate through different mechanisms. The 2020 Netlogon bug, CVE-2020-1472, exploited a cryptographic weakness that let attackers reset a domain controller's machine account password to all zeroes. CVE-2026-41089 is a more conventional memory corruption flaw, but the outcome is similar and arguably worse. Zerologon required the attacker to follow up with credential theft to actually do damage. The new bug delivers code execution as SYSTEM in the same shot, in under three seconds according to early analysis, meaning a single packet can hand an attacker a domain controller before EDR has finished updating its definitions. That is not a hypothetical concern. The last time a remotely exploitable bug landed in Netlogon, every red team in the country dropped what they were doing to weaponize it, and the corresponding blue team scramble made Q4 2020 a memorable quarter for the wrong reasons.

The second critical RCE is CVE-2026-41096, a heap buffer overflow in the Windows DNS Client. The attack vector is a malicious DNS response, which the client mishandles in a way that corrupts memory and permits remote code execution. The catch, and it is a meaningful one, is that the DNS Client runs as NetworkService rather than SYSTEM, so initial code execution lands in a less privileged context. Microsoft is selling that as a mitigation. The honest reading is that it just adds one extra step to a kill chain that still ends with a compromised host, because privilege escalation primitives have been a renewable resource in Windows for the better part of two decades. The vulnerability also benefits from modern exploit mitigations like heap address randomization, and the optional encrypted DNS configurations Microsoft has been quietly pushing will make weaponization harder. Neither of those things changes the fact that this is a client-side flaw in a service that talks to every name server on the internet, and the population of vulnerable hosts is, conservatively, almost all of them.

Beyond the DNS and Netlogon pair, the May release contains a quartet of cloud and platform vulnerabilities that deserve their own paragraph because the CVSS scores are silly. CVE-2026-42826 is an information disclosure flaw in Azure DevOps rated a perfect 10.0. CVE-2026-33109 is an improper access control issue in Azure Cassandra at 9.9. CVE-2026-42898 is a code injection bug in Dynamics 365, also 9.9. CVE-2026-42823 is a privilege escalation flaw in Azure Logic Apps that rounds out the set at 9.9. Microsoft has already patched the cloud-side components for all four, so customers do not need to take action on those, but anyone who maintains hybrid integrations or runs the on-premises Dynamics agent should verify their automatic update channels have actually applied the relevant fixes. Cloud-side patching does not always reach into customer-side tooling, and "Microsoft handled it" is not a defensible answer during an incident response engagement.

Stepping back from the individual bugs, the totals tell their own story. The release contained 30 critical vulnerabilities, 104 important, three moderate, and one low. There were 61 elevation of privilege bugs and 32 remote code execution flaws. Microsoft credits 16 of the fixes to its new internal AI vulnerability discovery system, which the company has dubbed MDASH. That is either a fascinating glimpse into how vendor security research is changing or a marketing line dressed up as a stat, depending on how cynical you feel today. Either way, the supplementary Chromium update added another 127 vulnerabilities under the Edge banner, so anyone deploying browsers as a managed application has more work than just the OS patches.

There is also a deadline lurking inside this advisory that has nothing to do with the May CVEs but everything to do with operational risk. June 26, 2026 is the last date on which Windows will accept the 2011-issued Secure Boot certificates that ship in the firmware of older hardware. Devices that have not been migrated to the 2023 certificate set will start failing boot-level signature verification after that date, which means failed updates at best and unbootable systems at worst. Microsoft has been telegraphing this for months, but plenty of shops are still running fleets that have not received the relevant rollout. Anyone responsible for endpoint management should be auditing their certificate state right now, not in mid-June.

Exploitation in the wild has not been observed as of this writing. Microsoft assessed none of the May CVEs as publicly known at release, and the usual exploit broker channels have been quiet. That is the easy part of the news cycle, when everyone agrees patching is important and no one feels acute pressure to do it. The hard part is the next ten days, when proof of concept code for the Netlogon bug will inevitably appear on a security researcher's blog, and the gap between that publication and the first opportunistic scan is going to be measured in hours rather than days. Domain controllers are the natural target. They are the highest-value assets in most environments, they tend to run on a slower patch cadence than workstations because change windows are precious, and they are exposed to the entire internal network by design. If you patch nothing else this week, patch them.

Detection guidance from the early community analysis points at Event ID 5805 for malformed Netlogon authentication failures, which is the closest indicator of compromise signal available short of full packet capture on the domain controller's RPC traffic. Network detection rules for anomalous MS-NRPC traffic patterns are starting to land in Suricata and Zeek repositories, and any SOC running Snort should pull the latest Talos ruleset because Cisco published coverage alongside the advisory. For the DNS Client bug, detection is harder because the malicious traffic looks like a normal DNS response from the client's perspective, so the practical mitigation is upstream filtering through a controlled resolver rather than waiting to catch the exploit at the host. Anyone running protective DNS through a vendor like Cisco Umbrella, Cloudflare Gateway, or Quad9 already has a layer of insulation, and clients pointed at uncontrolled public resolvers are the population most at risk.
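As an added illustration of the Event ID 5805 hunting idea above (this is not code from the original article or from any vendor ruleset), the following Python snippet flags source computers that produce a burst of 5805 failures against a domain controller. The log format, host names and timestamps are constructed, and the threshold and window are assumed starting points to tune against your own baseline.

```python
"""Flag bursts of NETLOGON Event ID 5805 (failed session setup) per source
computer, as a first-pass indicator while domain controllers are being patched."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records (not real logs): "<ISO time>|<EventID>|<message>".
# The 5805 text mirrors the standard NETLOGON "session setup ... failed" wording.
SAMPLE_LOG = """\
2026-05-13T09:00:01|5805|The session setup from the computer WS-HR-07 failed to authenticate.
2026-05-13T09:00:02|5805|The session setup from the computer WS-HR-07 failed to authenticate.
2026-05-13T09:00:02|5805|The session setup from the computer WS-HR-07 failed to authenticate.
2026-05-13T09:00:03|5805|The session setup from the computer WS-HR-07 failed to authenticate.
2026-05-13T09:00:03|5805|The session setup from the computer WS-HR-07 failed to authenticate.
2026-05-13T09:00:04|5805|The session setup from the computer WS-HR-07 failed to authenticate.
2026-05-13T09:05:00|5805|The session setup from the computer LAPTOP-42 failed to authenticate.
2026-05-13T09:30:00|4624|An account was successfully logged on.
2026-05-13T10:00:00|5805|The session setup from the computer LAPTOP-42 failed to authenticate.
"""

_SRC = re.compile(r"from the computer (\S+) failed")

def parse_5805(text):
    """Yield (timestamp, source_computer) for each Event ID 5805 record."""
    for line in text.splitlines():
        ts, event_id, msg = line.split("|", 2)
        if event_id != "5805":
            continue
        m = _SRC.search(msg)
        if m:
            yield datetime.fromisoformat(ts), m.group(1)

def find_bursts(text, threshold=5, window=timedelta(seconds=30)):
    """Return {computer: peak_count} for sources with at least `threshold`
    5805 events inside any sliding window of length `window` (assumed tuning)."""
    by_src = defaultdict(list)
    for ts, src in parse_5805(text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[src] = max(hits, flagged.get(src, 0))
    return flagged
```

A single stray 5805 from a workstation with a stale machine password is normal; a tight burst from one source is what merits a look at that host and a packet capture on the DC's RPC traffic.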

For the MSP business angle, this is one of those release cycles that practically writes its own quarterly business review slide. Any client running on-premises Active Directory just inherited an urgent patching obligation with a tight window, and the conversation about Tier 0 asset segmentation, just-in-time admin tooling, and managed identity protection has never been easier to open. The Secure Boot certificate deadline is its own discrete project, and clients with mixed hardware fleets are going to need help auditing certificate state across the estate. Both are billable engagements with hard deadlines, which is the rarest and most useful combination in the security consulting business.
