Overview
The Centre for Cybersecurity Belgium (CCB) — Belgium's national cybersecurity authority — has issued an urgent warning that threat actors are actively exploiting a critical remote code execution vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC). The flaw was patched in a recent Patch Tuesday release, but unpatched systems remain at high risk as attackers have begun targeting exposed domain controllers in the wild.
The Netlogon protocol is a fundamental Windows authentication mechanism used across enterprise environments for domain authentication. A flaw enabling unauthenticated RCE in this protocol represents one of the most severe possible attack surfaces in a Windows domain environment — successful exploitation can lead to complete Active Directory domain compromise.
The Vulnerability
What Is the Windows Netlogon Protocol?
The Windows Netlogon Remote Protocol (MS-NRPC) is used by Windows systems to authenticate users and machines in Active Directory environments. Domain Controllers run the Netlogon service to handle authentication requests from client machines throughout the domain. Because of its central role in Windows authentication, it has historically been a high-value target for attackers — the infamous Zerologon vulnerability (CVE-2020-1472) exploited the same protocol to devastating effect.
The Flaw
The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on a targeted Windows Server hosting a domain controller role. By sending specially crafted Netlogon requests, attackers can bypass authentication requirements and gain SYSTEM-level privileges.
| Attribute | Details |
|---|---|
| Protocol | Windows Netlogon (MS-NRPC) |
| Attack Type | Remote Code Execution (RCE) |
| Authentication Required | None — pre-authentication attack |
| Severity | Critical |
| Primary Target | Domain Controllers |
| Patch Status | Available — apply immediately |
| Warning Source | CCB Belgium (National Authority) |
Active Exploitation Confirmed
The CCB confirmed on June 1, 2026 that exploitation is actively occurring in the wild. Belgium's national authority issued a formal security advisory urging all organizations to apply the available patch immediately.
This is particularly alarming because:
- Domain controllers are crown-jewel infrastructure — compromise leads to full domain takeover
- No credentials are required — any network-adjacent attacker can attempt exploitation
- Lateral movement is trivial after compromising a DC — all domain resources are exposed
- Ransomware deployment and data exfiltration become straightforward post-compromise
- Patch already exists — every unpatched system is an avoidable risk
Attack Chain
```text
Remote Attacker
      ↓
Port 445 / Netlogon RPC (reachable DC)
      ↓
Unauthenticated Exploit Request (no credentials needed)
      ↓
SYSTEM Privileges on Domain Controller
      ↓
Full Active Directory Domain Compromise
      ↓
Lateral Movement / Ransomware / Data Theft / Backdoor
```
Scope and Impact
All Windows Server versions running a domain controller role that have not applied the most recent Patch Tuesday security updates are vulnerable.
Particularly at risk:
- Small and medium businesses without dedicated patch management processes
- Organizations with legacy Windows Server versions
- Environments where domain controllers are reachable from broader network segments or the internet
- Organizations with extended patch deployment cycles
Domain controllers are the highest-value target because compromising even one provides attackers with administrative access across the entire Windows domain — every user, computer, and service under that domain's authority becomes accessible.
Immediate Action Required
For System Administrators
- Apply the patch immediately — Navigate to Windows Update on all Windows Server systems and install all pending security updates
- Prioritize domain controllers — These are the primary targets; patch them within 24 hours of this advisory
- Restrict Netlogon access as interim mitigation — If patching is delayed, apply network segmentation to limit access to the Netlogon service from untrusted network segments
- Review for compromise indicators — Audit domain controller event logs for unusual authentication attempts, unexpected service installations, or anomalous privileged account activity
- Verify patch application — Confirm the update is applied across all domain controllers via your patch management system
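The verification step above can be automated across a domain. The following is an added example (not code from the CCB advisory or from Microsoft) that queries every domain controller for the fix; the KB number is a placeholder, and it assumes the RSAT ActiveDirectory module plus WinRM access to each DC:

```powershell
# Added example, not from the advisory. Audits every DC in the current domain for the Netlogon fix.
# $KbId is a PLACEHOLDER: replace it with the KB ID Microsoft lists for this vulnerability.
param(
    [string]$KbId = 'KBXXXXXXX'   # PLACEHOLDER: the KB for the Netlogon fix
)
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc -ArgumentList $KbId -ErrorAction Stop -ScriptBlock {
            param($kb)
            $fix    = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
            $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
            [pscustomobject]@{
                DomainController     = $env:COMPUTERNAME
                NetlogonFixInstalled = [bool]$fix
                FixInstalledOn       = $fix.InstalledOn
                LatestUpdate         = $latest.HotFixID
                LatestUpdateOn       = $latest.InstalledOn
                NetlogonService      = (Get-Service -Name Netlogon).Status
                # Windows Update sets this key when an installed update still needs a reboot
                PendingReboot        = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
            }
        }
    } catch {
        # Unreachable DC: report it rather than silently treating it as patched
        [pscustomobject]@{ DomainController = $dc; NetlogonFixInstalled = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table DomainController, NetlogonFixInstalled, FixInstalledOn, LatestUpdate, LatestUpdateOn, NetlogonService, PendingReboot, Error -AutoSize

# Anything not explicitly confirmed as patched (including unreachable hosts) is flagged
$unpatched = $results | Where-Object { $_.NetlogonFixInstalled -ne $true }
if ($unpatched) {
    Write-Warning ("Domain controllers not confirmed patched with {0}: {1}" -f $KbId, ($unpatched.DomainController -join ', '))
} else {
    Write-Host "All $($dcs.Count) domain controllers report $KbId installed."
}
```

A DC that shows the fix installed but PendingReboot as True is not yet protected; schedule the reboot rather than treating it as done.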
Network-Level Mitigations
- Restrict port 445/TCP and Netlogon RPC ports at the perimeter firewall to trusted subnets only
- Enable Windows Firewall rules to block untrusted Netlogon traffic on domain controllers
- Deploy IDS/IPS signatures for this vulnerability if your security vendor has released them
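One way to apply the host-firewall mitigation above on a domain controller, as an added example that is not part of the advisory: it scopes the built-in inbound rules carrying SMB 445 and Netlogon RPC traffic to trusted subnets instead of allowing them from anywhere. The subnets are placeholders and must include every subnet holding domain members and other DCs; the rule display names are the Windows Server defaults and should be confirmed on your build before running it elevated on each DC.

```powershell
# Added example, not from the advisory. Interim mitigation until the patch is applied:
# restrict the inbound rules that carry Netlogon (SMB 445 for \PIPE\NETLOGON, the RPC
# endpoint mapper on 135 and the dynamic RPC ports) to trusted subnets only.
$TrustedSubnets = @('10.0.0.0/8', '192.168.10.0/24')   # PLACEHOLDER: client, DC and admin subnets

$ruleNames = @(
    'File and Printer Sharing (SMB-In)',
    'Active Directory Domain Controller (RPC)',
    'Active Directory Domain Controller (RPC-EPMAP)'
)

# Scoping an allow rule only helps if the profile blocks unsolicited inbound traffic by default
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object { Write-Warning "Profile '$($_.Name)' default inbound action is $($_.DefaultInboundAction), not Block" }

foreach ($name in $ruleNames) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "Rule '$name' not found on $env:COMPUTERNAME; list candidates with Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services'"
        continue
    }
    # Replace the default 'Any' remote address with the trusted list and make sure the rule is active
    $rules | Set-NetFirewallRule -RemoteAddress $TrustedSubnets -Enabled True
    Write-Host "Scoped '$name' to: $($TrustedSubnets -join ', ')"
}

# Verify the remote-address scope now attached to each rule
foreach ($name in $ruleNames) {
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter |
        Select-Object @{ n = 'Rule'; e = { $name } }, RemoteAddress
}
```

Test from a workstation in a trusted subnet (domain logon, GPO refresh) and from one outside it before rolling this out to all DCs, since a missing subnet in the list breaks authentication for the hosts on it.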
Detection Guidance
Organizations should monitor for:
- Unusual Netlogon authentication events in the Windows Security event log (anomalies in Event IDs 4776 and 4624)
- Unexpected processes or services created on domain controllers
- Privilege escalation alerts from EDR solutions on DC endpoints
- Outbound network connections from domain controllers to unknown external IPs
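The first three indicators above can be triaged directly from a domain controller's event logs. The following is an added example (not from the advisory) that looks back 24 hours for bursts of failed 4776 credential validations per source workstation, 4624 network logons from addresses outside trusted ranges, and new service installations (System Event ID 7045); the thresholds and address prefixes are placeholders, and it assumes it is run elevated on the DC:

```powershell
# Added example, not from the advisory. Triage of DC event-log indicators; all values are PLACEHOLDERS.
$Since            = (Get-Date).AddHours(-24)
$TrustedPrefixes  = @('10.', '192.168.10.')   # PLACEHOLDER: prefixes of your internal address ranges
$FailureThreshold = 20                         # PLACEHOLDER: 4776 failures from one source to flag
$AuditFailure     = [long]0x10000000000000     # Security log keyword for failed audits

function Get-EventData($Event) {
    # Map the <Data Name="..."> fields of the event's XML into a hashtable
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}
function Test-TrustedIp($Ip) {
    if (-not $Ip -or $Ip -in @('-', '127.0.0.1', '::1')) { return $true }   # local or not recorded
    foreach ($p in $TrustedPrefixes) { if ($Ip.StartsWith($p)) { return $true } }
    $false
}

# 1. Failed credential validations (4776, audit failure) grouped by source workstation
$bursts = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4776; Keywords=$AuditFailure; StartTime=$Since } -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-EventData $_)['Workstation'] } |
    Group-Object | Where-Object Count -ge $FailureThreshold | Sort-Object Count -Descending
if ($bursts) { Write-Warning '4776 failure bursts by source workstation'; $bursts | Format-Table Name, Count -AutoSize }

# 2. Network logons (logon type 3) from addresses outside the trusted prefixes
$odd = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Since } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_
        [pscustomobject]@{ Time=$_.TimeCreated; User=$d['TargetUserName']; Ip=$d['IpAddress']; LogonType=$d['LogonType'] } } |
    Where-Object { $_.LogonType -eq '3' -and -not (Test-TrustedIp $_.Ip) }
if ($odd) { Write-Warning 'Network logons from untrusted addresses'; $odd | Format-Table -AutoSize }

# 3. Services installed on the DC in the window (System 7045); each one should be explainable
$svc = Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$Since } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_
        [pscustomobject]@{ Time=$_.TimeCreated; Service=$d['ServiceName']; ImagePath=$d['ImagePath']; Account=$d['AccountName'] } }
if ($svc) { Write-Warning 'New services installed; confirm each is expected'; $svc | Format-Table -AutoSize }
```

Run it across all DCs with Invoke-Command and keep the output: a hit in section 3 on an unpatched DC is grounds to treat the host as compromised rather than simply patching it.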
Key Takeaways
- A critical Windows Netlogon RCE vulnerability is being actively exploited — patch all domain controllers immediately
- The attack requires no credentials — any attacker with network access to a domain controller can exploit unpatched systems
- Successful exploitation grants SYSTEM-level privileges on domain controllers, enabling full domain compromise
- The CCB (Belgium) issued a formal national-level warning as of June 1, 2026
- Microsoft has released a patch — apply it through Windows Update; there is no acceptable reason to remain unpatched on this critical vulnerability
Sources
- BleepingComputer — Critical Windows Netlogon Remote Code Execution Flaw Now Exploited in Attacks
- Centre for Cybersecurity Belgium (CCB) — National Security Advisory