Critical Windows Netlogon RCE Is Now Being Actively Exploited
Belgium's Centre for Cybersecurity (CCB) issued an emergency warning Friday: threat actors are actively exploiting a recently patched critical remote code execution vulnerability in Windows Netlogon. This has moved from "schedule the patch" to "drop everything" territory.
What Happened
Netlogon — the Windows service that handles authentication between domain-joined clients and domain controllers — contains a critical RCE flaw patched by Microsoft in a recent Patch Tuesday cycle. The CCB confirmed Friday that exploitation is no longer theoretical: attackers are hitting unpatched systems in the wild right now.
Why This Matters
Netlogon sits at the center of every Windows Active Directory environment. It is the protocol domain controllers use to establish secure channels with workstations and member servers. An RCE here means anyone who can reach a DC's Netlogon interface — typically any machine on the LAN, or anything that has already pivoted inside the perimeter — can potentially execute arbitrary code on the domain controller itself.
DC compromise is organizational game over. From a domain controller an attacker can DCSync every credential in the forest, create persistent backdoor accounts, push malware to every domain-joined machine via Group Policy, and move laterally without friction. Ransomware operators target this exact vector. The CCB warning means opportunistic actors are already scanning for unpatched systems — your window between "unpatched" and "compromised" is shrinking by the hour.
What to Do
1. Patch DCs first, right now. Apply Microsoft's security update to all domain controllers before anything else. Check Windows Update or your patch management console; if it has not been deployed, that is your only task until it is.
2. Confirm installation on each DC manually. Do not assume automation ran successfully. On each domain controller run:
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
Cross-reference the KB number from the CCB advisory to confirm the right update is present.
3. Hunt for indicators of compromise. Review Windows Security event logs on DCs for anomalous Netlogon activity, unexpected privileged account creation, and lateral movement signals. Event IDs 4769 (Kerberos TGS requests from unusual sources), 4672 (special privileges assigned at logon), and 4625 (failed logons) are the first places to look.
4. Reduce Netlogon exposure at the firewall. If domain controllers are reachable from network segments that have no legitimate need to talk to them — guest Wi-Fi, DMZs, cloud egress IPs — block TCP/UDP 445 and TCP 135/49152+ from those segments to your DCs. This does not substitute for patching but it cuts attack surface while you work.
5. Then patch member servers and workstations. The DC is the crown jewel, but the flaw likely affects the broader Netlogon stack. After DCs are confirmed patched, roll the update to the rest of the fleet on an accelerated schedule — not next month's window.
Treat this as P0. Active exploitation means the threat is not hypothetical.
Synthesized by Claude · sanity-checked before publish.