The Centre for Cybersecurity Belgium (CCB) has warned that attackers are now actively exploiting a critical Windows Netlogon remote code execution (RCE) flaw. The vulnerability, which was recently patched by Microsoft, allows unauthenticated attackers to compromise domain controllers over the network.
This flaw carries a CVSS score of 9.8, placing it in the critical severity range. The CCB's alert on Friday indicates that exploitation is already underway, though the full scope of affected systems remains unclear. Security experts urge organizations to prioritize patching, as Netlogon is a core authentication protocol used across Windows domains.
Technical details indicate that the attack vector involves a spoofed authentication request to a domain controller. By exploiting a flaw in the Netlogon Remote Protocol (NRPC), an attacker can bypass security features and gain elevated access. Indicators of compromise include unusual Netlogon traffic and authentication logs showing failed validation attempts.
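As an added defender-side illustration (not code from the CCB alert or from Microsoft), the following Python flags computers that repeatedly fail Netlogon session setup against a domain controller, the kind of failed-validation pattern the alert lists as an indicator. The log lines are constructed, simplified exports, and the event IDs 5805 and 5723 are assumptions about which Netlogon System-log events denote a failed session setup, not values the alert states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified export of a domain controller's System log:
# "<ISO timestamp> <event id> <message>". Not real data.
SAMPLE_EVENTS = [
    "2024-05-10T09:00:01 5805 The session setup from the computer WS-FINANCE failed to authenticate. Access is denied.",
    "2024-05-10T09:00:03 5805 The session setup from the computer WS-FINANCE failed to authenticate. Access is denied.",
    "2024-05-10T09:00:04 7036 The Netlogon service entered the running state.",
    "2024-05-10T09:00:09 5805 The session setup from the computer WS-FINANCE failed to authenticate. Access is denied.",
    "2024-05-10T09:01:30 5805 The session setup from the computer WS-FINANCE failed to authenticate. Access is denied.",
    "2024-05-10T09:05:00 5805 The session setup from the computer LAPTOP-07 failed to authenticate. Access is denied.",
    "2024-05-10T10:30:00 5805 The session setup from the computer LAPTOP-07 failed to authenticate. Access is denied.",
]

# Assumption: these Netlogon event IDs mark a failed secure-channel session setup.
FAILED_SETUP_IDS = {5805, 5723}
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<msg>.*)$")
COMPUTER_RE = re.compile(r"from the computer (\S+) failed")

def failed_netlogon_setups(lines):
    """Return (timestamp, computer) for every failed Netlogon session setup."""
    failures = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or int(m["eid"]) not in FAILED_SETUP_IDS:
            continue  # malformed line or unrelated event
        name = COMPUTER_RE.search(m["msg"])
        failures.append((datetime.fromisoformat(m["ts"]), name.group(1) if name else "unknown"))
    return failures

def burst_sources(failures, threshold=3, window=timedelta(minutes=5)):
    """Map each computer to its peak failure count inside any sliding `window`,
    keeping only computers that reach `threshold`; a lone stale failure is noise."""
    by_source = defaultdict(list)
    for ts, source in failures:
        by_source[source].append(ts)
    flagged = {}
    for source, times in by_source.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1  # slide the window start forward past old failures
            if hi - lo + 1 >= threshold:
                flagged[source] = max(flagged.get(source, 0), hi - lo + 1)
    return flagged
```

On the constructed sample, `burst_sources(failed_netlogon_setups(SAMPLE_EVENTS))` flags only WS-FINANCE (four failures inside two minutes) and ignores LAPTOP-07's two isolated failures and the unrelated service event.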
Microsoft has released a patch as part of its regular update cycle, and no workaround is currently available beyond applying the fix. Organizations that have not yet deployed the update should treat this as an emergency, given the protocol's widespread use in enterprise networks.
The CCB has not attributed the attacks to a specific threat actor, but the active exploitation underscores the persistent risk of delayed patching, particularly for critical infrastructure. This incident mirrors previous campaigns targeting authentication flaws in Netlogon, which have been leveraged in ransomware and espionage operations.