Belgium’s national cybersecurity authority, the Centre for Cybersecurity Belgium (CCB), has warned that cybercriminals are actively exploiting a recently patched vulnerability in the Windows Netlogon service.
The flaw, tracked as CVE-2026-41089, was fixed by Microsoft during its May 2026 Patch Tuesday release. It affects all supported versions of Windows Server, including Windows Server 2025.
The vulnerability is a stack-based buffer overflow in the Windows Netlogon service. A successful attack could allow remote code execution on a vulnerable domain controller without the attacker holding any prior privileges on it. Following reports of active exploitation, the CCB urged organizations to install the available security updates immediately.
Microsoft has not yet updated its security advisory to indicate the flaw is being actively exploited.
In a separate campaign, a threat actor was observed using an agent powered by a large language model (LLM) to automate post-compromise activity after exploiting a vulnerable, internet-exposed Marimo notebook. The attack began with exploitation of the recently disclosed Marimo vulnerability (CVE-2026-39987) to gain initial access to the target system.
The attacker then extracted two sets of cloud credentials from the compromised host and used them to access AWS Secrets Manager, retrieving an SSH private key. To avoid detection, the attacker replayed the credentials through distributed egress infrastructure, so that the API calls did not all originate from a single source address. The stolen key was then used to establish eight brief SSH connections to a downstream bastion server.
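The Secrets Manager step described above leaves a recognisable trail in CloudTrail: one access key calling `GetSecretValue` from several unrelated source addresses within a short window. The following detection sketch is an added example written for this page; it is not code from the article or from any team that reported the campaign. The CloudTrail records it parses are constructed for illustration (field names follow CloudTrail's published event schema, but the access key IDs, IP addresses, secret name and timestamps are invented), and the thresholds (three distinct IPs in fifteen minutes) are assumptions to tune against your own baseline.

```python
"""Flag AWS access keys whose CloudTrail activity fans out across many egress IPs.

Added example: constructed CloudTrail-style records, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: key ...000001 pulls one secret from four IPs within ten
# minutes (and made an unrelated call hours earlier); key ...000002 is benign.
SAMPLE_EVENTS_JSON = json.dumps({"Records": [
    {"eventTime": "2026-05-20T07:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2026-05-20T10:01:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
    {"eventTime": "2026-05-20T10:03:30Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
    {"eventTime": "2026-05-20T10:06:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "192.0.2.99",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
    {"eventTime": "2026-05-20T10:09:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.250",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
    {"eventTime": "2026-05-20T10:02:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2026-05-20T10:04:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
]})


def parse_events(raw_json):
    """Turn a CloudTrail log file body into flat dicts with a parsed timestamp."""
    events = []
    for rec in json.loads(raw_json)["Records"]:
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "key": rec.get("userIdentity", {}).get("accessKeyId", ""),
            "ip": rec.get("sourceIPAddress", ""),
            "name": rec.get("eventName", ""),
            "source": rec.get("eventSource", ""),
            "secret": rec.get("requestParameters", {}).get("secretId"),
        })
    return events


def flag_distributed_key_use(events, min_ips=3, window=timedelta(minutes=15)):
    """Return {accessKeyId: sorted IPs} for keys seen from >= min_ips distinct
    source addresses inside any sliding window of length `window`.

    Only IPs from windows that actually trip the threshold are reported, so a
    lone call hours earlier from a fifth address does not pad the finding.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["key"]:
            by_key[ev["key"]].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            ips = {e["ip"] for e in evs[start:end + 1]}
            if len(ips) >= min_ips:
                findings.setdefault(key, set()).update(ips)
    return {k: sorted(v) for k, v in findings.items()}


def secrets_retrieved(events, keys):
    """For each flagged key, list the distinct secrets it read via GetSecretValue."""
    out = defaultdict(set)
    for ev in events:
        if ev["key"] in keys and ev["source"] == "secretsmanager.amazonaws.com" \
                and ev["name"] == "GetSecretValue" and ev["secret"]:
            out[ev["key"]].add(ev["secret"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_JSON)
    flagged = flag_distributed_key_use(evs)
    for key, ips in flagged.items():
        print(f"{key}: {len(ips)} egress IPs {ips}; secrets read: "
              f"{secrets_retrieved(evs, flagged).get(key, [])}")
```

The sliding window matters: an attacker rotating through egress nodes produces a burst of distinct addresses in minutes, while a legitimate key that roams between office and VPN addresses over a day does not. Pair a hit with the `secretId` list to decide what to rotate first; in the campaign above that would have been the bastion's SSH key.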