
Windows domain controllers under active attack, is yours patched?

A critical Windows flaw is being actively exploited right now. The patch has been available for three weeks. Here’s what it means for your business and what.

By The Dragon Digital team


If your business runs a Windows Server domain (common in law firms, accountancy practices, and any firm with a shared network of computers), there’s something you need to check this week. Attackers are actively exploiting a critical flaw in Windows domain controllers, and the fix has been available for three weeks.

The flaw is CVE-2026-41089, sitting in Netlogon, the Windows service that handles logins across your entire network. Belgium’s national cybersecurity authority confirmed active exploitation on 1 June 2026. Microsoft released the patch on 12 May. Real attackers are scanning for unpatched servers right now.

What a compromised domain controller actually means

This isn’t a background risk to keep an eye on. A domain controller is the master key to your entire Windows network. If it gets compromised, attackers can:

  • Create hidden administrator accounts no one knows about
  • Pull every password from your system
  • Push ransomware to every machine at once
  • Reach every file server and shared folder on the network

For a 30-person firm in Mold or Ruthin, that’s the difference between a normal Tuesday and a multi-week recovery nightmare. Ransomware recovery for a business of that size typically runs into tens of thousands of pounds once you factor in downtime, restoration work, and notifications.

The patch exists, the question is whether it was applied

Microsoft released the fix on 12 May 2026. It’s been sitting there for three weeks. The gap between a patch being released and it actually landing on your servers is exactly where attackers operate. The NCSC is consistent on this: most successful breaches exploit vulnerabilities that already had a fix available.

Some IT support contracts include regular patching; some don’t, or patch only on a loose schedule. If you’re not sure which applies to you, that uncertainty is worth resolving.

Cyber Essentials and insurance implications

Cyber Essentials, the government-backed certification that many contracts and insurers now ask for, requires critical patches to be applied within 14 days of release. CVE-2026-41089 has a severity score of 9.8 out of 10. If it’s been three weeks and your server hasn’t been updated, you’re outside that window.

That matters beyond certification. A growing number of cyber-insurance policies include clauses that allow insurers to reject claims if a breach happened on an unpatched system where a fix was available. Being unpatched isn’t just a security gap; it’s a contractual one.

For more on how patching ties into Cyber Essentials, our article on patch management and compliance covers the same principle across other recent critical flaws.

What to do today

Ask whoever manages your servers for written confirmation that CVE-2026-41089 has been patched on all Windows Server instances, including the date it was applied. If they can’t confirm that within 24 hours, that tells you something useful about how your systems are being looked after.

Also check your IT support contract. If it doesn’t specify patching timelines, particularly for critical patches, you don’t have a patching commitment. You have a hope.
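If you want to verify the written confirmation yourself rather than take it on trust, the check below is an added example (it is not Dragon Digital’s own tooling) that asks every Windows Server in the domain which updates it has installed, flags the domain controllers, and compares the install date against the 14-day Cyber Essentials window from the 12 May 2026 release date. It assumes the ActiveDirectory RSAT module is present, that the account running it has admin rights on each server, and that `$PatchKb` is replaced with the real KB article number for the CVE-2026-41089 update, which this article does not state.

```powershell
# Added example, not Dragon Digital's own tooling. Assumes the ActiveDirectory
# RSAT module is installed and that $PatchKb is replaced with the real KB number
# for the CVE-2026-41089 update; the article does not give that number.
Import-Module ActiveDirectory

$PatchKb     = 'KB0000000'                # PLACEHOLDER: replace with the actual KB id
$ReleaseDate = [datetime]'2026-05-12'     # Patch release date given in the article
$CeDeadline  = $ReleaseDate.AddDays(14)   # Cyber Essentials: critical patches within 14 days

# Domain controllers are the servers the Netlogon flaw actually affects; flag them separately.
$dcNames = (Get-ADDomainController -Filter *).HostName

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' `
                          -Properties OperatingSystem, DNSHostName

$report = foreach ($s in $servers) {
    $row = [ordered]@{
        Server             = $s.DNSHostName
        IsDomainController = $dcNames -contains $s.DNSHostName
        Reachable          = $false
        Patched            = $false
        InstalledOn        = $null
        WithinCe14Days     = $false
    }
    try {
        # Get-HotFix reads Win32_QuickFixEngineering over RPC/DCOM, so the account
        # running this needs local administrator rights on each server it queries.
        $fix = Get-HotFix -ComputerName $s.DNSHostName -ErrorAction Stop |
               Where-Object HotFixID -eq $PatchKb
        $row.Reachable = $true
        if ($fix) {
            $row.Patched        = $true
            $row.InstalledOn    = $fix.InstalledOn
            $row.WithinCe14Days = $fix.InstalledOn -le $CeDeadline
        }
    } catch {
        Write-Warning "Could not query $($s.DNSHostName): $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$report | Sort-Object IsDomainController -Descending | Format-Table -AutoSize

# Keep a dated copy as the written record the article recommends asking for.
$report | Export-Csv -Path ".\CVE-2026-41089-patch-status-$(Get-Date -Format yyyyMMdd).csv" `
                     -NoTypeInformation

$exposed = $report | Where-Object { $_.IsDomainController -and -not $_.Patched }
if ($exposed) {
    Write-Warning "$($exposed.Count) domain controller(s) do not report $PatchKb installed."
}
```

Two caveats when reading the output. Windows monthly cumulative updates supersede earlier ones, so a server patched with a later cumulative update may not list the original KB number at all; treat a missing id on a reachable server as a prompt to check its update history, not as proof it is exposed. And a server that is unreachable from this script is not necessarily unpatched, but it is a server nobody can currently verify, which is its own finding.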

One afternoon of checking is trivial compared to what an unpatched server can cost. Dragon Digital handles patch audits and ongoing patch management for businesses across North Wales. If you’re not certain your domain controllers are covered, it’s worth a quick conversation to find out.

Could your business use a hand with its IT?

We provide managed IT support, cyber security and more to businesses across North Wales.

Ready to make IT one less thing to worry about?

Book a free, no-obligation consultation. We'll talk through how your IT works today and where we can help, in plain English, with no pressure.