Cyber Threat Brief — June 1 2026
⚠️ This report is AI-generated. Always validate findings.
1. Windows Netlogon 0-Click RCE on Domain Controllers — CVE-2026-41089
TL;DR: Stack-based buffer overflow in Windows Netlogon DC locator ping handler allows unauthenticated remote SYSTEM-level RCE on domain controllers via a single crafted CLDAP packet to UDP/389. Actively exploited ITW after premature leak on Chinese-language forum forced early disclosure.
What’s New:
- CVSS 9.8 stack overflow in BuildSamLogonResponse: NetpLogonPutUnicodeString copies attacker-supplied strings into a fixed-size stack buffer without bounds checking
- Exploitation confirmed ITW; Chinese-language forum leak forced Microsoft to accelerate disclosure ahead of the planned June Patch Tuesday
- Single CLDAP packet to UDP/389 crashes lsass.exe → DC reboot, or achieves code execution as SYSTEM
- Patched May 13 (KB5050009 era updates); 0patch released micropatches for EOL Server 2012/2012 R2
- No CISA KEV listing yet, but active exploitation confirmed by multiple sources
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| CLDAP to UDP/389 with oversized User attribute | Exploit traffic | T1210 | IDS/Suricata | Alert |
| CLDAP with NtVer=2 (non-EX path) + large User | Exploit traffic | T1210 | IDS/Suricata | Alert |
| lsass.exe crash (Event ID 1000) on DC | Post-exploit | T1210 | Windows Event Log | Hunt |
| lsass.exe spawning cmd.exe/powershell.exe | Post-exploit | T1059 | Sysmon EID 1 | Hunt |
| Outbound connections from lsass.exe to non-domain hosts | Post-exploit | T1071 | Sysmon EID 3 | Hunt |
| Netlogon service restart (Event ID 7031/7036) | Exploit indicator | T1210 | System Event Log | Alert |
| Anomalous admin account creation post-Netlogon event | Post-exploit | T1136.001 | Security EID 4720 | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need CLDAP oversized attribute detection; lsass.exe suspicious child process rule exists but not tuned for Netlogon exploitation path |
| Elastic | None specific | Suspicious LSASS child process rule (partial); no CLDAP protocol inspection |
| Sigma | None specific | Need proc_creation_win_lsass_susp_child.yml tuning for Netlogon context; Suricata rules available for network layer |
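The hunt rows in the two tables above, turned into a small correlation routine over constructed sample events. This is an added example, not code from any of the cited sources; the host names, the domain address ranges and the one-hour correlation window are assumptions.

```python
import ipaddress
import ntpath

# Assumed domain address space for the sample; adjust to the real environment.
DOMAIN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

# Constructed sample events (not real telemetry), normalised to the few fields
# the hunt rows need. ts = epoch seconds, dc = host is a domain controller.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "dc01", "dc": True, "source": "System", "eid": 7031, "service": "Netlogon"},
    {"ts": 1005, "host": "dc01", "dc": True, "source": "Application", "eid": 1000, "app": "lsass.exe"},
    {"ts": 1010, "host": "dc01", "dc": True, "source": "Sysmon", "eid": 1,
     "parent": r"C:\Windows\System32\lsass.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": 1020, "host": "dc01", "dc": True, "source": "Sysmon", "eid": 3,
     "image": r"C:\Windows\System32\lsass.exe", "dest_ip": "203.0.113.7"},
    {"ts": 1500, "host": "dc01", "dc": True, "source": "Security", "eid": 4720, "target_user": "svc_backup2"},
    {"ts": 2000, "host": "ws05", "dc": False, "source": "Sysmon", "eid": 1,
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

def base(path):
    """Lower-cased file name of a Windows path (lsass.exe, cmd.exe, ...)."""
    return ntpath.basename(path).lower()

def in_domain(ip):
    """True when the destination falls inside the assumed domain ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DOMAIN_NETS)

def hunt(events, window=3600):
    """Return (host, rule, ts) findings for the Netlogon post-exploit hunts."""
    findings = []
    netlogon_ts = {}  # host -> first Netlogon restart / lsass crash, for the 4720 correlation
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src, eid, host = e["source"], e["eid"], e["host"]
        if e["dc"] and src == "System" and eid in (7031, 7036) and e.get("service") == "Netlogon":
            findings.append((host, "netlogon_restart", e["ts"]))
            netlogon_ts.setdefault(host, e["ts"])
        elif e["dc"] and src == "Application" and eid == 1000 and e.get("app", "").lower() == "lsass.exe":
            findings.append((host, "lsass_crash", e["ts"]))
            netlogon_ts.setdefault(host, e["ts"])
        elif src == "Sysmon" and eid == 1 and base(e["parent"]) == "lsass.exe" and base(e["image"]) in SUSPICIOUS_CHILDREN:
            findings.append((host, "lsass_child_process", e["ts"]))
        elif src == "Sysmon" and eid == 3 and base(e["image"]) == "lsass.exe" and not in_domain(e["dest_ip"]):
            findings.append((host, "lsass_outbound", e["ts"]))
        elif src == "Security" and eid == 4720 and host in netlogon_ts and e["ts"] - netlogon_ts[host] <= window:
            findings.append((host, "account_created_after_netlogon_event", e["ts"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```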
Sources: CybersecurityNews · Aretiq AI Research · Fyntralink · Action1
Status Updates
- CVE-2026-0257 (PAN-OS GlobalProtect): CISA KEV deadline TODAY June 1. Rapid7 confirmed two exploitation waves (May 17 Vultr, May 21 Dromatics Systems) using forged override cookies targeting local admin with spoofed MAC aa:bb:cc:dd:ee:ff. Wave 2 achieved full VPN IP assignment to internal networks. Patch to PAN-OS 10.2.10/11.0.5/11.1.3 or disable auth override cookies immediately. Original brief.
- CVE-2026-41091/CVE-2026-45498 (Defender RedSun/UnDefend): CISA KEV deadline June 3 (2 days). Verify Malware Protection Engine ≥ 1.1.26040.8 and Platform ≥ 4.18.26040.7 across all Windows endpoints. Original brief.
- CVE-2026-42945 (NGINX Rift): Exploited ITW since May 16. Chains with Copy Fail/Dirty Frag for internet-to-root on Linux. Patch to nginx 1.30.1/1.31.0. 5.7M exposed instances. Original brief.