Windows Netlogon Is Being Actively Exploited Right Now. Is Your Server Patched?

Two critical vulnerabilities are in active or near-active exploitation right now. One of them requires no credentials, no user interaction, and affects a component present on virtually every Windows Server environment running a domain. The other hands attackers full control of an ecommerce platform with a single unauthenticated request.

Neither of these is theoretical. Both have patches available. The question is whether yours have been applied.

CVE-2026-41089: The Windows Netlogon Flaw Being Exploited Right Now

On 12 May 2026, Microsoft released a patch for CVE-2026-41089, a critical remote code execution vulnerability in the Windows Netlogon component. Netlogon handles authentication between machines on a Windows domain. It is present on every Windows Server domain controller.

The attack vector is blunt. An attacker sends a specially crafted network request. No credentials required. No user interaction required. If the server is reachable and unpatched, the attacker executes arbitrary code on the domain controller.

ZDI researcher Dustin Childs was direct when this vulnerability was disclosed: “A compromised domain controller is a compromised domain.” That is not hyperbole. Domain controllers hold every user account, every group policy, every authentication token in your Windows environment. Compromise one and you have compromised everything it manages.

On 1 June 2026, the Belgian government’s cybersecurity authority confirmed active exploitation in the wild. That means real attackers, right now, are scanning for and attacking unpatched servers. Three weeks have elapsed since the patch became available.

For UK small businesses running Windows Server with a domain, this is the single highest-priority patching task in your environment today.

What ‘Domain Controller Compromise’ Actually Means for Your Business

A lot of security briefings use phrases like ‘remote code execution’ and ‘domain compromise’ without translating them into business terms. Let me do that.

If an attacker gains remote code execution on your domain controller, they can: create new administrator accounts silently, extract every password hash in your Active Directory, deploy ransomware across every machine in your domain simultaneously, and exfiltrate data from any connected file server or workstation.

This is not a ‘we need to monitor the situation’ scenario. This is a ‘the building is on fire and we need to check the sprinklers worked’ scenario.

The patch exists. It has existed for three weeks. The only question is whether your IT support applied it.

CVE-2026-45247: Magento Cache Plugin Remote Code Execution With Zero Authentication

The second story today is specifically relevant to any UK small business running an ecommerce site on Magento, a widely used open-source platform popular with independent retailers.

A critical vulnerability has been disclosed in a widely used Magento caching plugin. The flaw allows an attacker to execute arbitrary code on the server with no login, no configuration changes, and no admin access required. The attack requires only that the plugin is installed and the site is reachable.

Magento stores are a consistent target for criminal groups because the payoff is direct: customer payment data, personal data, and in some cases stored card details. A successful exploitation of this flaw gives an attacker full server access, meaning they can install skimmers, exfiltrate databases, or deploy ransomware.

If your business runs Magento, two actions matter right now: identify which caching plugin you are using, and check whether an update is available. Your web developer or hosting provider should be able to confirm this within the hour.

Why Patching Is a Business Decision, Not an IT Task

The consistent pattern across both of these vulnerabilities is the same pattern that appears in almost every significant breach affecting small businesses: a patch was available, and it was not applied.

The reasons are usually mundane. The IT support contract doesn’t include proactive patching. The MSP applies patches on a quarterly schedule. The business owner assumed someone else was handling it. The server ‘seemed fine’ so nobody checked.

None of those reasons hold up when the domain controller is encrypted and the customer database is on a criminal forum.

Patching is not an optional extra. It is the single most effective control you can apply to reduce your risk of a significant breach. The NCSC’s own guidance places patch management as a core requirement under Cyber Essentials, the baseline certification for UK businesses. It is there because unpatched systems are the most common initial access vector in ransomware incidents affecting small businesses.

How to Turn This Into a Competitive Advantage

Businesses that maintain a demonstrable patching discipline have a concrete differentiator in procurement conversations. An increasing number of larger clients and public sector buyers require evidence of patch management as part of supplier due diligence.

Being able to show a patch log, a defined patching schedule, and Cyber Essentials certification signals something specific to a prospective client: that your business takes the security of shared data seriously, and that you have processes in place to maintain it.

The businesses that cannot show this are increasingly being excluded from tender processes. The ones that can are winning contracts that their less-prepared competitors are losing.

Making the Business Case to Your Board

If you need to push for investment in patch management or a better MSP contract, these are the arguments that land:

The threat is confirmed and active. CVE-2026-41089 is not a theoretical risk. Belgian government authorities confirmed active exploitation on 1 June 2026. This is happening to businesses like yours right now.

The cost of patching is trivial compared to the cost of recovery. A ransomware incident affecting a small business typically costs between £10,000 and £100,000 when you account for downtime, recovery, regulatory notification, and reputational damage. A patching review costs an afternoon of IT support time.

Cyber Essentials requires it. If your business holds or processes client data, Cyber Essentials certification is increasingly expected by clients and insurers. Patch management is a core requirement. Being unpatched is a certification failure and a liability.

What to Do Before the End of the Day

  1. Ask your IT support or MSP to confirm CVE-2026-41089 is patched on all Windows Server instances. Request written confirmation and the date it was applied. If they cannot provide this within 24 hours, that tells you something important about your support arrangement.

  2. Check whether your domain controllers are internet-accessible. They should not be reachable directly from the public internet. If they are, that is a separate, urgent problem that needs fixing regardless of this specific vulnerability.

  3. If you run a Magento ecommerce site, contact your web developer or hosting provider today. Ask them to identify the caching plugin in use, confirm whether it is affected by CVE-2026-45247, and apply any available update.

  4. Review your MSP contract for patching commitments. If your contract does not specify patching frequency and scope, you do not have a patching commitment. You have a hope. The NCSC recommends critical patches be applied within 14 days of release. Check whether your contract reflects that standard.

  5. Check your cyber insurance policy. Many policies now require evidence of a patch management process. An unpatched system at the time of a breach can void a claim. Read the conditions before you need to rely on them.
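Steps 1 and 2 above are questions you put to your IT support, but the evidence behind the answers can be gathered in a few lines. The following PowerShell script is an added example and is not code from the article, from Microsoft or from the NCSC. It assumes it is run in an elevated session on each Windows Server domain controller with the built-in NetTCPIP cmdlets available. The `$KbId` value is a placeholder: the article does not state the KB number for the CVE-2026-41089 update, so take it from the MSRC advisory listed in the sources before running this.

```powershell
# Added example: collect evidence for checklist steps 1 and 2 on a domain controller.
# $KbId is a PLACEHOLDER; replace it with the KB number from the MSRC advisory for CVE-2026-41089.
param(
    [string]$KbId = 'KBXXXXXXX'
)

# --- Step 1: is the update installed, and when? ---
$hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KbId }
if ($hotfix) {
    Write-Output "[OK] $KbId is installed on $env:COMPUTERNAME (installed $($hotfix.InstalledOn))"
} else {
    Write-Output "[ACTION] $KbId is NOT installed on $env:COMPUTERNAME - patch now"
}

# Record build and last boot so the written confirmation has evidence attached;
# a patch that needs a reboot is not protecting anything until the reboot happens.
$os = Get-CimInstance Win32_OperatingSystem
Write-Output "Build: $($os.Caption) $($os.Version); last boot $($os.LastBootUpTime)"

# --- Step 2: does this DC have a public address bound to it? ---
# RFC 1918 ranges plus loopback and link-local count as private; anything else is treated as public.
function Test-PrivateIPv4 {
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 127) -or
           ($o[0] -eq 169 -and $o[1] -eq 254)
}

$publicV4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) }
# Global unicast IPv6 is 2000::/3, i.e. the address starts with a 2 or a 3.
$publicV6 = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -match '^[23]' }

if ($publicV4 -or $publicV6) {
    $addrs = @($publicV4.IPAddress) + @($publicV6.IPAddress) | Where-Object { $_ }
    Write-Output "[ACTION] Public address bound directly on this DC: $($addrs -join ', ')"
} else {
    Write-Output "[OK] No public address bound on this DC (NAT or port-forward rules at the firewall still need checking)"
}

# Netlogon is reached over RPC (endpoint mapper on TCP 135 plus a dynamic port) and over
# the SMB named pipe on TCP 445. List those listeners so the firewall rules can be checked against them.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 135, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

Run it under `Start-Transcript` so the output becomes the written confirmation step 1 asks for. The address check only shows what is bound on the server itself; a domain controller behind a firewall with a port-forward for 135 or 445 is still internet-reachable, so the firewall rules for those ports must be reviewed separately.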

Sources

  • Security.NL: Belgian government warns of active exploitation of critical Windows flaw (CVE-2026-41089)
  • Microsoft Security Response Center: CVE-2026-41089 Windows Netlogon Remote Code Execution Vulnerability
  • Cyber Security News: Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks
  • The Hacker News: Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
  • NCSC: Cyber Essentials: Overview and Requirements
  • NCSC: Vulnerability Management and Patch Management Guidance

Filed under

  • smb-security
  • uk-business
  • ransomware-groups
  • remote-access
  • business-risk
  • incident-response
  • infrastructure-security