A critical Windows Netlogon RCE is now being exploited in the wild, a two-year-old Oracle WebLogic flaw has moved from “deferred patch” to “active campaign target,” and 32 npm packages under a Red Hat namespace were poisoned with credential-stealing code. Monday morning starts with domain controllers, middleware servers, and developer workstations all demanding attention.

In the News

Windows Netlogon RCE CVE-2026-41089 Exploited in the Wild

Belgium’s Centre for Cybersecurity (CCB) issued an alert on Friday confirming active exploitation of CVE-2026-41089, a critical remote code execution vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC). The flaw allows an unauthenticated attacker to execute arbitrary code on domain controllers by sending crafted Netlogon requests over the network.

The attack surface here is significant. Netlogon is fundamental to Active Directory authentication and domain trust — every domain controller runs it, and in many environments, the service is reachable from user VLANs or even flat networks with no segmentation between endpoints and management-plane infrastructure. A successful exploit does not compromise a single host; it compromises the identity authority for the entire domain.

This is the same protocol class that gave us Zerologon (CVE-2020-1472) in 2020. The operational pattern is familiar: Netlogon flaw disclosed, patch released, exploitation begins before most organizations complete their domain controller patch cycle. The difference this time is that post-Zerologon hardening, particularly the enforcement of secure RPC for Netlogon, should limit exposure for organizations that completed that rollout. Enforcement mode has been the default on patched domain controllers since the February 2021 updates, so the population still exposed on that front is the one carving out exceptions through the "Domain controller: Allow vulnerable Netlogon secure channel connections" policy. Those organizations are doubly exposed.

What defenders should do: Patch domain controllers immediately. As a compensating control, restrict inbound Netlogon traffic to domain controllers from authorized hosts and subnets using firewall rules or segmentation policy. Netlogon is reached two ways: over RPC (TCP 135 for the endpoint mapper plus the dynamic RPC range, 49152-65535 on current Windows) and over the \PIPE\NETLOGON named pipe on SMB (TCP 445). Monitor the System log on domain controllers for NETLOGON-source events 5805, 5723 and 5722, which record Netlogon session setup failures and may signal exploitation attempts. These events carry the calling computer name in the message text rather than an IP address, and a burst from a single name in a short window is what to look for; stale or rejoined machine accounts produce a steady trickle of 5723s in most environments, so baseline before alerting.

Oracle WebLogic CVE-2024-21182 Under Active Exploitation

CVE-2024-21182, an unauthenticated remote code execution vulnerability in Oracle WebLogic Server, is now being actively exploited. Oracle patched this flaw in a 2024 Critical Patch Update (CPU), but the gap between patch availability and patch application is where attackers operate, and this CVE has been sitting in that gap for roughly 18 months.

The vulnerability is reachable over the T3 and IIOP protocols without authentication, making any internet-facing WebLogic instance a target. WebLogic remains widely deployed in enterprise environments for Java EE applications, particularly in financial services, healthcare, and government verticals where legacy middleware persists. The exploitation vector — deserialization of untrusted data — is a well-understood attack class for WebLogic, with multiple prior CVEs following the same pattern.

What defenders should do: Apply the Oracle CPU patch. If patching is delayed, cut off T3 and IIOP from untrusted networks. Note that WebLogic multiplexes HTTP, T3 and IIOP on the same listen port (7001 by default), so a port-level firewall rule that keeps the web interface reachable keeps T3 reachable too. Use a WebLogic connection filter instead (weblogic.security.net.ConnectionFilterImpl, with allow rules for known clients followed by a catch-all such as 0.0.0.0/0 * * deny t3 t3s iiop iiops), or front the server with a reverse proxy that forwards only HTTP. Run an exposure scan for internet-facing WebLogic instances; many organizations lose track of these as application ownership shifts between teams.
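The exposure scan above can be done with the T3 handshake itself rather than by port number, because a listener that multiplexes T3 answers the client hello with a HELO banner while an HTTP-only listener or a connection-filtered port does not. The following is an added example written for this brief, not Oracle tooling and not code from the original page; the host names, port 7001 and the banner bytes in the test are constructed, and the probe is injectable so the reporting logic runs offline.

```python
import re
import socket

# Client side of the WebLogic T3 handshake. A listener that multiplexes T3
# replies with a text banner starting "HELO:<version>.<ssl-required>".
# Hosts with T3 denied by a connection filter, or HTTP-only listeners,
# answer with something else (or nothing).
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Expected banner shape, e.g. b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\n\n"
_HELO_RE = re.compile(rb"^HELO:(?P<version>\d+(?:\.\d+)*)\.(?P<ssl>true|false)")


def parse_t3_banner(data: bytes):
    """Return (server_version, ssl_required) from a T3 HELO banner, or None
    when the bytes are not a T3 banner (HTTP error page, empty read, ...)."""
    m = _HELO_RE.match(data)
    if not m:
        return None
    return m.group("version").decode(), m.group("ssl") == b"true"


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0):
    """Connect, send the T3 hello and parse the reply. Returns the parsed
    banner, or None when T3 is closed, filtered or the target is not
    WebLogic. Socket errors count as 'not exposed' for scan purposes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_HELLO)
            reply = sock.recv(1024)
    except OSError:
        return None
    return parse_t3_banner(reply)


def scan_t3_exposure(targets, probe=probe_t3):
    """Probe each (host, port) and return only the targets that spoke T3,
    mapped to their (version, ssl_required) banner. `probe` is a parameter
    so the function can be exercised without a network (see the test)."""
    exposed = {}
    for host, port in targets:
        banner = probe(host, port)
        if banner is not None:
            exposed[(host, port)] = banner
    return exposed


if __name__ == "__main__":
    import sys
    # Usage: python t3probe.py wl1.example.internal:7001 wl2.example.internal
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        print(target, probe_t3(host, int(port or 7001)))
```

A HELO answer proves only that T3 is reachable; it does not tell you whether CVE-2024-21182 is fixed, because Oracle's CPU patches do not change the 12.2.1.4.0 or 14.1.1.0.0 version string. Use the scan to find exposed listeners, then confirm patch level from the server's patch inventory (OPatch) rather than from the banner.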

32 Red Hat npm Packages Compromised in Miasma Supply Chain Attack

A supply chain attack dubbed “Miasma” compromised 32 packages under the @redhat-cloud-services npm namespace, publishing 96 malicious versions that inject credential-harvesting code during installation. The payload targets developer workstations and CI/CD pipeline environments, stealing credentials, tokens, and environment variables that often include production access keys.

The attack follows the established supply chain compromise playbook: gain access to a trusted publisher account, publish versions with minimal code changes that execute during npm install lifecycle hooks, and harvest credentials before anyone notices. The @redhat-cloud-services scope adds credibility — developers pulling from a namespace associated with Red Hat have little reason to suspect the packages. Red Hat has confirmed the compromise, revoked the affected versions, and is investigating the account takeover that enabled publication.

The blast radius depends on how each consumer resolves versions at install time. A pipeline that runs npm install without a committed lockfile, or that regenerates the lockfile as part of the build, resolves range specifiers (e.g., ^1.2.0) against the registry and would have pulled the malicious versions automatically. npm ci behaves differently: it installs exactly what package-lock.json records and refuses to run if package.json and the lockfile disagree, so projects that commit their lockfile and install with npm ci were exposed only if someone refreshed the lock after the malicious publish. Stolen credentials from these environments can escalate to production, since a compromised CI service account often has deployment permissions.

What defenders should do: Audit package-lock.json and npm-shrinkwrap.json files for any @redhat-cloud-services packages and compare the recorded versions against Red Hat's list of revoked versions. Run npm audit against current lockfiles, bearing in mind that it only flags versions already in the npm advisory database. Rotate any credentials or tokens that were present as environment variables in build pipelines that installed affected packages, including registry tokens in .npmrc and cloud keys injected by the CI runner. Enforce committed lockfiles installed with npm ci, dependency pinning and software composition analysis in CI/CD workflows, and run installs with --ignore-scripts where the build does not depend on lifecycle hooks, since install-time hooks were the execution vector here.
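The lockfile audit and the range check from the two paragraphs above, as an added example in Python. This is not Red Hat's tooling or code from the original brief; the package names, versions and integrity strings in the sample files are constructed, and the PLACEHOLDER_BAD_VERSIONS set is a stand-in for the (name, version) pairs from Red Hat's advisory, which the page does not list.

```python
import json
import re

SCOPE = "@redhat-cloud-services/"

# Placeholder: replace with the (name, version) pairs Red Hat published.
# These names and versions are constructed for the example, not real ones.
PLACEHOLDER_BAD_VERSIONS = {
    ("@redhat-cloud-services/example-pkg", "4.2.7"),
}

_EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+(?:-[\w.]+)?")


def lockfile_packages(lock):
    """Yield (name, version, integrity) for every installed package.
    lockfileVersion 2/3 use a flat 'packages' map keyed by node_modules
    path; v1 uses a nested 'dependencies' tree. v2 has both; prefer the map."""
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if path == "" or meta.get("link"):
                continue  # root project / workspace symlink, not a registry package
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version"), meta.get("integrity")
        return

    def walk(deps):
        for name, meta in (deps or {}).items():
            yield name, meta.get("version"), meta.get("integrity")
            yield from walk(meta.get("dependencies"))

    yield from walk(lock.get("dependencies"))


def audit_lockfile(lock, scope=SCOPE, known_bad=frozenset()):
    """One finding per package under `scope`:
    'known_bad'  - (name, version) is on the advisory list
    'unverified' - no integrity hash, so npm ci cannot prove the tarball
                   matches what was audited
    'review'     - in scope but not listed; confirm against the advisory"""
    findings = []
    for name, version, integrity in lockfile_packages(lock):
        if not name.startswith(scope):
            continue
        if (name, version) in known_bad:
            status = "known_bad"
        elif not integrity:
            status = "unverified"
        else:
            status = "review"
        findings.append({"name": name, "version": version, "status": status})
    return sorted(findings, key=lambda f: f["name"])


def unpinned_scope_deps(package_json, scope=SCOPE):
    """Dependencies under `scope` declared as a range (^, ~, >=, *, ...)
    rather than an exact version: the entries a lockfile regeneration or a
    lockfile-less `npm install` would silently bump to a newer publish."""
    unpinned = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(field, {}).items():
            if name.startswith(scope) and not _EXACT_VERSION.fullmatch(spec):
                unpinned[name] = spec
    return unpinned


# Constructed sample files (not real packages, versions or hashes).
SAMPLE_PACKAGE_JSON = {
    "name": "example-app",
    "dependencies": {
        "@redhat-cloud-services/example-pkg": "^4.0.0",
        "@redhat-cloud-services/example-types": "1.0.3",
        "left-pad": "1.3.0",
    },
}

SAMPLE_LOCK_V3 = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": SAMPLE_PACKAGE_JSON["dependencies"]},
        "node_modules/@redhat-cloud-services/example-pkg": {
            "version": "4.2.7", "integrity": "sha512-CONSTRUCTED"},
        "node_modules/@redhat-cloud-services/example-types": {
            "version": "1.0.3"},  # no integrity field on purpose
        "node_modules/left-pad": {
            "version": "1.3.0", "integrity": "sha512-CONSTRUCTED"},
    },
}


if __name__ == "__main__":
    import sys
    # Usage: python lockaudit.py path/to/package-lock.json
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for finding in audit_lockfile(lock, known_bad=PLACEHOLDER_BAD_VERSIONS):
        print(f"{finding['status']:10} {finding['name']}@{finding['version']}")
    print("unpinned:", unpinned_scope_deps(SAMPLE_PACKAGE_JSON))
```

Run it against every lockfile in the repositories your CI builds, including nested workspace lockfiles, and treat 'unverified' entries as a finding in their own right: without an integrity hash, npm ci has nothing to check the fetched tarball against.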

FlutterShell macOS Backdoor Distributed via Malvertising

Palo Alto Unit 42 documented Operation FlutterBridge, a malvertising campaign targeting macOS users with a novel backdoor built using the Flutter framework. Attackers purchase search engine ads for popular productivity applications, redirecting users to convincing download pages that deliver the FlutterShell backdoor alongside a functional application.

The use of Flutter is tactically significant. A Flutter application for macOS is still an ordinary Mach-O app bundle, but the program logic is an ahead-of-time compiled Dart snapshot packaged in App.framework and executed by the Flutter engine in FlutterMacOS.framework; the host executable is a thin launcher. Signatures and heuristics tuned to Objective-C or Swift code, or to the string and import patterns of conventional macOS malware, see little of substance in that layout, which is why the static detections built for that malware miss FlutterShell. The backdoor provides persistent remote access, command execution, and file exfiltration: standard RAT capabilities delivered through an unconventional compilation pipeline.

What defenders should do: Ensure macOS endpoints are covered by behavioral endpoint detection, not just signature-based scanning. Block known malvertising redirect domains at the DNS layer. Before allow-listing a downloaded bundle, check its signing and notarization status (spctl -a -vv /path/to/App.app) and treat an App.framework plus FlutterMacOS.framework pair inside an application that is not in your software catalog as worth a look. Review BYOD policies for macOS devices that may lack organizational endpoint detection coverage entirely.

Defender Action Items

  • Patch domain controllers for CVE-2026-41089 immediately; restrict Netlogon RPC to authorized hosts as a compensating control
  • Patch or restrict Oracle WebLogic instances; if the Oracle CPU cannot be applied this week, deny T3/IIOP from untrusted networks with a WebLogic connection filter (port blocking alone leaves T3 multiplexed on the HTTP listen port)
  • Audit npm lockfiles for @redhat-cloud-services packages; rotate CI/CD credentials exposed to affected build environments; install with npm ci and --ignore-scripts where the build allows it
  • Verify macOS endpoint detection coverage uses behavioral analysis, not just signatures; block malvertising redirects at DNS
  • Update WP Maps Pro WordPress plugin or remove entirely; audit admin accounts for unauthorized additions (CVE-2026-8732)

Detection Spotlight

Windows domain controller defenders should monitor for anomalous Netlogon authentication patterns that may indicate CVE-2026-41089 exploitation attempts. The following Splunk SPL query surfaces Netlogon session setup failures on domain controllers: NETLOGON-source events 5805, 5723 and 5722 in the System log. These events carry the calling computer name in the message text rather than in a source IP field, so the query extracts it with a regex and buckets by time; a sudden burst from one name against one domain controller in a short window is the signal worth investigating immediately.

index=wineventlog sourcetype="WinEventLog:System" SourceName=NETLOGON earliest=-1h
    (EventCode=5805 OR EventCode=5723 OR EventCode=5722)
| rex field=Message "from (?:the )?computer '?(?<src_computer>[^' ]+)'?"
| bin _time span=5m
| stats count by _time, src_computer, EventCode, ComputerName
| where count > 5
| sort - count
| table _time, src_computer, EventCode, ComputerName, count

This query surfaces computer names generating repeated Netlogon failures against a domain controller inside one five-minute bucket. Expect some steady-state noise: 5723 fires whenever a machine whose account was deleted or reset tries to reconnect, and 5805 follows machine account password mismatches and misconfigured trusts. Baseline those sources first, then treat any name that exceeds the threshold in a single bucket, or that does not correspond to a known domain-joined host, as an immediate investigation. Tune the threshold and span to your environment; the values here are a starting point.

For environments using Microsoft Sentinel (KQL):

Event
| where TimeGenerated > ago(1h)
| where EventLog == "System" and Source == "NETLOGON"
| where EventID in (5805, 5723, 5722)
| extend SourceComputer = extract(@"from (?:the )?computer '?([^' ]+)'?", 1, RenderedDescription)
| summarize HitCount = count() by bin(TimeGenerated, 5m), SourceComputer, Computer, EventID
| where HitCount > 5
| order by HitCount desc
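The same detection logic as the two queries above, as an added Python example run over constructed log records (not code from the original brief, and not a Microsoft or Splunk tool). It goes one step beyond the queries by using a sliding window instead of fixed buckets, so a burst straddling a bucket boundary is not split in half. The five-minute window and the threshold of 5 are assumptions matching the queries; the computer names, timestamps and message texts are constructed from the standard Netlogon event wording.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NETLOGON-source System log events: 5805 (session setup failed to
# authenticate), 5722/5723 (no trust account for the calling computer).
NETLOGON_FAILURE_IDS = {5805, 5722, 5723}

# These events carry the caller's computer name inside the message text, not
# in an IP field. 5805 reads "from the computer X", 5722/5723 "from computer 'X'".
_SOURCE_RE = re.compile(r"from (?:the )?computer '?(?P<src>[^' ]+)'?", re.IGNORECASE)


def extract_source_computer(message):
    """Pull the calling computer name out of a Netlogon event message."""
    m = _SOURCE_RE.search(message)
    return m.group("src") if m else None


def detect_netlogon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (source computer, DC) pairs with more than `threshold` Netlogon
    failures inside any `window`-long span. Each event is a dict with
    'time' (datetime), 'event_id', 'computer' (the DC) and 'message'."""
    times_by_key = defaultdict(list)
    for ev in events:
        if ev["event_id"] not in NETLOGON_FAILURE_IDS:
            continue
        src = extract_source_computer(ev["message"])
        if src is None:
            continue
        times_by_key[(src, ev["computer"])].append(ev["time"])

    alerts = []
    for (src, dc), times in times_by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append({"source": src, "dc": dc, "peak_count": peak})
    return sorted(alerts, key=lambda a: a["peak_count"], reverse=True)


def sample_events():
    """Constructed records: an 8-event burst from one workstation in two
    minutes, a slow trickle from a stale account, and an unrelated event."""
    t0 = datetime(2026, 5, 18, 8, 0, 0)
    burst = [
        {"time": t0 + timedelta(seconds=15 * i), "event_id": 5805, "computer": "DC01",
         "message": "The session setup from the computer ATTACKER-PC failed to "
                    "authenticate. The following error occurred: Access is denied."}
        for i in range(8)
    ]
    trickle = [
        {"time": t0 + timedelta(minutes=20 * i), "event_id": 5723, "computer": "DC01",
         "message": "The session setup from computer 'STALE-WKS' failed because the "
                    "security database does not contain a trust account 'STALE-WKS$' "
                    "referenced by the specified computer."}
        for i in range(3)
    ]
    noise = [{"time": t0, "event_id": 7036, "computer": "DC01",
              "message": "The Netlogon service entered the running state."}]
    return burst + trickle + noise


if __name__ == "__main__":
    for alert in detect_netlogon_bursts(sample_events()):
        print(alert)
```

On the sample data only ATTACKER-PC is reported; STALE-WKS generates the kind of low-rate 5723 noise a deleted or reset machine account produces and never exceeds the threshold inside one window. Feed it exported System log records (for example from Get-WinEvent converted to the same dict shape) to replay a real day against the threshold before wiring the query into alerting.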
