domain controllers Archives

Winsage

June 1, 2026

Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild

Microsoft is facing scrutiny due to a critical remote execution vulnerability, CVE-2026-41089, rated at 9.8, affecting Windows Server domain controllers from version 2012 onward. This vulnerability allows unauthenticated users on the same network to send malformed UDP packets to a domain controller, potentially granting unauthorized system access or causing a reboot, leading to denial-of-service scenarios. The vulnerable service is Netlogon, and there are no immediate mitigations available; patches will be released on May 12. The vulnerability could allow attackers to create multiple accounts with various access levels, compromising the security of entire networks. Cybersecurity experts recommend patching all linked domain controllers simultaneously. The vulnerability is caused by a buffer overflow in the Netlogon service due to a field in a network packet exceeding its expected size. A GitHub repository exists with proof-of-concept code that can crash the LSASS service. Additionally, Microsoft is in conflict with security researcher Chaotic Eclipse, who has published zero-day exploits following a breakdown in negotiations.

Winsage

June 1, 2026

Critical Windows Netlogon RCE flaw now exploited in attacks

The Centre for Cybersecurity Belgium (CCB) has warned about the exploitation of a critical vulnerability in Windows Netlogon, identified as CVE-2026-41089, which allows remote code execution on domain controllers without prior access or authentication. This vulnerability, characterized as a stack-based buffer overflow, was patched by Microsoft during the May 2026 Patch Tuesday. The CCB emphasized the urgency of patching vulnerable servers, noting that the vulnerability is actively being exploited. The CVSS score for this vulnerability is 9.8. Further details on the ongoing attacks have not been disclosed, and Microsoft has not updated its advisory on the vulnerability.

Winsage

May 28, 2026

Windows Server 2016 Update: Disastrous Bug Breaks AD

Microsoft released a mandatory patch (KB5087537) for Windows Server 2016 to enhance cryptographic layers and address critical vulnerabilities. This update is essential for organizations using legacy workloads, as mainstream support ended in January 2022, but extended support continues until January 12, 2027. The patch aims to prepare systems for the expiration of Windows Secure Boot certificates in June 2026, which, if not updated, could compromise security and expose systems to malware. The update uses a phased deployment model and includes a new SecureBoot folder to assist IT professionals in managing certificate status. It also addresses various quality-of-life issues, including bugs affecting Remote Desktop Connection and authentication errors with Microsoft services. However, a significant issue arises when the host server name is exactly 15 characters long, causing failures in the domain controller discovery process and obstructing critical operations. This bug is linked to the historical 15-character limit of NetBIOS, which affects the Active Directory lookup mechanism. Microsoft has acknowledged the issue but has not provided a timeline for a fix, leaving administrators to either rename servers or uninstall the update. As the Secure Boot deadline approaches, IT departments must carefully assess their environments to avoid disruptions while ensuring security compliance.

Winsage

May 25, 2026

How I Changed the SID on My Windows Server Without Reinstalling (And Why You Should Care)

Cloning a Windows Server machine can lead to issues with duplicate Security Identifiers (SIDs). A Security Identifier (SID) is a unique string assigned to every machine, user, and group in Windows, functioning like a fingerprint. Duplicate SIDs can cause problems such as domain join failures, incorrect WSUS reporting, inconsistent Group Policy application, and licensing issues. The author initially attempted to use sysprep to change the SID after cloning, which resulted in stripping the domain join and causing SQL Server to fail. The author then discovered Wittytool Disk Clone, which includes a SID changer that successfully generated a new SID and updated all necessary references without disrupting the server's configuration or applications. The process took only six minutes and worked similarly on Windows Server 2019. It is more efficient to generate a new SID during the cloning process rather than afterward. Important precautions include taking a snapshot or backup before making changes and being aware that changing the SID on domain controllers is more complex. Reactivation of Windows may also be required after the SID change.

Winsage

May 5, 2026

April 2026 Windows Update Breaks Third-Party Backup Software by Blocking Vulnerable Driver

Microsoft will include the psmounterex.sys driver in its Vulnerable Driver Blocklist in the April 2026 security update, affecting third-party backup applications that use this driver for image mounting and Volume Shadow Copy Service (VSS) snapshots. This decision addresses CVE-2023-43896, a critical buffer overflow vulnerability. Affected software includes Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup on Windows 11, Windows 10, and Windows Server platforms. Users may face issues during image-mount operations, receiving error messages related to VSS timeouts and Code Integrity errors in the Event Viewer. To check if a system is affected, users can look for Event ID 3077 in the Code Integrity Operational log. Microsoft recommends upgrading to newer versions of backup applications that do not use blocked drivers and advises against uninstalling or delaying the April update. Additionally, the update may cause certain Windows Server 2025 devices to boot into BitLocker recovery mode and has led to out-of-band updates for Windows Server update failures and restart loops on domain controllers.

Winsage

April 21, 2026

Microsoft releases Windows Server update fix to fix its April update fixes

Microsoft has released an out-of-band update to fix a restart loop issue affecting certain Windows Server devices after the April 2026 update. The problem arose after installing the April 2026 Windows security update (KB5082063), causing domain controllers in multi-domain environments using Privileged Access Management (PAM) to experience LSASS crashes during startup, leading to repeated restarts and potential domain outages. The update targets Windows Server versions 2016 through 2025 and includes hotpatches for failed installations. Only Windows Servers were affected, while some enterprise devices may need to enter their BitLocker recovery key after the first restart post-installation. Microsoft has issued similar updates recently, raising concerns about the frequency of these occurrences.

Winsage

April 20, 2026

Emergency Update for Windows Server Following Reboot Issues

Microsoft has released emergency updates for various versions of Windows Server due to issues arising from the April 2026 Patch Tuesday security updates. A significant problem was a reboot loop affecting domain controllers caused by crashes of the Local Security Authority Subsystem Service (LSASS), which disrupted authentication services. This issue was especially problematic during the setup of new domain controllers. Additionally, some Windows Server 2025 systems encountered difficulties in installing the security update KB5082063. The out-of-band update (KB5091157) for Windows Server 2025 addresses both the installation failure and the domain controller restart issue. Other updates targeting the domain controller restart problem were released for additional supported Windows Server versions. Microsoft has introduced an out-of-band update for seven versions, including KB5091157 for Windows Server 2025 and KB5091571 for Windows Server, version 23H2. Furthermore, some Windows Server 2025 devices may boot into BitLocker recovery mode after the update, requiring users to enter a BitLocker recovery key.

Winsage

April 20, 2026

Microsoft releases emergency updates to fix Windows Server issues

Microsoft has confirmed that some administrators are experiencing difficulties installing the KB5082063 security update on Windows Server 2025. This month's Patch Tuesday updates have caused certain Windows servers, especially those with domain controller roles, to enter a restart loop due to failures in the Local Security Authority Subsystem Service (LSASS). Microsoft has released emergency out-of-band updates, including KB5091157 for Windows Server 2025, to address both the installation failure and the restart issues. Additionally, some Windows Server 2025 devices may boot into BitLocker recovery mode after installing the KB5082063 update. A bug affecting Windows Server 2019 and Windows Server 2022 that caused unexpected upgrades to Windows Server 2025 has also been resolved. Microsoft has issued various emergency updates throughout the year to address other issues, including a Bluetooth device visibility bug and vulnerabilities in the Routing and Remote Access Service (RRAS).

Winsage

April 18, 2026

Microsoft closes book on rogue Windows Server 2025 upgrades

Microsoft has officially resolved the incident involving the unexpected upgrade to Windows Server 2025, which occurred over a year ago and caused significant disruption for system administrators. The upgrade was automatic, with no rollback option, and was attributed to third-party products managing updates. Additionally, Microsoft's cumulative update KB5082063 has introduced new issues, causing LSASS crashes on non-Global Catalog domain controllers in environments using Privileged Access Management, leading to repeated restarts and potential inaccessibility of domains. Microsoft has acknowledged this problem and promised a resolution soon.

Winsage

April 17, 2026

Microsoft’s April patch puts Windows domain controllers into reboot loops — third known issue from KB5082063 is affecting Windows Server 2016 through 2025

Microsoft has acknowledged that the April 2026 security update for Windows Server, patch KB5082063, has caused significant disruptions for some enterprise domain controllers, leading to continuous reboot cycles in non-Global Catalog domain controllers used in Privileged Access Management (PAM) deployments. This has resulted in the unavailability of Active Directory authentication and directory services on affected servers. Additionally, the installation of KB5082063 may fail on some Windows Server 2025 systems. This issue marks the third consecutive year that April security updates have caused problems for Windows Server domain controllers. In previous years, Microsoft issued emergency fixes for similar issues, including crashes and complications with NTLM authentication. Administrators currently have limited options, including delaying the update, isolating a test domain controller, or engaging with Microsoft Support for tailored mitigation steps.