Share
## https://sploitus.com/exploit?id=8A498307-0EFC-5390-A979-A85CF2BE1F27
# CVE-2026-41089 Detector

Safe detection script for **CVE-2026-41089**, the Microsoft Windows Netlogon remote code execution vulnerability disclosed in the May 2026 security update.

This tool does not send exploit traffic. It checks Windows Server build numbers, matching Microsoft KBs, and whether the system appears to be a domain controller.

## Usage

Local Windows host:

```powershell
python .\cve_2026_41089_check.py
```

Remote Windows host over CIM/WMI:

```powershell
python .\cve_2026_41089_check.py --target dc01.example.com --format json
```

Evaluate offline facts:

```powershell
python .\cve_2026_41089_check.py --input-json .\sample_facts.json --format csv
```

Refresh remediation data from MSRC:

```powershell
python .\cve_2026_41089_check.py --update-msrc
```

Exit codes:

- `0`: no vulnerable host found
- `1`: runtime or query error
- `2`: at least one host appears vulnerable

## Detection Logic

The script classifies hosts as:

- `patched`: host is at or above a fixed build, or has a matching KB installed.
- `vulnerable`: affected Windows Server build is below the fixed build and is a domain controller, or domain-controller role cannot be confirmed.
- `not_affected`: OS is outside the affected product/build list, or affected server is not a domain controller.
- `unknown`: insufficient local platform context or query failure.

Affected/fixed data is sourced from Microsoft MSRC CVRF data for `2026-May`.

| Product | Fixed build | Update |
| --- | --- | --- |
| Windows Server 2012 | `6.2.9200.26079` | KB5087470 |
| Windows Server 2012 R2 | `6.3.9600.23181` | KB5087471 |
| Windows Server 2016 | `10.0.14393.9140` | KB5087537 |
| Windows Server 2019 | `10.0.17763.8755` | KB5087538 |
| Windows Server 2022 | `10.0.20348.5139` | KB5087545 |
| Windows Server 2022 Hotpatch | `10.0.20348.5074` | KB5087424 |
| Windows Server 2022 23H2 | `10.0.25398.2330` | KB5087541 |
| Windows Server 2025 | `10.0.26100.32860` | KB5087539 |
| Windows Server 2025 Hotpatch | `10.0.26100.32772` | KB5087423 |

## Example Offline Facts

```json
{
  "target": "dc01",
  "caption": "Microsoft Windows Server 2019 Standard",
  "version": "10.0.17763",
  "build_number": "17763",
  "ubr": "8000",
  "product_type": 2,
  "domain_role": 5,
  "installed_kbs": []
}
```

## References

- Microsoft MSRC: 
- CVE Record: 
- NVD: 

## Disclaimer

This project is for defensive vulnerability management. Validate results against Microsoft guidance and your patch-management records before making production decisions.