Why this is operationally urgent
Netlogon is part of the domain trust plumbing. A critical RCE here is, in the worst case, a direct path to a domain controller without needing complex chains.
If you have to prioritize: patch domain controllers first, then the systems used to administer them (jump hosts, management servers, admin workstations).
Practical steps for the next 24–72 hours
- Enforce patch level: Apply May 2026 security updates to all domain controllers (all sites) and admin/management systems.
- Harden network paths: Allow access to DCs only from required source networks (server/admin segments). Remove unnecessary lateral reachability from user/client segments.
- Eliminate DC exposure: DCs should not be reachable from DMZs, through “any-to-any” firewalls, or via weak VPN profiles.
- Tighten monitoring: Focus on unusual Netlogon/auth failures, new or suspicious machine accounts, sudden policy/GPO changes, and atypical DC logons.
Fast verification
- Update compliance: Per-DC proof that the May 2026 cumulative updates are installed (WSUS/Intune/SCCM, or locally via Get-HotFix/servicing reports).
- Segmentation: A quick path check from common client VLANs to DC ports (SMB/RPC) usually reveals where too much is still open.
If patching is delayed, segmentation and access-path control are the realistic short-term levers to reduce risk without rebuilding AD.
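The two verification checks above, combined into one added PowerShell script (example code, not part of the original advisory). It assumes the ActiveDirectory RSAT module is installed, that Get-HotFix can reach each DC over WMI/DCOM, and that the operator fills in the real May 2026 KB ids; the KB value below is a placeholder.

```powershell
# Added example: per-DC update compliance plus a DC port reachability check
# from the host this runs on. The KB id is a placeholder, not a real value.
param(
    [string[]]$RequiredKBs = @('KB<PLACEHOLDER_MAY2026_CU>'),
    [int[]]$DcPorts = @(135, 445)   # RPC endpoint mapper, SMB
)

Import-Module ActiveDirectory -ErrorAction Stop

# Enumerate every DC in the domain, all sites
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    # Update compliance: list installed hotfixes on the DC
    $installed = @()
    try {
        $installed = @((Get-HotFix -ComputerName $dc -ErrorAction Stop).HotFixID)
    } catch {
        Write-Warning "$dc : could not enumerate hotfixes ($($_.Exception.Message))"
    }
    $missing = @($RequiredKBs | Where-Object { $installed -notcontains $_ })

    # Segmentation: which DC ports answer from the segment this host sits in
    $openPorts = foreach ($port in $DcPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { $port }
    }

    [pscustomobject]@{
        DomainController = $dc
        # Only "patched" when the query succeeded and nothing is missing
        Patched          = ($installed.Count -gt 0 -and $missing.Count -eq 0)
        MissingKBs       = ($missing -join ',')
        ReachablePorts   = (@($openPorts) -join ',')
    }
}

$report | Format-Table -AutoSize
```

Run it once from an admin host (expect all ports reachable) and once from a representative client VLAN: any DC port reachable from the client run is a segmentation gap to close.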
