Your domain controller is online right now. And if it hasn't been patched in the last few weeks, there's a reasonable chance someone already knows about a hole in it that you don't.
This isn't hypothetical. It's the current state of Windows Server security in mid-2026 — and the cost of falling behind on patches has never been higher.
The Threat Is Active, Not Theoretical
According to The Hacker News, a newly disclosed Windows Search URI vulnerability (alongside CVE-2026-33829) is actively leaking NTLMv2 credential hashes — and as of this writing, it remains unpatched. An attacker who captures those hashes can crack them offline or relay them to authenticate to other systems on your network. No malware required. No user interaction beyond opening a crafted file or link.
For the IT admin managing a 50-person shop, that's not an abstract threat. That's your file server, your domain controller, your entire Active Directory environment sitting behind a credential that's already been handed to an attacker.
Meanwhile, The Hacker News also reports that AI is compressing the window between vulnerability disclosure and active exploitation down to hours. Not days. Not weeks. Hours. If your patch cycle runs monthly — or whenever you get around to it — you are now operating in a world where that lag time is enough for attackers to build, test, and deploy a working exploit before you've even opened the patch notes.
And it's not just Windows. CISA added Oracle WebLogic CVE-2024-21182 to its Known Exploited Vulnerabilities catalog this week after confirming active exploitation in the wild. The pattern is consistent: unpatched server software gets found, weaponized, and used — often within days of public disclosure.
On top of all this, Bruce Schneier reported that a researcher publishing multiple significant Windows zero-days — including one that breaks BitLocker — is now facing pressure from Microsoft. Whatever you think of that dispute, the takeaway is clear: the Windows vulnerability surface is being actively probed and exposed right now, and the disclosures are coming faster than most organizations can respond. (We covered the BitLocker angle specifically in our post on BitLocker vs full disk encryption alternatives.)
What Actually Happens When You Miss a Patch
Let's walk through the realistic blast radius of a single missed critical patch on a domain controller.
Step 1 — Initial Access via Credential Theft
An attacker sends a malicious link or document that triggers the Windows Search URI vulnerability. Your user's NTLMv2 hash is captured. The attacker cracks it or relays it within minutes.
Step 2 — Privilege Escalation to SYSTEM
With valid credentials, the attacker authenticates to the domain controller. A secondary privilege escalation vulnerability — the kind that gets quietly patched in monthly rollups — lets them move from a standard user context to SYSTEM. Full control of the machine.
Step 3 — Lateral Movement
From the domain controller, the attacker has the keys to everything. They dump credentials from memory (LSASS), enumerate your file shares, identify your backup systems, and map your environment. This phase often takes less than 30 minutes with modern tooling.
Step 4 — Ransomware Deployment
Backups are deleted or encrypted first. Then ransomware is pushed to every endpoint via Group Policy or remote execution. You arrive Monday morning to a ransom note.
This isn't a worst-case scenario. This is the documented playbook used in hundreds of real incidents against small and mid-sized businesses. The legal and financial fallout from that outcome is something we broke down in detail in our post on ransomware liability and small business legal risk.
The No-Excuses Patching Checklist
You don't need a $50,000 vulnerability management platform to stay on top of this. You need a repeatable process.
1. Patch domain controllers first, always. Your DC is the highest-value target on your network. It gets patched before workstations, before file servers, before anything else.
2. Subscribe to CISA's Known Exploited Vulnerabilities feed. CISA's KEV catalog (cisa.gov/known-exploited-vulnerabilities-catalog) is free and tells you exactly which vulnerabilities are being actively used in attacks right now. If something hits that list, it jumps to the front of your queue regardless of your patch schedule.
3. Run Windows Update on a weekly cadence, not monthly. Monthly Patch Tuesday is a baseline, not a ceiling. Critical out-of-band patches — the ones Microsoft releases between Tuesdays — often address the most dangerous vulnerabilities. Check weekly.
4. Audit what's actually patched, not just what's been pushed. Patch deployment and patch installation are not the same thing. Verify that updates have actually applied successfully. Failed patches are silent until they're exploited.
5. Prioritize anything touching authentication. NTLM, Kerberos, LDAP, RDP — any vulnerability in these protocols on a domain controller is critical by default. Patch these immediately, full stop.
6. Know your exposure before attackers do. Running a vulnerability scan against your own infrastructure tells you what an attacker would see. If you're not doing this regularly, you're flying blind. We covered how this process works in our post on why we verify domain ownership before scanning.
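As an added example (not code from the original post), here is a PowerShell script that puts item 4 into practice for domain controllers: it enumerates every DC from Active Directory, checks whether a list of expected KBs is actually recorded as installed, and pulls recent Windows Update installation failures from the System log. The KB numbers are placeholders, and the ActiveDirectory module plus remote WMI and event-log access to each DC are assumed.

```powershell
#Requires -Modules ActiveDirectory
# Added example: verify patches are INSTALLED, not just pushed.
# Replace the placeholder KB ids with the KBs from the rollup you expect on every DC.
$RequiredKBs  = @('KB0000001', 'KB0000002')   # placeholders, not real KB numbers
$LookbackDays = 14                              # how far back to look for failed installs

# Pull the DC list from AD so a forgotten DC can't silently drop off the audit.
$DCs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $DCs) {
    try {
        # Get-HotFix reads the update records Windows itself wrote (Win32_QuickFixEngineering),
        # which is what you want when asking "did it actually apply?"
        $installed = (Get-HotFix -ComputerName $dc -ErrorAction Stop).HotFixID
    } catch {
        # An unreachable DC is a finding in its own right, not something to skip.
        [pscustomobject]@{ DC = $dc; Status = 'UNREACHABLE'; Detail = $_.Exception.Message }
        continue
    }

    $missing = $RequiredKBs | Where-Object { $_ -notin $installed }

    # Event ID 20 from the Windows Update client is "Installation Failure".
    # These are the silent failures the checklist warns about.
    $failed = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        Id           = 20
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC     = $dc
        Status = if ($missing -or $failed) { 'ATTENTION' } else { 'OK' }
        Detail = "Missing: $($missing -join ', '); failed installs (last $LookbackDays days): $(@($failed).Count)"
    }
}

$report | Format-Table -AutoSize
```

Anything other than OK is a DC that should be patched or investigated before the next Patch Tuesday, not after.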
The Window Is Smaller Than You Think
The old assumption was that you had a few weeks between a patch being released and attackers weaponizing the underlying vulnerability. That assumption is dead. AI-assisted exploit development has collapsed that timeline, and small business infrastructure — domain controllers, file servers, VPNs — is actively targeted because attackers know it's less likely to be monitored.
If your patch process is "whenever I get to it," that's not a process. That's a waiting game you will eventually lose.
Take Action
Knowing you have unpatched vulnerabilities is better than finding out from a ransom note. A proactive scan of your external attack surface tells you exactly what's exposed before an attacker gets there first.
Oscar Six Security's Radar gives small business IT admins and MSPs an affordable, no-fluff vulnerability scan for $99 — so you can see your environment the way an attacker does and close the gaps before they're exploited.
Focus Forward. We've Got Your Six.