Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day

Microsoft Patch Tuesday security updates for April 2026 fixed 165 vulnerabilities, including an actively exploited SharePoint zero-day.

Microsoft Patch Tuesday security updates addressed 165 vulnerabilities, making it one of the largest updates by CVE count. One of the most interesting flaws fixed by the IT giant is a critical SharePoint zero-day, tracked as CVE-2026-32201, already exploited in attacks in the wild.

Security experts highlight the scale and urgency of this release, urging organizations to apply patches quickly to reduce exposure and prevent potential compromise from actively targeted flaws.

Eight of these flaws are rated Critical, two are rated as Moderate, and the rest are rated Important in severity.

CVE-2026-32201 (CVSS score of 6.5) is a spoofing vulnerability in Microsoft SharePoint Server, likely related to cross-site scripting (XSS). While details are limited, it could allow attackers to view or modify exposed information. Microsoft has not disclosed how widespread exploitation is, but given the potential impact, organizations, especially those with internet-facing SharePoint servers—should prioritize testing and applying the patch quickly.

“Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.” reads the advisory. “An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).” “Exploitation Detected”

• CVE-2026-33825 (CVSS score: 7.8) – Microsoft Defender Elevation of Privilege Vulnerability
  This publicly disclosed flaw can allow privilege escalation, though current exploits may face reliability issues. Despite that, it represents a real risk. Organizations relying on Defender should test and deploy the patch quickly to reduce exposure.
• CVE-2026-33827 (CVSS score: 8.1) – Windows TCP/IP Remote Code Execution Vulnerability
  This flaw enables remote, unauthenticated attackers to execute code without user interaction, making it potentially wormable on systems with IPv6 and IPSec enabled. Although it involves a race condition, such bugs are often exploitable. Prompt patching is strongly recommended.
• CVE-2026-33824 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
  This critical flaw in Windows IKE service extensions could allow remote attackers to execute code on affected systems. Systems with IKE enabled are at risk, though blocking UDP ports 500 and 4500 can reduce exposure from external threats. However, internal attackers may still exploit it for lateral movement, so rapid patching is strongly recommended.

“By my count, this is the second-largest monthly release in Microsoft’s history. There are many things we could speculate on to justify the size, but if Microsoft is like the other programs out there (including ours), they are likely seeing a rise in submissions found by AI tools. For us, our incoming rate has essentially tripled, making triage a challenge, to say the least.” reported ZDI. “Whatever the reason, we have a lot of bugs to deal with this month. I should also point out that the Pwn2Own Berlin occurs next month, and it’s typical for vendors to patch as much as they can before the event.”

The full list of vulnerabilities addressed by Microsoft is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday)