Executive Summary – Key Highlights
Microsoft’s April 2026 Patch Tuesday is one of the largest and most urgent security update cycles on record, addressing 163–167 vulnerabilities across Windows, Microsoft 365, Office, SharePoint, Defender, Azure components, and core infrastructure services. [bleepingcomputer.com], [securitybo…levard.com], [crowdstrike.com]
Key takeaways for organisations:
- Two zero-day vulnerabilities fixed, one actively exploited in the wild
- Eight Critical vulnerabilities, most enabling remote code execution
- SharePoint Server is a top priority due to confirmed exploitation
- Elevation of Privilege vulnerabilities dominate this release
- Immediate patching is strongly recommended for internet-facing and regulated environments
This month’s release reinforces the importance of tight patch management, vulnerability prioritisation, and rapid remediation, particularly for organisations handling sensitive data.
Overview: Why April 2026 Matters
April 2026 represents the second-largest Patch Tuesday release in Microsoft’s history, with attackers already exploiting weaknesses before patches were available. [krebsonsecurity.com], [tenable.com]
In total, Microsoft resolved vulnerabilities across:
- Windows desktop and server
- Microsoft Office (Word, Excel, PowerPoint)
- Microsoft SharePoint Server
- Microsoft Defender
- Active Directory, Remote Desktop, BitLocker, and TCP/IP
- Azure services and management tooling
Many of these flaws impact core identity, collaboration, and remote access services, significantly increasing risk if not addressed promptly.
Zero-Day Vulnerabilities – Immediate Attention Required
CVE-2026-32201 – SharePoint Server Spoofing (Actively Exploited)
- Status: Actively exploited in the wild
- Impact: Spoofing attacks allowing malicious content to appear trusted
- Risk: Enables phishing, social engineering, and data manipulation
- Action: Patch immediately, especially for exposed or business-critical SharePoint environments
This vulnerability allows attackers to exploit improper input validation within SharePoint, potentially deceiving users into trusting falsified content hosted inside a legitimate platform. [bleepingcomputer.com], [infosecuri…gazine.com], [crowdstrike.com]
CVE-2026-33825 – Microsoft Defender Elevation of Privilege
- Status: Publicly disclosed prior to patching
- Impact: Local attackers can gain SYSTEM-level privileges
- Risk: Can be chained with other vulnerabilities post-initial compromise
- Action: Ensure Defender platform updates are applied across endpoints
Microsoft confirms the Defender fix is delivered automatically via security intelligence updates, but verification is critical in managed estates. [bleepingcomputer.com], [infosecuri…gazine.com]
Vulnerability Breakdown at a Glance
April’s updates are heavily skewed towards privilege escalation and system-level compromise:
- Elevation of Privilege: 93 vulnerabilities
- Remote Code Execution: 20 vulnerabilities (7 Critical)
- Information Disclosure: 20 vulnerabilities
- Security Feature Bypass: 12–13 vulnerabilities
- Denial of Service & Spoofing: Remaining issues
Windows components account for approximately 80% of all fixes, underlining the need for comprehensive endpoint and server patching strategies. [bleepingcomputer.com], [blog.qualys.com], [crowdstrike.com]
Windows, Office and Infrastructure Impact
Windows & Server Platforms
Microsoft patched vulnerabilities across:
- Active Directory
- Remote Desktop Client
- Windows TCP/IP & IKE (IPsec/VPN)
- BitLocker, LSASS, Kernel, and WinSock
Several of these components are network-facing or identity-critical, which significantly raises exploitation impact if left unpatched. [cybersafenv.org], [infosecuri…gazine.com]
Microsoft Office & Collaboration Services
Office applications remain a consistent attack vector:
- Multiple Remote Code Execution vulnerabilities in Word, Excel and PowerPoint
- Additional critical focus on SharePoint Server, especially for on‑premises deployments
Organisations using Microsoft 365 hybrid or on‑prem collaboration services should ensure both server and endpoint updates are fully applied.
Adobe Updates (Also Included This Month)
Alongside Microsoft, Adobe released security updates for 56 vulnerabilities, 38 rated as Critical, affecting:
- Adobe Acrobat Reader
- Photoshop, Illustrator, InDesign
- ColdFusion and Adobe Connect
Active exploitation has been reported for at least one Acrobat Reader vulnerability, making Adobe patching a parallel priority this month. [blog.qualys.com], [zerodayini…iative.com]
Secure Chain Guidance: What Should You Do Now?
We recommend organisations take the following risk-based approach:
- Patch SharePoint Server immediately, prioritising exposed systems
- Deploy April cumulative updates to all supported Windows endpoints and servers
- Verify Defender platform versions are fully up to date
- Accelerate patching for Remote Desktop, AD, VPN, and identity services
- Confirm Office and Adobe updates across user devices
- Validate remediation via vulnerability scanning and reporting tools
For regulated sectors (legal, finance, healthcare), delays in addressing known exploited vulnerabilities may create compliance and audit risk.
