Microsoft’s April 2026 Patch Tuesday is one of the heaviest releases on record, addressing 167 CVEs across Windows, Office, SharePoint, Active Directory, and Azure. Two zero-days demand immediate attention, and four Critical-rated remote code execution vulnerabilities significantly raise the overall risk profile for enterprise environments that have not yet applied updates.
The Zero-Days
CVE-2026-32201 — Microsoft SharePoint Server Spoofing (Actively Exploited)
The most urgent fix in this month’s release is CVE-2026-32201, a spoofing vulnerability in SharePoint Server that Microsoft confirms is being actively exploited in the wild. The flaw carries a CVSS score of 6.5, which understates its real-world risk: successful exploitation allows attackers to view sensitive information and make unauthorised modifications to disclosed content. Organisations running internet-facing or internally accessible SharePoint deployments should treat patching as an emergency task.
CVE-2026-33825 — Microsoft Defender Elevation of Privilege (Publicly Disclosed)
This Defender EoP flaw (CVSS 7.8) was publicly disclosed before a patch was available, giving attackers advance notice of a local privilege escalation path. Any threat actor already present on an endpoint could use this to move from a standard user context to SYSTEM. Given how widely Defender is deployed across enterprise environments, this warrants fast-track patching.
Critical Remote Code Execution Vulnerabilities
Beyond the zero-days, three Critical-rated RCE flaws stand out for organisations that need to prioritise:
CVE-2026-33824 — Windows IKE Service Extensions RCE (CVSS 9.8) An unauthenticated remote attacker can exploit a flaw in the Windows Internet Key Exchange service to execute arbitrary code without user interaction. The attack vector is network-accessible, requiring no privileges. Any externally reachable Windows system running IPsec with IKE is potentially at risk.
CVE-2026-33827 — Windows TCP/IP RCE (CVSS 8.1) Remote, unauthenticated code execution via the Windows TCP/IP stack. No user interaction required. Systems directly exposed to the internet or on untrusted network segments should be prioritised.
CVE-2026-33826 — Windows Active Directory RCE (CVSS 8.0, Critical) A code execution vulnerability in Active Directory assessed by Microsoft as “Exploitation More Likely.” Given that domain controllers are the backbone of most enterprise identity infrastructure, compromise of a domain controller would give attackers broad lateral movement capability. This requires urgent attention in any environment that has not segmented domain controller traffic.
Scope of This Release
The 167-CVE release is Microsoft’s second-largest monthly update on record. Eight vulnerabilities are rated Critical: seven remote code execution flaws and one denial-of-service. The remainder span elevation of privilege, information disclosure, spoofing, and security feature bypass categories.
Recommended Actions
- Apply the SharePoint patch immediately if CVE-2026-32201 affects your deployment — active exploitation is confirmed.
- Patch all Windows systems running IKE (CVE-2026-33824, CVSS 9.8) within your normal emergency patch SLA (typically 24–72 hours for Critical unauthenticated network RCE).
- Prioritise domain controllers for CVE-2026-33826 (Active Directory RCE) — Microsoft’s “Exploitation More Likely” rating signals that working exploits are expected imminently.
- Update Microsoft Defender signatures and the Defender platform component to address CVE-2026-33825 before the EoP is weaponised in attack chains.
- Test and deploy remaining updates within your standard patch cycle; the sheer volume of this release means vulnerability backlogs accumulate quickly.
Security teams should cross-reference their exposed asset inventory against the full CVE list published by Microsoft. With 167 vulnerabilities, organisations that do not have automated patch deployment tooling in place will struggle to close exposure windows in a reasonable timeframe.