Microsoft's Massive April 2026 Patch Tuesday Fixes 167 Flaws Including Exploited SharePoint Zero-Day

Introduction

Microsoft dropped one of its largest Patch Tuesday updates ever on April 14, addressing 167 security vulnerabilities across Windows, Office, SharePoint, and more. Two of those flaws are zero-days — one in SharePoint Server is already being exploited in the wild, and a second in Microsoft Defender was publicly disclosed before a fix shipped.

What Happened

The April 2026 update includes fixes for 93 elevation-of-privilege bugs, 20 remote code execution flaws, 21 information disclosure issues, 13 security feature bypasses, 10 denial-of-service vulnerabilities, and 9 spoofing flaws. Eight of them are rated Critical.

The actively exploited zero-day is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server (CVSS 6.5). It stems from improper input validation that opens the door to cross-site scripting (XSS). Attackers are already using it against internet-facing SharePoint instances to hijack authenticated sessions and execute actions on behalf of legitimate users.

The second zero-day, CVE-2026-33825, is an elevation-of-privilege flaw in Microsoft Defender (CVSS 7.8). A local attacker with low-level access can escalate straight to SYSTEM. While Microsoft has not confirmed active exploitation, proof-of-concept details were public before the patch landed.

Among the eight Critical-severity bugs, the most concerning are:

  • CVE-2026-33826 — Remote code execution in Windows Active Directory
  • CVE-2026-33827 — Remote code execution in Windows TCP/IP
  • CVE-2026-32157 — Remote code execution in Remote Desktop Client
  • CVE-2026-32190, CVE-2026-33114, CVE-2026-33115 — Remote code execution in Microsoft Office and Word (exploitable via the Preview Pane)

A third zero-day, CVE-2026-5281, a Chromium-based RCE affecting Edge and other Chromium browsers, was also patched in this cycle.

Why It Matters

This is the second-largest Patch Tuesday on record by CVE count. Security researchers attribute the spike partly to AI-assisted vulnerability discovery accelerating the rate at which flaws surface. For defenders, the combination of an exploited SharePoint zero-day, a disclosed Defender privilege escalation, and critical RCEs in Active Directory and TCP/IP creates a wide attack surface that needs immediate attention. The Office Preview Pane RCEs are especially dangerous because they require zero clicks — just previewing a malicious document triggers code execution.

Who Is Affected

  • Any organization running Microsoft SharePoint Server exposed to the internet
  • Windows endpoints relying on Microsoft Defender for endpoint protection
  • Enterprises using Active Directory, Remote Desktop, and Microsoft Office
  • Users of Chromium-based browsers including Microsoft Edge
  • Effectively every Windows shop is in scope for at least a subset of these 167 fixes

How to Protect Yourself

Patch immediately. This is a "stop what you're doing and update" month.

Check your current patch level on Windows:

Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10

Force a Windows Update check:

usoclient StartInteractiveScan

For SharePoint administrators — verify your SharePoint build number against the patched version:

(Get-SPFarm).BuildVersion

If you cannot patch SharePoint immediately, restrict external access to the SharePoint web front-end and monitor IIS logs for anomalous POST requests to SharePoint endpoints.
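
One way to do the IIS log review described above, as an added example (not from the original article or from Microsoft): it reads W3C-format log lines, keeps POST requests to SharePoint paths, and reports those whose decoded query string carries script-style markup, along with the account attached to the request. The function name Find-SuspiciousSharePointPost, both patterns, and the sample log lines are assumptions constructed for illustration; the markup pattern is a generic script-injection heuristic, not a published indicator for CVE-2026-32201.

```powershell
# Constructed sample in IIS W3C extended log format (not real traffic).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-04-15 09:01:12 GET /sites/hr/SitePages/Home.aspx - CONTOSO\alice 10.0.0.21 200
2026-04-15 09:02:40 POST /_vti_bin/client.svc/ProcessQuery - CONTOSO\alice 10.0.0.21 200
2026-04-15 09:03:05 POST /_layouts/15/example.aspx q=%3Cscript%3Ealert(1)%3C/script%3E CONTOSO\bob 203.0.113.50 200
2026-04-15 09:03:09 POST /_layouts/15/example.aspx q=report - 203.0.113.50 401
'@ -split "`r?`n"

function Find-SuspiciousSharePointPost {
    param(
        [string[]] $LogLine,
        # Assumption: path segments treated as SharePoint endpoints; adjust for your farm.
        [string] $PathPattern = '/(_layouts|_vti_bin|_api)/',
        # Assumption: generic script-injection markers, not published indicators for the CVE.
        [string] $MarkupPattern = '<|>|javascript:|onerror|onload'
    )
    $fields = @()
    foreach ($line in $LogLine) {
        if ($line -like '#Fields:*') {
            # The header names the columns; IIS can repeat it within a file.
            $fields = @(($line -replace '^#Fields:\s*', '') -split '\s+' | Where-Object { $_ })
            continue
        }
        if ($line -like '#*' -or $fields.Count -eq 0) { continue }
        $values = @($line.Trim() -split ' ')
        if ($values.Count -ne $fields.Count) { continue }   # skip blank or truncated rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-method'] -ne 'POST' -or $row['cs-uri-stem'] -notmatch $PathPattern) { continue }
        # IIS logs the query string percent-encoded; decode before matching.
        $query = [uri]::UnescapeDataString([string]$row['cs-uri-query'])
        if ($query -match $MarkupPattern) {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                User     = $row['cs-username']   # account whose session to review
                Uri      = $row['cs-uri-stem']
                Query    = $query
                Status   = $row['sc-status']
            }
        }
    }
}

Find-SuspiciousSharePointPost -LogLine $sample | Format-List
```

Against real logs, pass the output of Get-Content for the site's log file as -LogLine. IIS logs record the query string but not the POST body, so markup carried only in the body will not show up in this check.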

For the Microsoft Defender EoP flaw, ensure Defender definitions and platform updates are current:

Update-MpSignature
Get-MpComputerStatus | Select-Object AMProductVersion, AntivirusSignatureLastUpdated

Prioritize the Critical RCEs in Active Directory (CVE-2026-33826) and TCP/IP (CVE-2026-33827) on domain controllers and externally reachable hosts. Disable the Preview Pane in Outlook and Explorer as a temporary mitigation for the Office RCEs:

Registry: HKCU\Software\Microsoft\Office\16.0\Outlook\Options → set "ShowReadingPane" = 0

Review the full advisory at the Microsoft Security Update Guide.
