Microsoft Patches 167 Flaws, SharePoint Zero-Day Under Attack
Microsoft's April 2026 Patch Tuesday fixes 167 vulnerabilities including CVE-2026-32201, an actively exploited SharePoint zero-day. Eight critical RCE flaws patched.
Microsoft's April 2026 Patch Tuesday dropped with 167 security fixes, making it one of the largest update cycles this year. Two zero-day vulnerabilities stand out: one already exploited in the wild, the other publicly disclosed before a patch existed.
The Actively Exploited SharePoint Flaw
CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server that attackers are actively weaponizing. Microsoft describes it as an improper input validation issue that "allows an unauthorized attacker to perform spoofing over a network."
It is rated "Important" rather than Critical, but don't let the severity rating fool you. Active exploitation means attackers have already figured out how to leverage this for information disclosure and integrity compromise. Organizations running SharePoint should prioritize this patch above others.
The second zero-day, CVE-2026-33825, affects Microsoft Defender. This elevation of privilege vulnerability was publicly disclosed—likely connected to the BlueHammer exploit leak we covered last week when a frustrated researcher dropped working exploit code on GitHub. The fix requires updating to Antimalware Platform version 4.18.26050.3011.
Eight Critical Vulnerabilities
Beyond the zero-days, Microsoft addressed eight Critical-severity flaws, seven of which enable remote code execution:
- CVE-2026-33827 - Windows TCP/IP RCE with a CVSS of 9.8. This one's nasty—network-accessible and requires no user interaction.
- CVE-2026-33826 - Windows Active Directory RCE that could give attackers domain-level access.
- CVE-2026-32157 - Remote Desktop Client use-after-free vulnerability.
- CVE-2026-32190 - Microsoft Office RCE affecting the core Office suite.
- CVE-2026-33115 and CVE-2026-33114 - Two separate Microsoft Word RCE flaws.
- CVE-2026-33824 - Windows IKE Service RCE targeting VPN infrastructure.
- CVE-2026-23666 - .NET Framework denial of service (the lone non-RCE Critical).
The TCP/IP vulnerability deserves immediate attention. Unlike most RCE bugs that require user interaction or specific configurations, network-level flaws can be triggered remotely against any exposed system.
Breakdown by Category
The 167 patched vulnerabilities span multiple categories:
- Elevation of Privilege: 93 vulnerabilities
- Information Disclosure: 21 vulnerabilities
- Remote Code Execution: 20 vulnerabilities
- Security Feature Bypass: 13 vulnerabilities
- Denial of Service: 10 vulnerabilities
- Spoofing: 9 vulnerabilities
Those 93 privilege escalation bugs represent over half the total. Attackers frequently chain these with initial access vulnerabilities: gain a foothold through phishing or an exposed service, then escalate to SYSTEM or domain admin.
Recommendations
If you're running enterprise Windows environments:
- Patch SharePoint immediately - Active exploitation means attackers already have working tools.
- Verify Defender updates - The BlueHammer fix should auto-deploy, but confirm version 4.18.26050.3011 or later.
- Prioritize TCP/IP - CVE-2026-33827 affects any Windows system with network exposure.
- Test AD patches carefully - Active Directory changes can break authentication if deployed wrong.
- Review Office deployment - Multiple RCE vectors in Word and the Office suite.
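For the Defender recommendation above, one way to confirm the Antimalware Platform version across hosts. This is an added example, not from the original article or from Microsoft; the function name Test-DefenderPlatformVersion is hypothetical, and it assumes the Defender PowerShell module is present and that remote hosts allow CIM/WinRM queries.

```powershell
# Added example: audit the Defender Antimalware Platform version on one or more hosts.
# The function name is hypothetical; the minimum version is the one given in the article.
function Test-DefenderPlatformVersion {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$MinimumVersion = '4.18.26050.3011'
    )
    process {
        foreach ($name in $ComputerName) {
            $row = [ordered]@{
                ComputerName    = $name
                PlatformVersion = $null
                Compliant       = $false
                Detail          = ''
            }
            try {
                # Query locally without WinRM; use a CIM session for remote hosts.
                $status = if ($name -eq $env:COMPUTERNAME) {
                    Get-MpComputerStatus -ErrorAction Stop
                } else {
                    Get-MpComputerStatus -CimSession $name -ErrorAction Stop
                }
                # Compare as [version], not as strings: '4.18.9' sorts above
                # '4.18.26050' lexically, which would hide an unpatched host.
                $current = [version]$status.AMProductVersion
                $row.PlatformVersion = $current
                $row.Compliant = ($current -ge $MinimumVersion)
                $row.Detail = "AMRunningMode=$($status.AMRunningMode)"
            }
            catch {
                # Unreachable host or Defender cmdlets missing: report it,
                # and leave Compliant as $false rather than assuming patched.
                $row.Detail = "Query failed: $($_.Exception.Message)"
            }
            [pscustomobject]$row
        }
    }
}

# Local check; pipe a list of host names to audit a fleet.
Test-DefenderPlatformVersion | Format-Table -AutoSize
```

Hosts that fail the query are reported as non-compliant with the error in Detail, so an unreachable machine is never counted as patched.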
Why This Matters
April's patch count continues an upward trend. Microsoft's March 2026 Patch Tuesday addressed 83 CVEs with two zero-days. February hit six zero-days. The pattern suggests either improved vulnerability discovery or increased attacker focus on Microsoft products—probably both.
The SharePoint exploitation is particularly concerning for enterprises. SharePoint deployments often contain sensitive internal documents, project plans, and business communications. A spoofing vulnerability enabling unauthorized access could expose intellectual property or provide reconnaissance for follow-on attacks.
For security teams already stretched thin by recent CISA KEV additions across Fortinet, Adobe, and other vendors, this massive Microsoft update adds significant remediation workload. But with active exploitation confirmed, delay isn't an option.
The full list of patches is available in Microsoft's Security Update Guide. Test where possible, but get these deployed.