Microsoft fixes exploited SharePoint flaw in massive Patch Tuesday release
Microsoft released fixes for 165 vulnerabilities across Windows, Office, SharePoint, Defender, SQL Server, Azure, .NET, and other products in one of its largest Patch Tuesday updates on record. The most urgent issue was CVE-2026-32201, an actively exploited improper input validation flaw in SharePoint Server that enables unauthenticated network-based spoofing and was immediately added to CISA's Known Exploited Vulnerabilities catalog. Microsoft also patched CVE-2026-33825, a publicly known Microsoft Defender privilege-escalation bug with proof-of-concept code, and CVE-2026-33824, a critical remote code execution flaw in Windows IKE Service Extensions affecting IPsec/VPN infrastructure. Researchers flagged CVE-2026-33827 in Windows TCP/IP as potentially wormable under certain IPv6 and IPSec configurations.
Other high-impact fixes include CVE-2026-33120, a SQL Server remote code execution flaw that paired with a separate privilege escalation bug (CVE-2026-32176) could enable full server compromise, and CVE-2026-32220, a UEFI Secure Boot bypass that could allow untrusted code to load during the boot process. The release also addressed elevation of privilege flaws across Desktop Window Manager, WinSock, TDI Translation Driver, Windows Push Notifications, Function Discovery Service, WSUS, Remote Desktop Licensing, Azure Monitor Agent, and Windows kernel components; security feature bypasses in Windows Hello, PowerShell, BitLocker, and Windows Shell; information disclosure bugs in Windows GDI, Print Spooler, Web Account Manager, UPnP Device Host, and the Windows kernel; and denial-of-service issues in .NET/Visual Studio and Windows RDBSS. Cumulative updates for Windows Server 2022 and 23H2 bundled security hardening for Kerberos, RDP, Secure Boot, and WDS, with Microsoft warning that Secure Boot certificates begin expiring in June 2026.
Timeline
Apr 15, 2026
JPCERT/CC issues alert on Microsoft's April 2026 updates
On April 15, 2026, JPCERT/CC published advisory JPCERT-AT-2026-0010 warning about Microsoft's April 2026 security updates. The alert specifically noted active exploitation of SharePoint flaw CVE-2026-32201 and urged organizations to apply updates promptly.
Apr 14, 2026
CISA adds SharePoint CVE-2026-32201 to KEV catalog
Shortly after disclosure, CISA added the actively exploited SharePoint flaw CVE-2026-32201 to its Known Exploited Vulnerabilities catalog. Reporting said the agency also directed FCEB agencies to remediate the issue by April 28, 2026.
Apr 14, 2026
Microsoft fixes BitLocker bypass vulnerability CVE-2026-27913
Microsoft patched CVE-2026-27913, an Important Windows BitLocker security feature bypass vulnerability that could undermine Secure Boot and the boot chain with local access. Microsoft said there was no evidence of active exploitation or public exploit code, but assessed exploitation as more likely in the near future.
Apr 14, 2026
Microsoft patches critical Windows IKE RCE CVE-2026-33824
Microsoft's April 14 updates included CVE-2026-33824, a critical remote code execution vulnerability in Windows Internet Key Exchange (IKE) Service Extensions. Researchers highlighted it as especially dangerous for internet-facing VPN and IPsec environments because of its low complexity and pre-authentication reachability.
Apr 14, 2026
Public exploit code highlighted for Defender CVE-2026-33825
At the time of Microsoft's April 14 release, security reporting noted that CVE-2026-33825 already had public proof-of-concept or exploit code available, including code linked by outside researchers to GitHub. Microsoft assessed exploitation as more likely, though no in-the-wild abuse was reported.
Apr 14, 2026
Microsoft patches publicly known Defender flaw CVE-2026-33825
Microsoft patched CVE-2026-33825, a publicly known elevation-of-privilege vulnerability in Microsoft Defender that could let a low-privileged local attacker gain SYSTEM privileges. The issue affected Defender platform versions up to 4.18.26020.6 and was fixed in version 4.18.26030.3011.
Apr 14, 2026
Microsoft ships SharePoint security updates for CVE-2026-32201
Microsoft released SharePoint security updates on April 14, 2026 to remediate CVE-2026-32201, including KB5002861 for SharePoint Server 2016 and KB5002853 for SharePoint Server Subscription Edition; reporting also noted fixes for SharePoint Server 2019. Microsoft advised Workflow Manager prerequisites for some deployments before applying the updates.
Apr 14, 2026
Microsoft discloses exploited SharePoint zero-day CVE-2026-32201
Microsoft disclosed CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability caused by improper input validation, and said it was being actively exploited in the wild. The flaw can be exploited over the network without authentication to spoof trusted SharePoint content and potentially expose or alter sensitive information.
Apr 14, 2026
Microsoft releases April 2026 Patch Tuesday fixes
On April 14, 2026, Microsoft published its April Patch Tuesday security updates, addressing roughly 165-169 vulnerabilities across Windows, Office, SharePoint, SQL Server, Defender, and other products. Multiple reports described it as Microsoft's second-largest monthly patch release on record.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
5 more from sources like jpcert jp alerts, arctic wolf blog, cyberscoop and msrc security advisories
Related Stories
Microsoft Patches 163 Flaws Including Exploited SharePoint Bug and Defender Zero-Day
Microsoft released fixes for **163 vulnerabilities** in its April Patch Tuesday update, marking one of its largest security releases on record. The bundle includes **8 Critical** flaws, **154 Important** issues, and **1 Moderate** bug, with seven of the Critical vulnerabilities enabling remote code execution across products and components including **Windows TCP/IP**, **Windows IKE Service Extensions**, **Active Directory**, **Remote Desktop Client**, **Microsoft Office**, and **Microsoft Word**. Belgian authorities urged organizations to apply the updates immediately. The most urgent issues include **`CVE-2026-32201`**, an actively exploited **Microsoft SharePoint Server** vulnerability that was added to CISA’s Known Exploited Vulnerabilities catalog, and **`CVE-2026-33825`** in **Microsoft Defender**, a publicly disclosed zero-day tied to proof-of-concept code associated with the **BlueHammer** exploit. Microsoft also shipped Windows 11 cumulative updates with security hardening changes, including safer handling of **`.rdp`** files and improved visibility into **Secure Boot** certificates, while the broader patch set addressed numerous elevation-of-privilege and security feature bypass flaws that could support post-compromise escalation.
1 weeks ago
Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities
Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.
1 months ago
Microsoft Patch Tuesday Fixes Six Actively Exploited Zero-Days Including Windows Shell SmartScreen Bypass
Microsoft released its February Patch Tuesday security updates addressing **~58–59 vulnerabilities** across Windows and other products, including **six zero-day flaws confirmed as actively exploited in the wild** and **five Critical** issues. Reported vulnerability classes were led by **Elevation of Privilege (25)**, followed by **Remote Code Execution (12)** and **Security Feature Bypass (5)**, with additional fixes for spoofing, information disclosure, DoS, and XSS; Microsoft also noted additional *Edge* fixes shipped outside the prior Patch Tuesday cadence, including an Android spoofing issue (`CVE-2026-0391`). One of the actively exploited zero-days highlighted across reporting is `CVE-2026-21510`, a **Windows Shell security feature bypass** that can be abused to evade **Mark-of-the-Web/SmartScreen-style warnings** by using specially crafted files (e.g., shortcut/link formats) so that untrusted content can execute without expected prompts, making it well-suited to phishing and social-engineering delivery. Separate coverage also noted Microsoft’s rollout of **updated Secure Boot certificates** ahead of the June 2026 expiration of legacy 2011 certificates, a change with broad implications for Windows boot integrity and enterprise device management.
1 months ago