Microsoft’s April 2026 Patch Tuesday is officially the second-largest in the company’s history, addressing a staggering 167 vulnerabilities across its product portfolio. Among the fixes are two confirmed zero-day vulnerabilities — one of which is under active exploitation in the wild. Security teams are strongly urged to prioritize these updates immediately.
The Actively Exploited Zero-Day: CVE-2026-32201
The most critical fix in this month’s batch is CVE-2026-32201, an improper input validation flaw in Microsoft SharePoint Server. Rated with an ‘Important’ severity and a CVSS score of 6.5, this spoofing vulnerability allows an unauthorized attacker to perform network-based spoofing attacks against SharePoint environments. Microsoft has confirmed this vulnerability has been actively exploited in the wild prior to the patch’s release, making immediate patching a top priority for any organization running on-premises SharePoint.
Threat intelligence researchers have noted that CVE-2026-32201 has been chained with other post-authentication techniques to escalate access within compromised networks. While the CVSS score may appear moderate, the fact of active exploitation elevates its real-world urgency considerably.
Windows Defender Race Condition: CVE-2026-33825
The second zero-day patched this month is CVE-2026-33825, a race condition vulnerability in Windows Defender’s file remediation logic. Dubbed “BlueHammer” by the researchers who discovered it, this flaw can be leveraged by a local, unprivileged attacker to overwrite arbitrary files on the target system, ultimately achieving SYSTEM-level code execution.
A fully functional proof-of-concept exploit dubbed BlueHammer was publicly disclosed on April 7, 2026, alongside the vulnerability details — giving attackers a ready-made weapon before a patch was available. Microsoft has rated this as a publicly disclosed, publicly exploited vulnerability and recommends emergency deployment of the April updates on all Windows endpoints.
Scale of This Month’s Updates
Beyond the two zero-days, the April 2026 Patch Tuesday addresses 167 CVEs in total, spanning:
- 8 Critical vulnerabilities, primarily in Windows components and Hyper-V
- Remote Code Execution (RCE) flaws in Microsoft Office, Azure, and the .NET runtime
- Elevation of Privilege (EoP) vulnerabilities across Windows kernel and core services
- Information Disclosure bugs in Edge and Internet Explorer compatibility mode
- Security Feature Bypass issues in Secure Boot and BitLocker
Analysts at CrowdStrike and Tenable have both highlighted this as an unusually large release, noting that the volume of critical RCE bugs alone justifies emergency change-window procedures for most enterprise environments.
Affected Products and Recommended Actions
The affected software list is broad and includes Windows 10 through Windows 11 (all versions), Windows Server 2016 through 2025, Microsoft 365 Apps for Enterprise, SharePoint Server 2016/2019/Subscription Edition, Azure, Edge, and the .NET 6/8 runtime. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both zero-days to its Known Exploited Vulnerabilities (KEV) catalog.
- Apply the April 2026 cumulative update to all Windows endpoints and servers immediately
- Prioritize SharePoint Server patching for CVE-2026-32201, especially internet-facing deployments
- Review Windows Defender definitions and ensure the engine update for CVE-2026-33825 is deployed
- Audit SharePoint server logs for spoofing or unusual authentication activity since March 2026
Context: A Record-Breaking Patch Cycle
Security researchers tracking Patch Tuesday trends note that the April 2026 release is the second-largest on record by CVE count. The record was set in late 2024. The sheer volume reflects Microsoft’s ongoing consolidation of security fixes and, analysts argue, a broader increase in vulnerability research activity targeting Microsoft’s ecosystem. Organizations struggling with patch velocity should review their vulnerability management SLAs and consider automated patching tooling to keep pace.
As always, Secure Bulletin recommends testing patches in a non-production environment before broad deployment, but given the active exploitation of CVE-2026-32201, the risk calculus this month clearly favours speed over caution for the zero-day fixes.