Microsoft’s April 2026 Patch Tuesday update is one of the largest in recent memory, addressing a staggering 163 CVEs across its product portfolio. Among these, two vulnerabilities have been classified as zero-days — one of which was actively exploited in the wild before a fix was available, and another that was publicly disclosed before the patch landed, with working exploit code already circulating on GitHub.
CVE-2026-32201: SharePoint Spoofing Zero-Day Exploited in the Wild
The first actively exploited zero-day, CVE-2026-32201, is a spoofing vulnerability affecting Microsoft SharePoint. Rated with a CVSSv3 score of 6.5, the flaw has been confirmed by Microsoft as exploited in the wild prior to today’s patch release.
SharePoint is a prime target for threat actors because it is deeply integrated into enterprise workflows and often holds sensitive documents, internal communications, and authentication tokens. Spoofing vulnerabilities in SharePoint have historically been chained with other flaws to enable lateral movement or privilege escalation within corporate networks.
Organizations running on-premises SharePoint deployments should treat this as a critical priority update. SharePoint Online users on Microsoft 365 are protected automatically through Microsoft’s cloud patching process.
CVE-2026-33825: “BlueHammer” — Microsoft Defender EoP with Public Exploit Code
The second zero-day, CVE-2026-33825, is an Elevation of Privilege (EoP) vulnerability in Microsoft Defender, carrying a CVSSv3 score of 7.8. While Microsoft has not confirmed active exploitation, this flaw is arguably more dangerous in the short term due to one critical factor: functional exploit code has been publicly available on GitHub since April 3rd.
The exploit, which the researcher community knows as “BlueHammer”, was published by a researcher using the alias Chaotic Eclipse, who expressed frustration with Microsoft’s handling of the responsible disclosure process. The public release means any threat actor — from sophisticated APT groups to low-skilled script kiddies — can now leverage this exploit against unpatched systems.
- The EoP flaw allows a low-privileged local attacker to escalate to SYSTEM-level privileges on affected Windows machines.
- Defender’s widespread deployment across Windows endpoints makes the attack surface extremely broad.
- Once SYSTEM-level access is obtained, attackers can disable endpoint protections, exfiltrate data, or deploy ransomware.
CVE-2026-33824: Critical Windows IKE RCE (CVSS 9.8)
While not a zero-day, security teams should also immediately prioritize CVE-2026-33824, a critical remote code execution vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions. With a CVSSv3 score of 9.8, it is exploitable by an unauthenticated attacker via crafted packets targeting IKE version 2.
IKE is used widely in VPN and IPsec configurations, making this vulnerability particularly dangerous for organizations that rely on Windows-based VPN infrastructure. Network edge devices are attractive targets, and a pre-auth RCE at CVSS 9.8 with no user interaction required should be treated with the same urgency as a zero-day.
Scale of the April 2026 Patch Tuesday
The 163 CVEs addressed this month span a wide range of Microsoft products and severity levels:
- Critical severity: Multiple RCE vulnerabilities in Windows networking components, Office, and Azure services.
- High severity: Elevation of privilege flaws across Windows kernel, Hyper-V, and various system services.
- Medium/Low: Information disclosure and denial-of-service vulnerabilities in peripheral components.
Security professionals should cross-reference their asset inventories against Microsoft’s full advisory to identify which patches are most relevant for their environment.
Recommended Actions
Given the active exploitation of CVE-2026-32201 and the availability of public exploit code for CVE-2026-33825, organizations should:
- Apply all April 2026 Patch Tuesday updates immediately, prioritizing SharePoint, Defender, and Windows IKE patches.
- Monitor threat intelligence feeds for indicators of compromise related to CVE-2026-32201 exploitation.
- Review GitHub and public exploit repositories for BlueHammer (CVE-2026-33825) to understand the threat landscape.
- Ensure endpoint detection and response (EDR) solutions are updated to detect post-exploitation activity following SYSTEM-level privilege escalation.
- For organizations unable to patch immediately, consider temporary mitigations such as network segmentation around SharePoint servers and restricting IKE traffic at perimeter firewalls.
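The checks above, as an added PowerShell exposure audit that is not part of the original advisory. It assumes a Windows 10/11 or Server host with the Defender and NetTCPIP modules; the release date, the SPTimerV4 service name used to detect on-premises SharePoint, and the decision logic are assumptions, and the fixed Defender build numbers are not stated on this page, so versions are reported rather than judged.

```powershell
# Added example, not from the advisory: a read-only exposure check for the three headline
# CVEs. Assumed: Windows 10/11 or Server with the Defender and NetTCPIP modules; the
# Patch Tuesday date and the SharePoint service name are assumptions.
function Get-AprilPatchExposure {
    param(
        [datetime]$PatchDate = [datetime]'2026-04-14'   # assumed second-Tuesday release date
    )

    # 1. Were any updates installed on or after the assumed release date?
    $recent  = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchDate }
    $patched = [bool]$recent

    # 2. CVE-2026-33824: IKEEXT running with UDP 500/4500 bound means the host accepts
    #    IKEv2 packets; if that interface is reachable by untrusted networks, the pre-auth RCE applies.
    $ikeSvc     = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ikePorts   = Get-NetUDPEndpoint -LocalPort 500,4500 -ErrorAction SilentlyContinue
    $ikeExposed = ($ikeSvc.Status -eq 'Running') -and [bool]$ikePorts

    # 3. CVE-2026-33825 (BlueHammer): record Defender platform/engine versions so they can
    #    be compared with the fixed versions in Microsoft's advisory (not given on this page).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # 4. CVE-2026-32201: on-premises SharePoint is present if its timer service exists
    #    (SPTimerV4 is an assumed service name); SharePoint Online needs no local action.
    $spOnPrem = [bool](Get-Service -Name SPTimerV4 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        UpdatesSincePatchDay = ($recent.HotFixID -join ',')
        AprilUpdatesApplied  = $patched
        IkeServiceRunning    = ($ikeSvc.Status -eq 'Running')
        IkeUdp500_4500Bound  = [bool]$ikePorts
        IkeExposed           = $ikeExposed
        DefenderPlatform     = $mp.AMProductVersion
        DefenderEngine       = $mp.AMEngineVersion
        DefenderRealTimeOn   = $mp.RealTimeProtectionEnabled
        SharePointOnPrem     = $spOnPrem
    }
}

$report = Get-AprilPatchExposure
$report | Format-List

# Warnings in priority order: patch first, restrict or segment only while unpatched.
if (-not $report.AprilUpdatesApplied) { Write-Warning 'No updates since patch day: CVE-2026-32201/33824/33825 fixes likely missing.' }
if ($report.IkeExposed -and -not $report.AprilUpdatesApplied) { Write-Warning 'IKEv2 reachable on an unpatched host: restrict UDP 500/4500 to known VPN peers at the perimeter.' }
if ($report.SharePointOnPrem -and -not $report.AprilUpdatesApplied) { Write-Warning 'On-prem SharePoint unpatched against actively exploited CVE-2026-32201: segment and patch now.' }
```

Run it from an elevated session on each candidate host and feed the objects into your inventory so that the cross-reference against Microsoft's full advisory can be done centrally.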