Microsoft has released its April 2026 Patch Tuesday security update, addressing a record-breaking 168 vulnerabilities across its product portfolio — the largest monthly patch bundle in recent years. The update includes fixes for one actively exploited zero-day and one publicly disclosed vulnerability, making immediate patching an urgent priority for security teams worldwide.
The Actively Exploited Zero-Day: CVE-2026-32201
The most critical issue this month is CVE-2026-32201, a Microsoft SharePoint Server Spoofing Vulnerability that is currently being actively exploited in the wild. Attackers leveraging this flaw can conduct spoofing attacks against SharePoint environments, potentially manipulating server-side requests and tricking users or systems into believing they are communicating with a trusted source.
Microsoft has confirmed active exploitation and urges organizations running on-premises SharePoint deployments to apply the patch immediately. SharePoint Online customers hosted in Microsoft’s cloud infrastructure are already protected and do not need to take manual action. However, with over 1,370 internet-facing SharePoint servers still unpatched as of reporting time, the window for attackers remains dangerously wide open.
Publicly Disclosed Vulnerability: CVE-2026-33825
A second high-priority vulnerability this cycle is CVE-2026-33825, a Microsoft Defender Antimalware Platform Elevation of Privilege flaw that was publicly disclosed before this patch cycle. The vulnerability stems from insufficient access-control granularity (CWE-1220) within the Defender platform. A standard, non-administrative user account is sufficient to trigger the privilege escalation, granting an attacker full SYSTEM privileges on the affected machine.
The flaw had its technical details and proof-of-concept code shared publicly by researcher “Chaotic Eclipse,” significantly increasing the likelihood of real-world exploitation. Microsoft rates exploitation as “More Likely,” and security teams should treat this as near-equivalent to an actively exploited zero-day.
Critical Remote Code Execution Vulnerabilities
Among the 168 patched vulnerabilities, eight are rated Critical. Nearly all of these are Remote Code Execution (RCE) vulnerabilities, with two especially alarming entries:
- Windows TCP/IP RCE: A network-level flaw that can be exploited without any user interaction in certain configurations, making it a prime target for automated attacks and potentially worm-like propagation across enterprise networks.
- Active Directory RCE: Attackers with access to a domain controller environment could exploit this to gain arbitrary code execution, posing catastrophic risks to enterprise network integrity, authentication, and identity infrastructure.
Scope of This Month’s Release
The April 2026 update addresses vulnerabilities across a broad range of Microsoft products and components, including:
- Windows 10, 11, and Server (2019, 2022, 2025)
- Microsoft Office and Microsoft 365 applications
- Microsoft SharePoint Server (on-premises)
- Windows TCP/IP stack
- Active Directory Domain Services
- Microsoft Defender Antimalware Platform
- Azure and cloud-connected service components
- .NET Framework and Visual Studio
Prioritization Guidance for Security Teams
With 168 vulnerabilities to address, a clear prioritization strategy is essential:
- Immediate (within 24–48 hours): Patch CVE-2026-32201 on all on-premises SharePoint servers. Active exploitation is confirmed and the threat is ongoing.
- High Priority (within 72 hours): Address CVE-2026-33825 (Defender EoP) and all Critical-rated RCE vulnerabilities, especially those in Windows TCP/IP and Active Directory. Public PoC code is already circulating.
- Standard (within 30 days): Apply all remaining Important and Moderate patches as part of your regular update cadence.
Known Issues With This Update
Security administrators should be aware of a significant side effect: Microsoft has confirmed that some Windows Server 2025 domain controllers are entering reboot loops after installing cumulative update KB5082063. A subset of affected systems is also failing to install the update entirely, returning error code 0x800F0983. Microsoft recommends pausing deployment of KB5082063 on domain controllers and monitoring the Windows Server release health dashboard for resolution updates before proceeding with patching on those systems.
Conclusion
April 2026’s Patch Tuesday is one of the most consequential monthly update releases Microsoft has ever issued. The combination of a historically high vulnerability count, an actively exploited zero-day in a widely deployed enterprise platform, a publicly disclosed privilege escalation flaw, and multiple Critical-rated RCE vulnerabilities demands immediate action from security and IT operations teams. Organizations should begin emergency patching procedures now, while carefully monitoring for the known domain controller reboot issue before deploying broadly in server environments.