[{"data":1,"prerenderedAt":182},["ShallowReactive",2],{"article-slug-microsoft-april-2026-patch-tuesday-fixes-167-flaws-including-two-zero-days":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":40,"sources":65,"events":86,"mitre_techniques":92,"mitre_mitigations":108,"d3fend_countermeasures":126,"iocs":137,"cyber_observables":138,"tags":163,"extract_datetime":168,"article_type":169,"impact_scope":170,"pub_date":180,"reading_time_minutes":181,"createdAt":168,"updatedAt":168},"14f46649-6f18-44ea-92dd-420793606564","microsoft-april-2026-patch-tuesday-fixes-167-flaws-including-two-zero-days","Microsoft's Colossal April 2026 Patch Tuesday: 167 Flaws Patched, Two Zero-Days Under Fire","Microsoft's April 2026 Patch Tuesday Addresses 167 Vulnerabilities, Including Actively Exploited SharePoint Flaw and Publicly Disclosed Defender Bug","Microsoft has released one of its largest security updates ever for April 2026, patching 167 vulnerabilities across its product ecosystem. The update is critically important, as it addresses two zero-day vulnerabilities: an actively exploited spoofing flaw in SharePoint Server (CVE-2026-32201) which has been added to CISA's KEV catalog, and a publicly disclosed privilege escalation flaw in Microsoft Defender (CVE-2026-33825). The update also fixes eight critical vulnerabilities, including a near-perfect CVSS 9.8 RCE flaw in the Windows IKE Service (CVE-2026-33824), underscoring the urgent need for organizations to apply these patches immediately.","## Executive Summary\nMicrosoft's April 2026 Patch Tuesday is one of the most substantial security updates in recent history, addressing 167 distinct vulnerabilities. The update includes patches for eight critical flaws and, most notably, two zero-day vulnerabilities. 
The first, **[CVE-2026-32201](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)**, is a spoofing vulnerability in **[Microsoft SharePoint Server](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration)** that is being actively exploited in the wild. The second, **CVE-2026-33825**, is a privilege escalation flaw in **[Microsoft Defender](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint)** that was publicly disclosed before a patch was available. A record 57% of the patched flaws were for elevation of privilege, highlighting a significant focus area for attackers. Given the active exploitation and public disclosure, organizations are urged to prioritize the deployment of these updates to mitigate immediate risks.\n\n---\n\n## Vulnerabilities Addressed\nThis month's update is extensive, covering a wide range of products including Microsoft Windows, Office, .NET Framework, and Active Directory. The two zero-days represent the most immediate threat.\n\n### Actively Exploited SharePoint Spoofing Vulnerability (CVE-2026-32201)\n- **CVE ID:** `CVE-2026-32201`\n- **CVSS Score:** 6.5 (Medium)\n- **Description:** A spoofing vulnerability exists in Microsoft SharePoint Server due to improper input validation. An unauthenticated, remote attacker can exploit this to perform a spoofing attack, potentially tricking users into trusting malicious content or revealing sensitive information. The attack vector allows an adversary to modify some sensitive information within the SharePoint environment.\n- **Exploitation Status:** Confirmed active exploitation in the wild. 
**[CISA](https://www.cisa.gov)** has added this to its Known Exploited Vulnerabilities (KEV) catalog, with a remediation deadline of April 28, 2026, for federal agencies.\n\n### Publicly Disclosed Defender Privilege Escalation (CVE-2026-33825)\n- **CVE ID:** `CVE-2026-33825`\n- **CVSS Score:** 7.8 (High)\n- **Description:** A privilege escalation vulnerability in the Microsoft Defender anti-malware platform. A locally authenticated attacker can exploit this flaw to gain SYSTEM-level privileges, enabling them to disable security controls, install persistent malware, or take full control of the host. An exploit for this vulnerability, known as \"BlueHammer,\" was published on GitHub prior to the patch release.\n- **Exploitation Status:** Publicly disclosed, with PoC exploit code available. Microsoft notes that Defender typically updates automatically, mitigating risk for many users.\n\n### Critical Remote Code Execution Vulnerabilities\nAmong the eight critical vulnerabilities, two are particularly concerning:\n- **`CVE-2026-33824` (CVSS 9.8):** A remote code execution (RCE) vulnerability in the Windows Internet Key Exchange (IKE) Service. An unauthenticated attacker could send a specially crafted IP packet to a target machine, potentially leading to remote code execution.\n- **`CVE-2026-33827` (CVSS 8.1):** A race condition vulnerability in the Windows TCP/IP stack that could also lead to RCE.\n\n---\n\n## Impact Assessment\nThe active exploitation of **CVE-2026-32201** poses a direct threat to organizations using on-premises SharePoint servers for collaboration and document management. A successful spoofing attack could lead to phishing, credential theft, or the distribution of malware within a trusted corporate environment. 
The business impact could range from data leakage to significant operational disruption if users are deceived by malicious content.\n\nThe public availability of the **BlueHammer** exploit for **CVE-2026-33825** significantly increases the risk of post-compromise privilege escalation. Attackers who have already gained an initial foothold can use this flaw to quickly achieve full system control, bypassing security measures and establishing a persistent presence. This is a critical link in the attack chain for ransomware and APT groups.\n\n## Cyber Observables for Detection\nSecurity teams should hunt for signs of exploitation related to these vulnerabilities:\n\n| Type | Value | Description |\n|---|---|---|\n| Log Source | SharePoint ULS Logs | Monitor for unusual or malformed requests that could indicate attempts to exploit `CVE-2026-32201`. |\n| Process Execution | `powershell.exe` or `cmd.exe` spawning from Defender processes | Suspicious child processes from `MsMpEng.exe` could indicate exploitation of `CVE-2026-33825`. |\n| Network Traffic | Unusual traffic on UDP port 500/4500 | Monitor for malformed IKE packets targeting the Windows IKE service related to `CVE-2026-33824`. |\n| EDR/Endpoint Logs | `MsMpEng.exe` crashes or restarts | Instability in the Defender service could be a sign of exploitation attempts. |\n\n## Deployment Priority\n1.  **Internet-Facing SharePoint Servers:** These are the highest priority and must be patched immediately to defend against active exploitation of `CVE-2026-32201`.\n2.  **All Windows Endpoints and Servers:** The Microsoft Defender patch for `CVE-2026-33825` should be verified. While automatic updates should handle this, manual verification is prudent, especially on critical assets.\n3.  **VPN Servers and Perimeter Devices:** Systems running the Windows IKE service must be patched to prevent RCE attacks via `CVE-2026-33824`.\n4.  
**All Other Systems:** A phased rollout should be completed as quickly as possible, prioritizing critical servers and then general user workstations.\n\n## Mitigation and Remediation\n**Immediate Actions:**\n1.  **Apply Patches:** The primary mitigation is to apply the April 2026 security updates from Microsoft immediately. Use Windows Update, WSUS, or your standard patch management solution.\n2.  **Verify Defender Updates:** For `CVE-2026-33825`, ensure Microsoft Defender anti-malware platform and engine versions are up-to-date. This typically happens automatically but should be confirmed.\n3.  **Monitor Logs:** Increase monitoring of SharePoint and Windows logs for any signs of anomalous activity, especially related to the observables listed above.\n\n**Strategic Recommendations:**\n- **Reduce Attack Surface:** Restrict access to SharePoint management interfaces and limit exposure of the Windows IKE service to trusted networks only. This is a key D3FEND hardening technique.\n- **Assume Breach:** Hunt for evidence of post-compromise activity. The availability of the BlueHammer exploit means attackers may already be inside your network looking to elevate privileges.\n- **Review Privilege Model:** The high number of privilege escalation flaws patched this month reinforces the need for least-privilege access controls and robust privileged account management (PAM) solutions.","🚨 Microsoft's April Patch Tuesday is massive, fixing 167 flaws! Includes patches for an actively exploited SharePoint zero-day (CVE-2026-32201) & a public Defender EoP flaw (CVE-2026-33825). Patch NOW. 
#PatchTuesday #CyberSecurity #ZeroDay","Microsoft's April 2026 Patch Tuesday update addresses 167 security vulnerabilities, including two zero-days: an actively exploited SharePoint spoofing flaw (CVE-2026-32201) and a public Microsoft Defender privilege escalation bug (CVE-2026-33825).",[13,14,15],"Patch Management","Vulnerability","Cyberattack","critical",[18,22,26,29,33,36,38],{"name":19,"type":20,"url":21},"Microsoft","vendor","https://www.microsoft.com/security",{"name":23,"type":24,"url":25},"Microsoft SharePoint Server","product","https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration",{"name":27,"type":24,"url":28},"Microsoft Defender","https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint",{"name":30,"type":31,"url":32},"CISA","government_agency","https://www.cisa.gov",{"name":34,"type":35},"BlueHammer","malware",{"name":37,"type":24},"Windows",{"name":39,"type":24},"Windows Internet Key Exchange Service",[41,45,49,52,55,57,59,61,63],{"id":42,"cvss_score":43,"severity":44},"CVE-2026-32201",6.5,"medium",{"id":46,"cvss_score":47,"severity":48},"CVE-2026-33825",7.8,"high",{"id":50,"cvss_score":51,"severity":16},"CVE-2026-33824",9.8,{"id":53,"cvss_score":54,"severity":48},"CVE-2026-33827",8.1,{"id":56},"CVE-2026-23666",{"id":58},"CVE-2026-32157",{"id":60},"CVE-2026-32190",{"id":62},"CVE-2026-33114",{"id":64},"CVE-2026-33826",[66,71,76,81],{"url":67,"title":68,"friendly_name":69,"website":70},"https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/","Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days","BleepingComputer","bleepingcomputer.com",{"url":72,"title":73,"friendly_name":74,"website":75},"https://www.securityweek.com/microsoft-patches-exploited-sharepoint-zero-day-and-160-other-vulnerabilities/","Microsoft Patches Exploited SharePoint Zero-Day and 160 Other 
Vulnerabilities","SecurityWeek","securityweek.com",{"url":77,"title":78,"friendly_name":79,"website":80},"https://thehackernews.com/2026/04/microsoft-issues-patches-for-sharepoint.html","Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities","The Hacker News","thehackernews.com",{"url":82,"title":83,"friendly_name":84,"website":85},"https://blog.malwarebytes.com/threat-intelligence/2026/04/april-patch-tuesday-fixes-two-zero-days-including-one-under-active-attack/","April Patch Tuesday fixes two-zero-days, including one under active attack","Malwarebytes","blog.malwarebytes.com",[87,90],{"datetime":88,"summary":89},"2026-04-14T00:00:00Z","Microsoft releases its April 2026 Patch Tuesday security updates.",{"datetime":88,"summary":91},"CISA adds CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog.",[93,97,101,105],{"id":94,"name":95,"tactic":96},"T1190","Exploit Public-Facing Application","Initial Access",{"id":98,"name":99,"tactic":100},"T1068","Exploitation for Privilege Escalation","Privilege Escalation",{"id":102,"name":103,"tactic":104},"T1210","Exploitation of Remote Services","Lateral Movement",{"id":106,"name":107,"tactic":100},"T1548","Abuse Elevation Control Mechanism",[109,114,118,122],{"id":110,"name":111,"description":112,"domain":113},"M1051","Update Software","Applying the security updates from Microsoft is the primary and most effective mitigation for all vulnerabilities discussed.","enterprise",{"id":115,"name":116,"description":117,"domain":113},"M1037","Filter Network Traffic","Restrict access to the Windows IKE service (UDP ports 500/4500) to only trusted IP ranges to reduce the attack surface for CVE-2026-33824.",{"id":119,"name":120,"description":121,"domain":113},"M1047","Audit","Enable and monitor detailed logging for SharePoint and Windows systems to detect potential exploitation attempts and post-compromise activity.",{"id":123,"name":124,"description":125,"domain":113},"M1026","Privileged Account 
Management","Implementing least-privilege principles can limit the impact of privilege escalation vulnerabilities like CVE-2026-33825.",[127,132],{"technique_id":128,"technique_name":129,"url":130,"recommendation":131,"mitre_mitigation_id":110},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","The most critical action is to immediately deploy Microsoft's April 2026 security updates. For the actively exploited SharePoint flaw (CVE-2026-32201), prioritize patching internet-facing servers within 24 hours. Use automated tools like WSUS, Microsoft Endpoint Configuration Manager, or third-party patch management solutions to ensure comprehensive coverage. For CVE-2026-33825, verify that Microsoft Defender's anti-malware engine has automatically updated. Establish a post-patch verification process using vulnerability scanners to confirm that the patches have been successfully applied and the vulnerabilities are remediated across all relevant assets. Treat the KEV-listed CVE as an emergency change request to bypass normal testing cycles for perimeter systems.",{"technique_id":133,"technique_name":134,"url":135,"recommendation":136,"mitre_mitigation_id":115},"D3-ITF","Inbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering","As a compensating control for CVE-2026-33824 (Windows IKE RCE), configure perimeter firewalls and network security groups to strictly limit access to UDP ports 500 and 4500. These ports should only be accessible from known and trusted peer IP addresses, such as partner VPN gateways. Deny all other inbound traffic to these ports from the internet. This network-level hardening significantly reduces the attack surface, preventing unauthenticated attackers from reaching the vulnerable service. 
This measure is crucial for buying time if immediate patching is not feasible and should be maintained even after patching as a defense-in-depth practice.",[],[139,144,149,154,157],{"type":140,"value":141,"description":142,"context":143,"confidence":48},"log_source","SharePoint ULS Logs","Logs for Microsoft SharePoint Server which may contain evidence of exploitation attempts against CVE-2026-32201.","SIEM and Log Management",{"type":145,"value":146,"description":147,"context":148,"confidence":44},"event_id","4688","Windows Process Creation events. Monitor for suspicious child processes spawning from MsMpEng.exe, such as powershell.exe or cmd.exe.","Windows Security Event Log",{"type":150,"value":151,"description":152,"context":153,"confidence":44},"port","500","Default port for IKE traffic. Monitor for anomalous or malformed UDP packets related to CVE-2026-33824.","Network Intrusion Detection System (NIDS) or Netflow Analysis",{"type":150,"value":155,"description":156,"context":153,"confidence":44},"4500","Default port for IKE NAT traversal. Monitor for anomalous or malformed UDP packets related to CVE-2026-33824.",{"type":158,"value":159,"description":160,"context":161,"confidence":162},"process_name","MsMpEng.exe","The core service for Microsoft Defender. Unexplained crashes or restarts could indicate instability caused by exploitation attempts for CVE-2026-33825.","Endpoint Detection and Response (EDR) or Windows System Event Log","low",[164,165,19,166,27,42,46,30,167],"Patch Tuesday","Zero-Day","SharePoint","KEV","2026-04-15T15:00:00.000Z","Advisory",{"geographic_scope":171,"industries_affected":172,"other_affected":178},"global",[173,174,175,176,177],"Technology","Government","Finance","Healthcare","Manufacturing",[179],"Users of Microsoft products","2026-04-15",5,1776358270181]