# Microsoft's Massive April Patch Tuesday Fixes Actively Exploited SharePoint Zero-Day and 164 Other Flaws

**Microsoft Issues Patches for Actively Exploited SharePoint Zero-Day (CVE-2026-32201) in Massive April 2026 Update**

Advisory | Severity: critical | Categories: Patch Management, Vulnerability, Cyberattack | Published 2026-04-16 | Updated 2026-04-22 (Update 1) | Reading time: 5 minutes

Microsoft's April 2026 Patch Tuesday release was one of its largest ever, addressing 165 vulnerabilities across its product suite. The most urgent fix targets CVE-2026-32201, a SharePoint Server spoofing vulnerability that was actively exploited in the wild before the patch shipped. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating a swift response. The update also includes patches for eight critical-rated vulnerabilities, among them remote code execution bugs such as a potentially "wormable" flaw in the Windows TCP/IP stack, making this a high-priority update for all organizations.

## Executive Summary
Microsoft's April 2026 Patch Tuesday is one of the most significant security updates in recent history, addressing a total of **165 vulnerabilities**. The centerpiece of this release is a patch for **[CVE-2026-32201](https://www.cve.org/CVERecord?id=CVE-2026-32201)**, a spoofing vulnerability in **[Microsoft SharePoint Server](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration)** that was under active exploitation before the fix became available. Because of its in-the-wild exploitation, the **[U.S. Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov)** has added it to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency of immediate patching. The update also remediates eight critical-rated flaws, including multiple remote code execution (RCE) vulnerabilities in core Windows components such as the TCP/IP stack and the Internet Key Exchange (IKE) service. Given the scale of the update and the presence of an actively exploited zero-day, security teams must prioritize deployment of these patches.

---

## Vulnerability Details
This month's Patch Tuesday addresses a wide array of flaws, with the most notable being:

*   **CVE-2026-32201 - Microsoft SharePoint Server Spoofing Vulnerability (CVSS 6.5, Actively Exploited):** This is the most urgent issue this month. Despite its medium CVSS score, it was exploited before a patch existed. It is a spoofing vulnerability resulting from improper input validation. An unauthenticated attacker can exploit this flaw over a network to view and modify sensitive information. Security researchers note that spoofing flaws in SharePoint often manifest as cross-site scripting (XSS), allowing an attacker to execute malicious script in the context of a victim's browser session on the SharePoint site.

*   **CVE-2026-33827 - Windows TCP/IP Remote Code Execution Vulnerability (CVSS 8.1, Critical):** This is a potentially "wormable" vulnerability. A remote, unauthenticated attacker could execute arbitrary code without any user interaction, but only on systems where both IPv6 and IPsec are enabled. The potential for self-propagation across a network makes this extremely dangerous on exposed hosts that meet that condition.

*   **CVE-2026-33824 - Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability (CVSS 9.8, Critical):** This flaw in the Windows IKE service, which is used to negotiate IPsec VPN connections, could allow an unauthenticated attacker to achieve RCE on an affected server. Because IKE endpoints are by design reachable from the internet, this poses a severe risk to network perimeter security.

*   **CVE-2026-33825 - Microsoft Defender Elevation of Privilege Vulnerability (CVSS 7.8, Publicly Disclosed):** This vulnerability was publicly disclosed, and a proof-of-concept exploit named "BlueHammer" was published on GitHub before the patch. While exploitation may be unreliable, the public availability of the code increases the risk of attacks aiming to gain higher privileges on an already compromised system.

## Affected Systems
The vulnerabilities impact a broad range of **[Microsoft](https://www.microsoft.com/security)** products, with the most critical flaws affecting:
- **Microsoft SharePoint Server**
- **Windows TCP/IP Stack** (on systems with both IPv6 and IPsec enabled)
- **Windows Internet Key Exchange (IKE) Service Extensions**
- **Microsoft Defender**
- **Windows Active Directory**
- **Windows Remote Desktop**

## Exploitation Status
**[CISA](https://www.cisa.gov)** has confirmed that **CVE-2026-32201** is being actively exploited in the wild. As a result, it has been added to the KEV catalog, with a directive for U.S. federal agencies to apply the patch by April 28, 2026. Additionally, **CVE-2026-33825** has been publicly disclosed with an available PoC, increasing its likelihood of exploitation.

## Impact Assessment
The business impact of these vulnerabilities is severe. Exploitation of **CVE-2026-32201** could lead to data theft, modification of sensitive corporate information stored on SharePoint sites, and phishing campaigns launched from a trusted internal platform. A successful attack on **CVE-2026-33827** or **CVE-2026-33824** could result in full system compromise, allowing attackers to deploy ransomware, exfiltrate data, or establish a persistent foothold for lateral movement within the corporate network. The "wormable" nature of the TCP/IP flaw presents a risk of a widespread, automated outbreak similar to past incidents like WannaCry, although the IPv6-plus-IPsec precondition narrows the population of reachable hosts.

## Cyber Observables for Detection
Security teams should hunt for the following indicators:

| Type | Value | Description |
|---|---|---|
| url_pattern | `/_layouts/` or `/pages/` with script-like syntax in parameters | Potential SharePoint XSS attempts related to CVE-2026-32201. Look for unexpected parameters or script tags on layout pages (WAF and web proxy logs). |
| log_source | SharePoint ULS logs and IIS logs | Monitor for anomalous requests, especially those containing script-like syntax. A 401 challenge followed by a 200 from the same client is normal NTLM/Kerberos negotiation; repeated 403s from one client followed by a success are more interesting. |
| network_traffic_pattern | Unusual outbound traffic from SharePoint servers | Could indicate data exfiltration or C2 communication after compromise. |
| event_id | `5156` (Windows Filtering Platform connection permitted) | Requires the "Filtering Platform Connection" audit subcategory. Monitor for connections to the IKE service (UDP 500/4500) from untrusted sources (also visible in firewall logs and NetFlow) or unusual IPv6 traffic. |
| process_name | `MsMpEng.exe` | Monitor for the Defender engine process spawning unexpected child processes such as `cmd.exe` or `powershell.exe`, or crashing, which could indicate exploitation of CVE-2026-33825 (EDR telemetry, Windows Event ID 4688). |

## Detection & Response
1.  **Vulnerability Scanning:** Immediately run authenticated vulnerability scans against all Windows assets to identify systems missing the April 2026 updates, prioritizing SharePoint servers.
2.  **Log Analysis (D3-NTA: Network Traffic Analysis):** Scrutinize web server logs of internet-facing SharePoint servers for unusual requests, especially those containing HTML or JavaScript syntax in URL parameters. Monitor firewall and VPN logs for anomalous IKE traffic patterns.
3.  **Endpoint Detection and Response (EDR):** Deploy EDR queries to hunt for signs of privilege escalation involving Microsoft Defender processes. Look for `MsMpEng.exe` spawning suspicious child processes like `powershell.exe` or `cmd.exe`.
4.  **Threat Hunting:** Proactively hunt for evidence of XSS on SharePoint sites by reviewing recently modified pages and web parts for injected scripts.

## Mitigation
1.  **Patch Immediately (D3-SU: Software Update):** The highest priority is to apply the April 2026 security updates to all internet-facing **[Microsoft SharePoint Server](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration)** instances to remediate **CVE-2026-32201**. Follow immediately with patches for servers running IKE and other critical systems.
2.  **Network Segmentation (D3-NI: Network Isolation):** Restrict access to SharePoint management interfaces and other critical services. Ensure that IKE/IPsec endpoints are reachable only from trusted IP ranges.
3.  **Web Application Firewall (WAF):** If patching is delayed, configure WAF rules to inspect and block suspicious requests to SharePoint containing patterns indicative of XSS or other injection attacks. This is a compensating control, not a replacement for patching.
4.  **Disable Unnecessary Services (D3-ACH: Application Configuration Hardening):** Where IPv6 or IPsec is genuinely not required on specific systems, consider disabling it to remove the precondition for **CVE-2026-33827**. Microsoft does not recommend disabling IPv6 broadly, and Windows components depend on it, so test carefully to avoid operational disruption.

## Vulnerabilities at a Glance

| CVE | CVSS 3.1 | Severity | In CISA KEV |
|---|---|---|---|
| CVE-2026-32201 | 6.5 | medium | yes |
| CVE-2026-33825 | 7.8 | high | no |
| CVE-2026-33827 | 8.1 | high | no |
| CVE-2026-33824 | 9.8 | critical | no |

## MITRE ATT&CK Mapping

| Technique | Name | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1059.007 | JavaScript | Execution |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1210 | Exploitation of Remote Services | Lateral Movement |

## Mitigations (ATT&CK / D3FEND)

| ATT&CK Mitigation | D3FEND Technique | Application |
|---|---|---|
| M1051 Update Software | [D3-SU Software Update](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate) | Applying the April 2026 security updates from Microsoft is the primary and most effective mitigation for all vulnerabilities discussed. |
| M1037 Filter Network Traffic | [D3-NI Network Isolation](https://d3fend.mitre.org/technique/d3f:NetworkIsolation) | Restricting internet access to SharePoint servers and IKE/VPN endpoints to trusted IP addresses reduces the attack surface. |
| M1021 Restrict Web-Based Content | [D3-ITF Inbound Traffic Filtering](https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering) | A WAF that filters requests containing script tags or other signs of XSS can serve as a compensating control for the SharePoint vulnerability. |
| M1042 Disable or Remove Feature or Program | [D3-ACH Application Configuration Hardening](https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening) | Disabling IPv6 on systems where it is not explicitly required can mitigate the risk from the "wormable" TCP/IP vulnerability (CVE-2026-33827). |

## Timeline
- 2026-04-14 (Patch Tuesday): Microsoft releases its April 2026 update, addressing 165 vulnerabilities.
- 2026-04-15: CISA adds SharePoint vulnerability CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog.
- 2026-04-22: Update 1 to this advisory.
- 2026-04-28: Deadline for U.S. federal agencies to patch CVE-2026-32201 as mandated by CISA.

## Impact Scope
Geographic scope: global. Industries affected: Technology, Government, Finance, Healthcare. Also affected: users of Microsoft products generally.

Tags: Patch Tuesday, Zero-Day, SharePoint, Remote Code Execution, Spoofing, CISA KEV, Microsoft

## Sources
Outlet tallies range from 163 to 168 CVEs; the difference comes from whether republished third-party (for example Chromium-based Edge) CVEs are counted alongside Microsoft's own.

- Security Affairs, 2026-04-15: [Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day](https://securityaffairs.com/161986/security/microsoft-patch-tuesday-april-2026.html)
- The Hacker News, 2026-04-15: [Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities](https://thehackernews.com/2026/04/microsoft-issues-patches-for-sharepoint.html)
- BleepingComputer, 2026-04-14: [Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days](https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/)
- Cybersecurity Dive, 2026-04-15: [Medium-severity flaw in Microsoft SharePoint exploited](https://www.cybersecuritydive.com/news/microsoft-sharepoint-vulnerability-exploited/713217/)
- Centre for Cybersecurity Belgium (ccb.belgium.be), 2026-04-15: [Warning: Microsoft Patch Tuesday April 2026 patches 163 vulnerabilities (8 Critical, 154 Important, 1 Moderate), patch Immediately!!](https://www.ccb.belgium.be/en/warning-microsoft-patch-tuesday-april-2026-patches-163-vulnerabilities-8-critical-154-important)

## Update 1 (2026-04-22)
Detailed analysis of the actively exploited SharePoint zero-day (CVE-2026-32201) with specific observables and remediation guidance. Additional sources:

- CrowdStrike: [April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs](https://www.crowdstrike.com/blog/april-2026-patch-tuesday/)
- [21st April 2026 Cyber Update: Microsoft's Zero Day - Record Patch Super Cycle in Review](https://www.сиbernews-centre.com/21st-april-2026-cyber-update-microsofts-zero-day-record-patch-super-cycle-in-review)
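As an added example for the Detection & Response steps above (this is not code from the advisory, from Microsoft, or from any of the cited outlets), the following Python script runs the two log-based hunts over constructed sample data: IIS W3C log lines from a SharePoint front end, checked for script-like syntax in requests to `/_layouts/` or `/pages/` (CVE-2026-32201), and Security Event ID 4688 process-creation records, checked for `MsMpEng.exe` spawning a shell (CVE-2026-33825). The IP addresses, usernames, file paths and the `<version>` path component are constructed; the column names follow the IIS W3C `#Fields` header and the 4688 event fields, and the choice of which tags and handlers count as "script-like" is this example's own.

```python
import ntpath
import re
from urllib.parse import unquote_plus

# --- Observable 1: script-like syntax in requests to SharePoint layout/page URLs ---

# Constructed IIS W3C log excerpt (not captured from a real server). The #Fields
# header drives the column parsing, so a real log with another column order works.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-14 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 200
2026-04-14 09:12:07 10.0.0.5 GET /_layouts/15/viewlsts.aspx View=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%27%3C%2Fscript%3E 443 - 203.0.113.9 curl/8.0 200
2026-04-14 09:13:30 10.0.0.5 GET /sites/hr/pages/default.aspx img=x+onerror%3Dalert(1) 443 - 203.0.113.9 curl/8.0 200
2026-04-14 09:14:00 10.0.0.5 GET /sites/hr/Shared%20Documents/report.docx - 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 200
"""

TARGET_PATH_RE = re.compile(r"/(?:_layouts|pages)/", re.IGNORECASE)

# Deliberately narrow (common XSS primitives, not every angle bracket) so the hunt
# yields a short list a human can review.
SCRIPT_RE = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|\bon(?:error|load|click|mouseover|focus|blur)\s*="
    r"|<\s*(?:img|svg|iframe|object|embed)\b",
    re.IGNORECASE,
)


def _decode(value: str) -> str:
    """URL-decode twice: double encoding is a common filter-evasion trick, and a
    second pass is a no-op on text with no remaining %xx sequences."""
    return unquote_plus(unquote_plus(value))


def parse_iis_w3c(log_text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # column count mismatch: skip rather than misalign fields
        yield dict(zip(fields, values))


def hunt_sharepoint_requests(log_text: str) -> list:
    """Return requests to /_layouts/ or /pages/ whose decoded path or query
    carries script-like syntax (the CVE-2026-32201 observable)."""
    findings = []
    for rec in parse_iis_w3c(log_text):
        stem = _decode(rec["cs-uri-stem"])
        query = "" if rec["cs-uri-query"] == "-" else _decode(rec["cs-uri-query"])
        if not TARGET_PATH_RE.search(stem):
            continue
        match = SCRIPT_RE.search(query) or SCRIPT_RE.search(stem)
        if match:
            findings.append({"time": f"{rec['date']} {rec['time']}", "c_ip": rec["c-ip"],
                             "stem": stem, "decoded_query": query,
                             "status": rec["sc-status"], "matched": match.group(0)})
    return findings


# --- Observable 2: Defender engine spawning a shell (CVE-2026-33825) ---

# Constructed records shaped like Security Event ID 4688. ParentProcessName is
# logged on Windows 10 / Server 2016 and later; CommandLine needs the
# "Include command line in process creation events" policy enabled.
_DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe"
SAMPLE_4688 = [
    {"TimeCreated": "2026-04-16T08:00:01Z", "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": _DEFENDER, "CommandLine": '"MsMpEng.exe"'},  # normal service start
    {"TimeCreated": "2026-04-16T08:03:12Z", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},  # user-launched shell, parent is not Defender
    {"TimeCreated": "2026-04-16T08:05:44Z", "ParentProcessName": _DEFENDER,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\w.txt"},
    {"TimeCreated": "2026-04-16T08:05:45Z", "ParentProcessName": _DEFENDER,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c whoami"},
]

DEFENDER_PARENTS = {"msmpeng.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}


def hunt_defender_children(events: list) -> list:
    """Return 4688 records where MsMpEng.exe is the parent of a shell or LOLBin."""
    hits = []
    for ev in events:
        # ntpath handles backslash paths regardless of the analyst's host OS
        parent = ntpath.basename(ev.get("ParentProcessName", "")).lower()
        child = ntpath.basename(ev.get("NewProcessName", "")).lower()
        if parent in DEFENDER_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append({"time": ev.get("TimeCreated"), "parent": parent, "child": child,
                         "command_line": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for f in hunt_sharepoint_requests(SAMPLE_IIS_LOG):
        print("SharePoint:", f["time"], f["c_ip"], f["stem"], repr(f["matched"]))
    for h in hunt_defender_children(SAMPLE_4688):
        print("Defender:", h["time"], h["parent"], "->", h["child"], h["command_line"])
```

Run against the constructed data, the first hunt flags the two requests from 203.0.113.9 (the `<script>` payload on a `/_layouts/` page and the `onerror=` handler on a `/pages/` URL) and ignores the benign requests, and the second flags the `cmd.exe` and `powershell.exe` children of `MsMpEng.exe` but not the service start or the explorer-launched shell. Both hunts are deliberately precise rather than exhaustive: a 403-then-200 sequence from one client, mentioned in the observables table, is worth a separate query keyed on `c-ip`, but note that a 401 followed by 200 is ordinary NTLM negotiation on SharePoint and should not be alerted on.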