Microsoft has released its latest Patch Tuesday security updates, addressing a total of 169 vulnerabilities across its software ecosystem. Among these is a zero-day vulnerability in SharePoint Server that is currently being exploited in real-world attacks.
Breakdown of Vulnerabilities
Out of the 169 identified flaws:
- 157 are classified as Important
- 8 are marked Critical
- 3 fall under Moderate severity
- 1 is rated Low
A large portion of these issues, around 93 vulnerabilities, are related to privilege escalation. Other categories include:
- 21 information disclosure flaws
- 21 remote code execution (RCE) vulnerabilities
- 14 security feature bypass issues
- 10 spoofing vulnerabilities
- 9 denial-of-service (DoS) flaws
Additionally, four vulnerabilities that were not issued directly by Microsoft affect external technologies such as AMD, Node.js, Windows Secure Boot, and Git for Windows.
Microsoft also confirmed that this update comes after fixing 78 additional issues in its Chromium-based Edge browser over the past month.
Second Largest Patch Tuesday Release
This update stands as the second-largest Patch Tuesday release in Microsoft’s history, just behind October 2025, which recorded 183 vulnerabilities.
Security experts note that 2026 may continue the trend of exceeding 1,000 patched vulnerabilities annually. Privilege escalation flaws remain the most common, accounting for 57% of all fixes this month, while RCE vulnerabilities have dropped to around 12%.
SharePoint Zero-Day Under Active Exploitation
The most critical concern is CVE-2026-32201, a spoofing vulnerability affecting Microsoft SharePoint Server.
This flaw is caused by improper input validation, allowing attackers to impersonate trusted content over a network. Successful exploitation may allow attackers to:
- Access sensitive data
- Modify information
- Mislead users through fake interfaces
However, it does not directly impact system availability.
Although Microsoft discovered the issue internally, details about how the attacks are being carried out and who is behind them remain unclear.
Due to active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch it before April 28, 2026.
Microsoft Defender Privilege Escalation Vulnerability
Another important issue is CVE-2026-33825, a privilege escalation flaw in Microsoft Defender with a CVSS score of 7.8.
This vulnerability allows attackers with limited access to elevate their privileges locally due to insufficient access control mechanisms.
Microsoft stated that:
- The fix is automatically applied via Defender updates
- Systems with Defender disabled are not affected
This issue is linked to a publicly disclosed exploit known as BlueHammer, which appeared on GitHub earlier in April 2026.
BlueHammer Exploit Details
The BlueHammer exploit leverages Windows features such as:
- Volume Shadow Copy
- Cloud Files callbacks
- Opportunistic locks (oplocks)
By abusing these mechanisms, attackers can:
- Access sensitive registry files (SAM, SYSTEM, SECURITY)
- Extract NTLM password hashes
- Gain administrative control
- Execute commands with SYSTEM-level privileges
Although security researchers confirmed that the exploit has now been patched, some related behaviors may still exist.
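For defenders, the hive access described above can be hunted in file-access telemetry. The following is an added example, not code from the article or from Microsoft: it scans constructed, simplified Windows Security 4663-style records for reads of SAM, SYSTEM or SECURITY through a shadow-copy device path by any account other than LocalSystem. The field layout, the sample values, and the premise that BlueHammer-style access shows up in this form (object-access auditing must be enabled) are assumptions.

```python
import json
import re

# Hive files named in the article, reached through a shadow-copy device path.
HIVE_VIA_VSS = re.compile(
    r"\\Device\\HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)$",
    re.IGNORECASE,
)
LOCAL_SYSTEM_SID = "S-1-5-18"

# Constructed sample events (simplified 4663-style fields, not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID": 4663, "SubjectUserSid": "S-1-5-18", "ProcessName": "C:\\Backup\\agent.exe", "ObjectName": "\\Device\\HarddiskVolumeShadowCopy3\\Windows\\System32\\config\\SAM"}
{"EventID": 4663, "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001", "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "ObjectName": "\\Device\\HarddiskVolumeShadowCopy3\\Windows\\System32\\config\\SAM"}
{"EventID": 4663, "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001", "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "ObjectName": "\\Device\\HarddiskVolumeShadowCopy3\\Windows\\System32\\config\\SECURITY"}
{"EventID": 4663, "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001", "ProcessName": "C:\\Windows\\explorer.exe", "ObjectName": "\\Device\\HarddiskVolumeShadowCopy3\\Users\\alice\\Documents\\report.docx"}
{"EventID": 4624, "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001"}
{"EventID": 4663, "ObjectName":
"""


def find_hive_reads(lines):
    """Return (sid, process, hive) for non-SYSTEM hive reads via shadow copies."""
    findings = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed records, keep scanning
        if event.get("EventID") != 4663:
            continue  # only object-access events carry ObjectName
        match = HIVE_VIA_VSS.search(event.get("ObjectName", ""))
        sid = event.get("SubjectUserSid", "")
        # Reads by LocalSystem (e.g. backup agents) are expected; anything else is not.
        if match and sid != LOCAL_SYSTEM_SID:
            findings.append((sid, event.get("ProcessName", "?"), match.group(1).upper()))
    return findings


if __name__ == "__main__":
    for sid, proc, hive in find_hive_reads(SAMPLE_EVENTS):
        print(f"ALERT {hive} hive read via shadow copy by {sid} ({proc})")
```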
Critical Remote Code Execution in Windows IKE Service
One of the most severe vulnerabilities addressed is CVE-2026-33824, a remote code execution flaw in the Windows Internet Key Exchange (IKE) Service Extensions, with a CVSS score of 9.8.
Attackers can exploit this flaw by sending specially crafted network packets to systems with IKEv2 enabled.
This vulnerability is particularly dangerous because:
- It requires no user interaction
- It targets systems exposed to the internet
- It can lead to complete system compromise
Organizations using VPN or IPsec services are especially at risk, as these rely on IKE protocols for secure communication.


