Microsoft's April 2026 Patch Tuesday: Second-Largest Ever

Microsoft has released its April 2026 Patch Tuesday updates, addressing a staggering 165 vulnerabilities — making it the second-largest Patch Tuesday on record, just behind the record set in October 2025. Among the fixes is a critical SharePoint Server zero-day that has already been exploited in the wild, raising urgent concerns for organizations running on-premises SharePoint deployments. Security teams should treat this cycle as a high-priority patching event.

CVE-2026-32201: The Actively Exploited SharePoint Zero-Day

The headline vulnerability of this Patch Tuesday is CVE-2026-32201, a spoofing flaw in Microsoft Office SharePoint Server. Despite carrying a CVSS score of 6.5 and an "Important" severity rating — lower than what some might expect for an actively exploited flaw — the real-world risk is significantly elevated due to confirmed in-the-wild exploitation.

Microsoft's advisory describes the issue as improper input validation:

"Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network."

An attacker successfully exploiting this vulnerability may be able to access sensitive information and alter it without authorization. While the identity of the threat actors exploiting CVE-2026-32201 remains unknown, security researchers have noted that the brief description leaves open the possibility that this flaw is being chained with other vulnerabilities to increase impact — a common tactic among sophisticated threat actors targeting enterprise environments.

CISA Adds CVE-2026-32201 to the KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog, and federal agencies have been directed to apply the patch by April 28, 2026. This is not the first time SharePoint has appeared in the KEV list — the catalog now includes 10 SharePoint vulnerabilities in total, underscoring how frequently SharePoint flaws are weaponized by attackers.

19 Vulnerabilities Rated "Exploitation More Likely"

Beyond the confirmed zero-day, Microsoft flagged 19 additional vulnerabilities with an exploitability rating of "Exploitation More Likely," indicating a credible risk of these being targeted in near-term attacks. Security teams should prioritize these alongside CVE-2026-32201.

Components covered by these higher-risk patches include:

  • Windows Boot Loader
  • Active Directory
  • Remote Desktop
  • Windows Hello
  • Storage Space Controllers
  • Windows Search
  • TDI Translation Driver
  • BitLocker
  • Management Console
  • TCP/IP stack
  • Common Log File System Driver
  • UPnP Device Host
  • COM and Shell components
  • Function Discovery Service
  • Desktop Window Manager

The breadth of affected components reflects just how large the attack surface of a modern Windows environment can be — from authentication and networking to UI rendering and storage.

CVE-2026-33825: The "BlueHammer" Microsoft Defender Flaw

One vulnerability that stands out among the "Exploitation More Likely" candidates is CVE-2026-33825, a privilege-escalation vulnerability in Microsoft Defender. What makes this flaw particularly concerning is that it was publicly disclosed before patches were available — a scenario sometimes called a zero-day disclosure or "exploit in the wild without a patch."

This vulnerability is widely believed to be the flaw dubbed "BlueHammer", which a disgruntled security researcher reportedly made public before coordinating with Microsoft. Full public disclosure of an unpatched vulnerability dramatically increases exploitation risk, as it hands potential attackers a detailed roadmap. Organizations relying on Microsoft Defender as a core endpoint protection layer should treat this patch as urgent.

Adobe Also Joins Patch Tuesday With 50+ Fixes

Microsoft wasn't the only major vendor releasing patches this cycle. Adobe patched more than 50 vulnerabilities across 11 products as part of its coordinated Patch Tuesday release. Organizations using Adobe software in their environments — particularly in enterprise or creative workflows — should include Adobe's updates in their patching prioritization alongside Microsoft's.

What This Means for Security Teams

With 165 CVEs addressed in a single release cycle, this Patch Tuesday demands a structured and risk-based response. Here is how security teams should approach it:

  • Immediately patch CVE-2026-32201 on all SharePoint Server instances — active exploitation is confirmed and the CISA deadline is April 28.
  • Prioritize CVE-2026-33825 given its public disclosure status and the central role Microsoft Defender plays in most enterprise security stacks.
  • Review the full list of 19 "Exploitation More Likely" CVEs and map them against your environment's exposed Windows components.
  • Include Adobe patches in your deployment schedule to close additional attack surface.
  • Monitor CISA's KEV catalog for any additional additions from this cycle, as exploitation activity may surface in coming days.

Conclusion

April 2026's Patch Tuesday is a landmark release that demands immediate attention from every organization running Microsoft technologies. The active exploitation of CVE-2026-32201 in SharePoint Server, the public disclosure of the BlueHammer Defender flaw, and the sheer volume of patches — 165 CVEs in a single cycle — paint a clear picture: attackers are aggressive, patch windows are shrinking, and the cost of delay is rising. Treat this cycle as a high-severity event, patch exposed systems without delay, and use the CISA KEV catalog as your floor, not your ceiling.