Microsoft's April 2026 Patch Tuesday has delivered one of the most significant security updates in the company's history, addressing 165 vulnerabilities — making it the second-largest Patch Tuesday ever recorded, just behind October 2025's record-breaking release. Among the fixes is a critical SharePoint Server zero-day already being exploited in the wild, along with 19 additional vulnerabilities rated as likely to be weaponized in future attacks.

CVE-2026-32201: The Exploited SharePoint Zero-Day

The headline vulnerability this cycle is CVE-2026-32201, a spoofing flaw in Microsoft Office SharePoint Server that has been confirmed as actively exploited before a patch was available. Microsoft classified it as "important" with a CVSS score of 6.5.

According to Microsoft's advisory, improper input validation in SharePoint allows an unauthorized remote attacker to perform spoofing over a network, potentially enabling access to sensitive information and modification of that data. The relatively moderate CVSS score belies the real-world risk — the flaw is already being leveraged in attacks.

"Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network." — Microsoft Security Advisory

Security researchers note that the brief and somewhat vague description from Microsoft raises the possibility that CVE-2026-32201 is being chained with other vulnerabilities to achieve broader compromise. The identity of the threat actors exploiting this flaw and their motivations remain unknown at the time of publication.

CISA Acts: Federal Patch Deadline Set

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) moved quickly, adding CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog and mandating that federal civilian agencies apply the patch by April 28, 2026. This is consistent with the agency's posture on SharePoint flaws — the KEV catalog already listed 10 prior SharePoint vulnerabilities before this addition.

Organizations outside the federal government are strongly advised to treat this deadline as a benchmark and prioritize patching SharePoint Server deployments immediately, particularly those exposed to the internet or used to handle sensitive internal data.

19 Vulnerabilities Flagged as "Exploitation More Likely"

Beyond the confirmed zero-day, Microsoft assigned its "exploitation more likely" rating to 19 additional vulnerabilities patched this month. This rating signals that Microsoft's own analysts believe these flaws are attractive targets that could realistically be weaponized in the near term.

Among the most notable in this group is CVE-2026-33825, a privilege escalation vulnerability in Microsoft Defender. Unlike most Patch Tuesday entries, this flaw was publicly disclosed before patches were made available — a scenario that dramatically increases exploitation risk. Security researchers believe CVE-2026-33825 corresponds to the vulnerability publicly nicknamed "BlueHammer", which a disgruntled security researcher reportedly released ahead of any coordinated disclosure process.

Windows Components at Elevated Risk

The broader pool of vulnerabilities flagged as more likely to be exploited spans a wide range of core Windows components. Organizations should prioritize assessment and patching across the following affected subsystems:

• Authentication & Identity: Active Directory, Windows Hello
• Remote Access: Remote Desktop Services
• Storage & File Systems: Storage Space Controllers, Common Log File System Driver, BitLocker
• Networking: TCP/IP, TDI Translation Driver, UPnP Device Host
• System Components: Boot Loader, Windows Search, Management Console, COM, Shell, Function Discovery Service, Desktop Window Manager

The sheer breadth of affected components underscores the importance of treating this Patch Tuesday as a high-priority update cycle rather than routine maintenance.

Historical Context: The Second-Largest Patch Tuesday Ever

Satnam Narang, Senior Staff Research Engineer at Tenable, confirmed that this release is the second-largest Patch Tuesday in Microsoft's history by CVE count, narrowly behind the October 2025 release. Patching fatigue is a real concern for security teams, but a release of this scale demands structured triage: prioritize actively exploited vulnerabilities and those rated "exploitation more likely" first, then work through the remainder by exposure and criticality.

Adobe Also Ships Major Security Update

Coinciding with Microsoft's release, Adobe published fixes for more than 50 vulnerabilities spanning 11 products as part of its own April 2026 security update cycle. Organizations running Adobe software alongside Microsoft products should incorporate these patches into the same emergency patching window where possible to reduce the overall remediation timeline.

Conclusion: Prioritize Now, Especially SharePoint

April 2026's Patch Tuesday demands immediate attention from every security and IT operations team. The active exploitation of CVE-2026-32201 in SharePoint, combined with the public disclosure of CVE-2026-33825 (BlueHammer) in Microsoft Defender and 17 additional high-risk vulnerabilities, creates a dense and urgent remediation workload.

Start with SharePoint Server — apply the patch, check CISA's KEV catalog for guidance, and review network logs for indicators of exploitation. Then move to Defender and the broader Windows component stack. With 165 CVEs in a single release, there is no room for delay on the highest-severity items. Use vendor CVSS scores and Microsoft's own exploitability ratings as your triage framework, and treat the April 28 federal deadline as a hard target for your own patching timeline.