Microsoft April 2026 Patch Tuesday: 163 Vulnerabilities, 2 Zero-Days, and What to Do About It

Reza

What Happened on April 2026 Patch Tuesday

Microsoft released patches for 163 security vulnerabilities on April 8, 2026. Eight of those are rated Critical. Two are zero-days, meaning attackers either knew about them before the patch existed or were already using them in real attacks.

That's not a typo. One hundred sixty-three vulnerabilities in a single monthly update. And this is on top of 80 additional patches for Microsoft Edge that shipped earlier in the month.

If your business runs Windows, Microsoft 365, SharePoint, or Remote Desktop - and almost every business does - this one matters. Here's a plain-language breakdown of what you need to know and what to do first.

The Two Zero-Day Vulnerabilities

Zero-days get the most attention because they represent flaws that attackers can exploit before a fix is available. This month, there are two.

CVE-2026-32201: SharePoint Server Spoofing (Actively Exploited)

This is the bigger concern. CVE-2026-32201 is an improper input validation flaw in Microsoft SharePoint Server. It allows an unauthenticated attacker to spoof a legitimate user on the network, potentially reading or modifying sensitive data.

Microsoft confirmed this vulnerability is being actively exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog and set a federal patching deadline of April 28, 2026.

The CVSS score is 6.5 (Important, not Critical), which might make it seem like a lower priority. It is not. Active exploitation trumps severity ratings. If your organization uses SharePoint Server on-premises, patch this immediately.

What makes this one tricky: in a SharePoint environment, spoofing a user means an attacker could plant false documents, alter shared files, or use the foothold for social engineering. Think of it as someone gaining a trusted seat at your company's collaboration table.

CVE-2026-33825: Microsoft Defender Elevation of Privilege (Publicly Disclosed)

CVE-2026-33825 targets Microsoft Defender itself, the built-in antivirus and anti-malware platform on Windows. An authenticated attacker who already has local access can exploit an insufficient access control flaw to escalate their privileges to SYSTEM level.

SYSTEM is the highest privilege level on a Windows machine. At that point, the attacker can disable security tools, install persistent malware, harvest credentials, and move laterally to other machines on the network. The CVSS score is 7.8.

This vulnerability has been publicly disclosed, meaning the technical details are out there. A proof-of-concept demonstrating SYSTEM-level privilege escalation has already been shared. That typically accelerates exploitation.

The silver lining: if your Defender installations are set to receive automatic updates (which they should be), this patch deploys automatically. If Defender is disabled on a system, that system is not vulnerable to this specific flaw.

The Critical Vulnerabilities You Should Know About

Beyond the zero-days, eight vulnerabilities earned a Critical severity rating. Several of these deserve immediate attention.

CVE-2026-33824: Windows IKE Service - CVSS 9.8

This is the highest-scored vulnerability this month. CVE-2026-33824 affects the Windows Internet Key Exchange (IKE) service, which handles secure IPsec tunnel negotiation for VPN connections and encrypted network traffic.

An unauthenticated attacker can send specially crafted packets to any Windows machine running IKE version 2 and potentially execute arbitrary code remotely. No user interaction required. No authentication needed.

If your business uses Windows-based VPN or IPsec, this is the one to patch first. Microsoft found this vulnerability internally before it was exploited in the wild, but with a 9.8 CVSS score and no authentication requirement, it is only a matter of time before exploit code shows up.

Temporary mitigation: block or restrict inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE. For systems that do, configure those ports to accept traffic only from known peer addresses.

CVE-2026-33827: Windows TCP/IP Remote Code Execution

CVE-2026-33827 is a race condition in Windows TCP/IP that lets an unauthenticated attacker send a specially crafted IPv6 packet to a Windows machine with IPSec enabled, leading to remote code execution. If your network uses IPv6 with IPSec, prioritize this patch.

CVE-2026-33826: Windows Active Directory RCE

CVE-2026-33826 allows an authenticated attacker to execute code on an adjacent network by sending a specially crafted RPC call to an Active Directory host. For any business running on-premises Active Directory (which is most of them), this needs to be addressed quickly.

Microsoft Office: Word, PowerPoint, and the Preview Pane Problem

Three Critical-severity RCE vulnerabilities hit Microsoft Office this month: CVE-2026-32190 (PowerPoint), CVE-2026-33114, and CVE-2026-33115 (Word).

All three can be triggered through the Preview Pane in Outlook or File Explorer. That means a user does not even need to open a malicious document - just previewing it is enough to execute code.

If your team regularly receives email attachments (and who does not), update Microsoft Office and Microsoft 365 apps as soon as possible.

Remote Desktop Gets a Security Upgrade

There is one positive development worth highlighting. CVE-2026-26151 is technically a "spoofing vulnerability," but it actually represents a security improvement. Starting this month, the Remote Desktop Connection app shows new security warnings when users open RDP files.

Remote Desktop Protocol has been one of the most common initial access vectors for ransomware attacks for years. Adding friction with security warnings when opening RDP files is a welcome change. Make sure your systems pick up this update so your team gets the benefit of the improved warnings.

Adobe Patches: Do Not Overlook These

Adobe released 12 security advisories fixing 56 vulnerabilities across Acrobat Reader, Illustrator, Photoshop, ColdFusion, Bridge, and several other products. Thirty-eight of those vulnerabilities are rated Critical.

If your business uses Adobe Acrobat Reader (and most do for PDF handling), update it. Sophos flagged a Critical-severity prototype pollution bug in Adobe Reader and Acrobat that is worth paying attention to.

What This Means for Small and Mid-Sized Businesses

Here is the reality: 163 patches is a lot. No small business IT team is going to individually assess every single one. That is fine. Here is what matters:

Patch Priority List (Do These First)

  1. SharePoint Server - CVE-2026-32201 is actively exploited. If you run on-prem SharePoint, this is number one.
  2. Windows IKE/VPN systems - CVE-2026-33824 (CVSS 9.8) has no authentication requirement. Any internet-facing Windows VPN server is exposed.
  3. Microsoft Office and 365 apps - Three Critical RCEs via Preview Pane. Your team receives email attachments daily.
  4. Microsoft Defender - CVE-2026-33825 should auto-update, but verify it did. Check your Defender version.
  5. Active Directory servers - CVE-2026-33826 if you run on-prem AD.
  6. Adobe Acrobat Reader - 38 Critical vulnerabilities. Update it.
  7. Everything else - Apply remaining Windows updates during your next maintenance window.

How to Check Your Windows Update Status

For individual machines:

  1. Open Settings and go to Windows Update
  2. Click Check for updates
  3. Install any available updates and restart when prompted
  4. Check again after restart to confirm the status shows "You're up to date"

For businesses using managed IT services, your provider should already be rolling these patches through your environment. If you have not heard from them about this month's update cycle, ask.

Why Monthly Patching Is Not Optional Anymore

Some businesses still treat patching as something that happens "when we get around to it." The numbers tell a different story.

April 2026 alone brought 163 vulnerabilities, including actively exploited zero-days. Malwarebytes noted this month makes patching look more like "patch the entire stack" - servers, endpoints, network gear, browsers, and mobile devices.

Microsoft identified 24 vulnerabilities this month that they expect to be exploited within the next 30 days. Twenty-four. That is not a theoretical risk - it is a countdown.

For businesses in regulated industries like healthcare (HIPAA) or automotive (FTC Safeguards Rule), failing to patch known vulnerabilities is not just a security risk. It is a compliance violation with real financial penalties.

The Case for Automated Patch Management

Manual patching does not scale. Even a 20-person office with a mix of desktops, laptops, and a server or two faces a real challenge keeping everything current every month.

Automated patch management solves this by testing and deploying patches on a schedule, with reporting that confirms everything actually installed correctly. It also handles the Adobe, Chrome, and third-party application updates that are easy to forget but just as important.

Elevation of Privilege: The Dominant Threat Category

Here is an interesting pattern in this month's data: 93 of 163 vulnerabilities (57%) are elevation of privilege flaws. That is not a coincidence.

Modern attacks follow a predictable pattern: gain initial access through phishing or an exposed service, then escalate privileges to take over the machine, then move laterally across the network. Elevation of privilege vulnerabilities are the middle step, and attackers need them.

This is why endpoint detection and response (EDR) tools matter. Traditional antivirus catches known malware. EDR watches for the behavior patterns that indicate privilege escalation and lateral movement, even when the specific exploit is brand new.

It is also why security awareness training matters. The initial access often comes from a phishing email. If your team can spot the phish, the attacker never gets the chance to escalate.

Looking Ahead

Sophos analysts observed that April and October tend to be high-volume patch months historically. The cumulative elevation of privilege total jumped 73% in April alone. If that trend continues, businesses need a patching process that can handle these surges without falling behind.

May's Patch Tuesday lands on May 12, 2026. Set a calendar reminder now.

FAQ

How quickly should my business apply the April 2026 patches?

The SharePoint zero-day (CVE-2026-32201) should be patched immediately if you run on-prem SharePoint, since it is actively exploited. CISA set a deadline of April 28. For the IKE vulnerability (CVE-2026-33824, CVSS 9.8), patch any internet-facing VPN servers within days. For everything else, aim to complete patching within two weeks of release. Microsoft expects 24 of this month's vulnerabilities to be exploited within 30 days.

Does this affect Microsoft 365 cloud users or only on-premises?

Both. The SharePoint zero-day specifically targets SharePoint Server (on-premises). However, the Office RCE vulnerabilities (Word, PowerPoint via Preview Pane) affect both Microsoft 365 and on-premises Office installations. Windows vulnerabilities affect any machine running Windows, regardless of whether you use cloud or on-prem services. Microsoft 365 cloud services are generally patched by Microsoft, but client-side apps still need updates on your machines.

Can I just rely on Windows automatic updates?

Partially. Windows Update handles OS patches, and Defender updates automatically if configured correctly. But it does not cover Adobe products, third-party software, or some Microsoft products like SharePoint Server. Businesses should verify updates actually installed, since auto-updates can fail silently due to disk space issues, pending restarts, or policy conflicts. A managed patch management solution provides the verification layer that auto-updates alone lack.

What should I do if my business cannot patch right away?

For the IKE vulnerability (CVE-2026-33824), you can temporarily mitigate risk by blocking or restricting inbound UDP traffic on ports 500 and 4500. For the Office Preview Pane vulnerabilities, you can disable the Preview Pane in Outlook and File Explorer as a short-term measure. For SharePoint, restrict network access to your SharePoint server to trusted IPs if possible. These are stopgaps, not solutions. Plan to patch within the CISA deadline.

How does patch management tie into compliance requirements?

HIPAA, the FTC Safeguards Rule, PCI DSS, and most cyber insurance policies require timely patching of known vulnerabilities. When a vendor releases a patch for an actively exploited vulnerability, the clock starts ticking on your obligation to apply it. Failing to patch CVE-2026-32201 after CISA's April 28 deadline, for example, could be cited in a compliance audit or insurance claim denial. Documented patch management processes are a baseline expectation for any compliance framework.

---

Keeping up with monthly patch cycles is one of those IT tasks that seems routine until the month you skip it. If your business needs help building a patching process that actually works, or you want someone to handle it entirely, we are happy to help. You can also reach us at (949) 381-1010.

Check our other posts

Cybersecurity insider threat concept with broken digital lock
by
Reza

A Ransomware Negotiator Was Working for the Hackers. Here's How to Vet Your IT Security Vendors.

April 21, 2026
ClickFix phishing attack concept with fake verification popup on computer screen
by
Reza

ClickFix Attacks: The Phishing Trick That Gets You to Install Your Own Malware

April 16, 2026
Cybersecurity endpoint protection concept
by
Reza

BYOVD Ransomware: How Hackers Are Bypassing Your Endpoint Protection

April 14, 2026
From remote IT support in Orange County to full business IT support services, we make technology simple, secure, and cost-effective.
Main Pages
Infrastructure and Cloud
Managed IT Services
Professional IT Services
IT Security
Industries
Areas We Serve
Other Pages
About usBlogRemote SupportTestimonialContact UsSitemapQR
Let's Talk
(949) 381-1010
info@burgitech.com
California
2522 Chambers Rd. Suite 100, Tustin CA 92780
10535 Foothill Blvd. Suite 365 Rancho Cucamonga, CA 91730
Washington
600 1st Ave. Suite 102 Seattle, WA 98104
Arizona
4742 N 24th St Suite 300 Phoenix, AZ 85016
Want to know more? Find our Privacy Policy, Disclaimer and Terms of Services.
©2025 Burgi Technologies
""