Microsoft fixes exploited SharePoint flaw in massive Patch Tuesday release
Microsoft released fixes for 165 vulnerabilities across Windows, Office, SharePoint, Defender, SQL Server, Azure, .NET, and other products in one of its largest Patch Tuesday updates on record. The most urgent issue was CVE-2026-32201, an actively exploited improper input validation flaw in SharePoint Server that enables unauthenticated network-based spoofing and was immediately added to CISA's Known Exploited Vulnerabilities catalog. Microsoft also patched CVE-2026-33825, a publicly known Microsoft Defender privilege-escalation bug with proof-of-concept code, and CVE-2026-33824, a critical remote code execution flaw in Windows IKE Service Extensions affecting IPsec/VPN infrastructure. Researchers flagged CVE-2026-33827 in Windows TCP/IP as potentially wormable under certain IPv6 and IPSec configurations.
Other high-impact fixes include CVE-2026-33120, a SQL Server remote code execution flaw that paired with a separate privilege escalation bug (CVE-2026-32176) could enable full server compromise, and CVE-2026-32220, a UEFI Secure Boot bypass that could allow untrusted code to load during the boot process. The release also addressed elevation of privilege flaws across Desktop Window Manager, WinSock, TDI Translation Driver, Windows Push Notifications, Function Discovery Service, WSUS, Remote Desktop Licensing, Azure Monitor Agent, and Windows kernel components; security feature bypasses in Windows Hello, PowerShell, BitLocker, and Windows Shell; information disclosure bugs in Windows GDI, Print Spooler, Web Account Manager, UPnP Device Host, and the Windows kernel; and denial-of-service issues in .NET/Visual Studio and Windows RDBSS. Cumulative updates for Windows Server 2022 and 23H2 bundled security hardening for Kerberos, RDP, Secure Boot, and WDS, with Microsoft warning that Secure Boot certificates begin expiring in June 2026.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
JPCERT/CC issues alert on Microsoft's April 2026 updates
On April 15, 2026, JPCERT/CC published advisory JPCERT-AT-2026-0010 warning about Microsoft's April 2026 security updates. The alert specifically noted active exploitation of SharePoint flaw CVE-2026-32201 and urged organizations to apply updates promptly.
CISA adds SharePoint CVE-2026-32201 to KEV catalog
Shortly after disclosure, CISA added the actively exploited SharePoint flaw CVE-2026-32201 to its Known Exploited Vulnerabilities catalog. Reporting said the agency also directed FCEB agencies to remediate the issue by April 28, 2026.
Microsoft fixes BitLocker bypass vulnerability CVE-2026-27913
Microsoft patched CVE-2026-27913, an Important Windows BitLocker security feature bypass vulnerability that could undermine Secure Boot and the boot chain with local access. Microsoft said there was no evidence of active exploitation or public exploit code, but assessed exploitation as more likely in the near future.
Microsoft patches critical Windows IKE RCE CVE-2026-33824
Microsoft's April 14 updates included CVE-2026-33824, a critical remote code execution vulnerability in Windows Internet Key Exchange (IKE) Service Extensions. Researchers highlighted it as especially dangerous for internet-facing VPN and IPsec environments because of its low complexity and pre-authentication reachability.
Public exploit code highlighted for Defender CVE-2026-33825
At the time of Microsoft's April 14 release, security reporting noted that CVE-2026-33825 already had public proof-of-concept or exploit code available, including code linked by outside researchers to GitHub. Microsoft assessed exploitation as more likely, though no in-the-wild abuse was reported.
Microsoft patches publicly known Defender flaw CVE-2026-33825
Microsoft patched CVE-2026-33825, a publicly known elevation-of-privilege vulnerability in Microsoft Defender that could let a low-privileged local attacker gain SYSTEM privileges. The issue affected Defender platform versions up to 4.18.26020.6 and was fixed in version 4.18.26030.3011.
Microsoft ships SharePoint security updates for CVE-2026-32201
Microsoft released SharePoint security updates on April 14, 2026 to remediate CVE-2026-32201, including KB5002861 for SharePoint Server 2016 and KB5002853 for SharePoint Server Subscription Edition; reporting also noted fixes for SharePoint Server 2019. Microsoft advised Workflow Manager prerequisites for some deployments before applying the updates.
Microsoft discloses exploited SharePoint zero-day CVE-2026-32201
Microsoft disclosed CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability caused by improper input validation, and said it was being actively exploited in the wild. The flaw can be exploited over the network without authentication to spoof trusted SharePoint content and potentially expose or alter sensitive information.
Microsoft releases April 2026 Patch Tuesday fixes
On April 14, 2026, Microsoft published its April Patch Tuesday security updates, addressing roughly 165-169 vulnerabilities across Windows, Office, SharePoint, SQL Server, Defender, and other products. Multiple reports described it as Microsoft's second-largest monthly patch release on record.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
50 references tracked. Mallory keeps watching after this page renders.
Windows BitLocker Vulnerability Allows Attacker to Bypass Security Feature
cybersecuritynews.com
Open sourceMicrosoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities
thehackernews.com
Open sourceMicrosoft Defender 0-Day Vulnerability Enables Privilege Escalation Attack
cybersecuritynews.com
Open sourceMicrosoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day
securityaffairs.com
Open sourceCVE-2026-26151 - Security Update Guide - Microsoft - Remote Desktop Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-0390 - Security Update Guide - Microsoft - UEFI Secure Boot Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-27931 - Security Update Guide - Microsoft - Windows GDI Information Disclosure Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-26160 - Security Update Guide - Microsoft - Remote Desktop Licensing Service Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches 163 Flaws Including Exploited SharePoint Bug and Defender Zero-Day
Microsoft released fixes for **163 vulnerabilities** in its April Patch Tuesday update, marking one of its largest security releases on record. The bundle includes **8 Critical** flaws, **154 Important** issues, and **1 Moderate** bug, with seven of the Critical vulnerabilities enabling remote code execution across products and components including **Windows TCP/IP**, **Windows IKE Service Extensions**, **Active Directory**, **Remote Desktop Client**, **Microsoft Office**, and **Microsoft Word**. Belgian authorities urged organizations to apply the updates immediately. The most urgent issues include **`CVE-2026-32201`**, an actively exploited **Microsoft SharePoint Server** vulnerability that was added to CISA’s Known Exploited Vulnerabilities catalog, and **`CVE-2026-33825`** in **Microsoft Defender**, a publicly disclosed zero-day tied to proof-of-concept code associated with the **BlueHammer** exploit. Microsoft also shipped Windows 11 cumulative updates with security hardening changes, including safer handling of **`.rdp`** files and improved visibility into **Secure Boot** certificates, while the broader patch set addressed numerous elevation-of-privilege and security feature bypass flaws that could support post-compromise escalation.
Apr 22, 2026
Microsoft Patches 163 Flaws Including Exploited SharePoint Bug
Microsoft released fixes for **163 CVEs** across 17 product families, including **8 Critical** vulnerabilities, **1 publicly disclosed** flaw, and **1 vulnerability under active exploitation**. The exploited issue, `CVE-2026-32201`, is a **Microsoft SharePoint Server spoofing vulnerability** that can let an unauthenticated attacker impersonate a user and read or modify certain data. Microsoft also patched `CVE-2026-33825`, a **publicly disclosed Microsoft Defender elevation-of-privilege flaw** that affects systems only when Defender is enabled; the company said customers using Defender automatic updates are remediated automatically. Among the most severe issues, Microsoft highlighted `CVE-2026-33824`, a **Critical Windows Internet Key Exchange (IKE) Service Extensions remote code execution vulnerability** with a **CVSS 9.8**, and advised defenders to restrict **UDP ports 500 and 4500** until patching is complete. Elevation-of-privilege bugs made up the largest share of the release with **94 CVEs**, while **Windows** accounted for **131** of the patched vulnerabilities. Microsoft said **24 flaws** were more likely to be exploited within 30 days, **18** carried CVSS scores of **8.0 or higher**, and the release also included **80 Edge-related advisories**, most inherited from Chrome.
May 25, 2026
Microsoft Patch Tuesday Fixes 79 CVEs, Including Exploited Windows Flaws
Microsoft released fixes for **79 vulnerabilities** across 11 product families, including **7 Critical** issues and multiple flaws already exploited or associated with exploited conditions. The most significant actively exploited bugs were **`CVE-2024-38014`** in **Windows Installer** and **`CVE-2024-38217`** in **Windows Mark of the Web**, while **`CVE-2024-43491`** in the **Windows Update servicing stack** was highlighted as a high-severity risk for supported **Windows 10 version 1507 LTSB** and **IoT Enterprise 2015 LTSB** systems. Windows accounted for **47** of the patched CVEs, with **SQL Server** receiving fixes for **13** vulnerabilities and **SharePoint** affected by several high-risk remote code execution flaws that Microsoft said were more likely to be exploited within 30 days. Microsoft also noted that **Windows 11 24H2** is affected by **29** CVEs, including two already exploited in the wild, and the release referenced three **Adobe** vulnerabilities, including **`CVE-2024-41869`**, a critical **Adobe Reader** use-after-free flaw for which a workable exploit was already available.
Jan 1, 2026