Microsoft Patches 163 Flaws Including Exploited SharePoint Bug and Defender Zero-Day
Microsoft released fixes for 163 vulnerabilities in its April Patch Tuesday update, marking one of its largest security releases on record. The bundle includes 8 Critical flaws, 154 Important issues, and 1 Moderate bug, with seven of the Critical vulnerabilities enabling remote code execution across products and components including Windows TCP/IP, Windows IKE Service Extensions, Active Directory, Remote Desktop Client, Microsoft Office, and Microsoft Word. Belgian authorities urged organizations to apply the updates immediately.
The most urgent issues include CVE-2026-32201, an actively exploited Microsoft SharePoint Server vulnerability that was added to CISA’s Known Exploited Vulnerabilities catalog, and CVE-2026-33825 in Microsoft Defender, a publicly disclosed zero-day tied to proof-of-concept code associated with the BlueHammer exploit. Microsoft also shipped Windows 11 cumulative updates with security hardening changes, including safer handling of .rdp files and improved visibility into Secure Boot certificates, while the broader patch set addressed numerous elevation-of-privilege and security feature bypass flaws that could support post-compromise escalation.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Shadowserver finds 1,300+ SharePoint servers still unpatched after April fixes
After Microsoft's April 2026 Patch Tuesday, Shadowserver reported that more than 1,300 internet-exposed SharePoint servers remained unpatched against CVE-2026-32201. The finding highlighted continued exposure of vulnerable SharePoint Enterprise Server 2016, SharePoint Server 2019, and Subscription Edition systems despite available fixes.
Microsoft ships Windows 11 hardening updates with April 2026 patches
Alongside Patch Tuesday, Microsoft released Windows 11 cumulative updates containing security hardening changes. These included safer handling of .rdp files and improvements to Secure Boot certificate visibility.
Microsoft releases April 2026 Patch Tuesday fixes for 163 CVEs
Microsoft's April 2026 Patch Tuesday addressed 163 vulnerabilities, including eight Critical flaws, one publicly disclosed zero-day, and one vulnerability under active exploitation. The release was described as the second-largest Patch Tuesday on record.
CISA catalogs SharePoint flaw CVE-2026-32201 as actively exploited
CVE-2026-32201 in Microsoft SharePoint Server was added to CISA's Known Exploited Vulnerabilities Catalog after evidence of active exploitation in the wild. The designation elevated the flaw's urgency ahead of or alongside Microsoft's April 2026 fixes.
BlueHammer PoC publicly discloses Microsoft Defender flaw CVE-2026-33825
CVE-2026-33825 in Microsoft Defender was publicly disclosed with proof-of-concept code associated with the "BlueHammer" exploit. This made it one of the most urgent issues addressed in Microsoft's April 2026 security updates.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Microsoft Patch Still Leaves 1,300 SharePoint Servers Exposed
techrepublic.com
Open sourceMicrosoft Patch Tuesday - April 2026 - TheCyberThrone
thecyberthrone.in
Open sourceWarning: Microsoft Patch Tuesday April 2026 patches 163 vulnerabilities (8 Critical, 154 Important, 1 Moderate), patch Immediately!! | CCB Belgium
ccb.belgium.be
Open sourceMicrosoft April 2026 Patch Tuesday fixes two zero days, including BlueHammer
fieldeffect.com
Open sourceCVE-2026-32201 | Tenable®
tenable.com
Open sourcePrivilege Elevation Dominates Massive Microsoft Patch Update
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches 163 Flaws Including Exploited SharePoint Bug
Microsoft released fixes for **163 CVEs** across 17 product families, including **8 Critical** vulnerabilities, **1 publicly disclosed** flaw, and **1 vulnerability under active exploitation**. The exploited issue, `CVE-2026-32201`, is a **Microsoft SharePoint Server spoofing vulnerability** that can let an unauthenticated attacker impersonate a user and read or modify certain data. Microsoft also patched `CVE-2026-33825`, a **publicly disclosed Microsoft Defender elevation-of-privilege flaw** that affects systems only when Defender is enabled; the company said customers using Defender automatic updates are remediated automatically. Among the most severe issues, Microsoft highlighted `CVE-2026-33824`, a **Critical Windows Internet Key Exchange (IKE) Service Extensions remote code execution vulnerability** with a **CVSS 9.8**, and advised defenders to restrict **UDP ports 500 and 4500** until patching is complete. Elevation-of-privilege bugs made up the largest share of the release with **94 CVEs**, while **Windows** accounted for **131** of the patched vulnerabilities. Microsoft said **24 flaws** were more likely to be exploited within 30 days, **18** carried CVSS scores of **8.0 or higher**, and the release also included **80 Edge-related advisories**, most inherited from Chrome.
May 25, 2026
Microsoft fixes exploited SharePoint flaw in massive Patch Tuesday release
Microsoft released fixes for **165 vulnerabilities** across Windows, Office, SharePoint, Defender, SQL Server, Azure, .NET, and other products in one of its largest Patch Tuesday updates on record. The most urgent issue was **CVE-2026-32201**, an **actively exploited** improper input validation flaw in **SharePoint Server** that enables unauthenticated network-based spoofing and was immediately added to **CISA's Known Exploited Vulnerabilities** catalog. Microsoft also patched **CVE-2026-33825**, a publicly known **Microsoft Defender** privilege-escalation bug with proof-of-concept code, and **CVE-2026-33824**, a critical **remote code execution** flaw in **Windows IKE Service Extensions** affecting IPsec/VPN infrastructure. Researchers flagged **CVE-2026-33827** in **Windows TCP/IP** as potentially **wormable** under certain IPv6 and IPSec configurations. Other high-impact fixes include **CVE-2026-33120**, a **SQL Server remote code execution** flaw that paired with a separate privilege escalation bug (**CVE-2026-32176**) could enable full server compromise, and **CVE-2026-32220**, a **UEFI Secure Boot bypass** that could allow untrusted code to load during the boot process. The release also addressed elevation of privilege flaws across Desktop Window Manager, WinSock, TDI Translation Driver, Windows Push Notifications, Function Discovery Service, WSUS, Remote Desktop Licensing, Azure Monitor Agent, and Windows kernel components; security feature bypasses in Windows Hello, PowerShell, BitLocker, and Windows Shell; information disclosure bugs in Windows GDI, Print Spooler, Web Account Manager, UPnP Device Host, and the Windows kernel; and denial-of-service issues in .NET/Visual Studio and Windows RDBSS. Cumulative updates for Windows Server 2022 and 23H2 bundled security hardening for Kerberos, RDP, Secure Boot, and WDS, with Microsoft warning that Secure Boot certificates begin expiring in June 2026.
Apr 15, 2026
Microsoft Patches 137 Flaws, Highlighting Word Preview Pane and Netlogon RCE Risks
Microsoft released its May Patch Tuesday updates fixing 137 vulnerabilities across Windows, Office, Azure, Dynamics 365, SharePoint, Copilot, and other products, with no actively exploited zero-days or publicly disclosed flaws reported at release. The update included multiple high-severity remote code execution bugs, notably Microsoft Word flaws `CVE-2026-40361` and `CVE-2026-40364`, which can be triggered through the Preview Pane by sending a malicious document, as well as `CVE-2026-42898` in Microsoft Dynamics 365 On-Premises, `CVE-2026-42823` in Azure Logic Apps, and `CVE-2026-33109` in Azure Managed Instance for Apache Cassandra. Researchers also flagged `CVE-2026-41089` in Windows Netlogon and `CVE-2026-41096` in Windows DNS Client as especially urgent because they expose broadly deployed enterprise infrastructure to remote compromise. Microsoft’s Windows 11 cumulative updates, including `KB5089549` and `KB5087420`, delivered many of the security fixes alongside reliability and usability improvements, and Microsoft said it was not aware of new issues with the release. Coverage and advisories also showed the breadth of the month’s attack surface, with additional fixes for SharePoint Server remote code execution, Office Click-to-Run privilege escalation, Hyper-V guest-to-host escalation, Teams spoofing, Outlook for iOS tampering, and several Copilot and Visual Studio Code vulnerabilities. Security researchers said the growing volume of Microsoft disclosures may reflect increased AI-assisted vulnerability discovery, while defenders were urged to prioritize patching domain controllers, DNS-exposed Windows systems, Office deployments, and internet-facing enterprise applications.
May 25, 2026