Microsoft Patches 163 Flaws Including Exploited SharePoint Bug
Microsoft released fixes for 163 CVEs across 17 product families, including 8 Critical vulnerabilities, 1 publicly disclosed flaw, and 1 vulnerability under active exploitation. The exploited issue, CVE-2026-32201, is a Microsoft SharePoint Server spoofing vulnerability that can let an unauthenticated attacker impersonate a user and read or modify certain data. Microsoft also patched CVE-2026-33825, a publicly disclosed Microsoft Defender elevation-of-privilege flaw that affects systems only when Defender is enabled; the company said customers using Defender automatic updates are remediated automatically.
Among the most severe issues, Microsoft highlighted CVE-2026-33824, a Critical Windows Internet Key Exchange (IKE) Service Extensions remote code execution vulnerability with a CVSS 9.8, and advised defenders to restrict UDP ports 500 and 4500 until patching is complete. Elevation-of-privilege bugs made up the largest share of the release with 94 CVEs, while Windows accounted for 131 of the patched vulnerabilities. Microsoft said 24 flaws were more likely to be exploited within 30 days, 18 carried CVSS scores of 8.0 or higher, and the release also included 80 Edge-related advisories, most inherited from Chrome.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
CISA adds exploited Excel flaw CVE-2009-0238 to KEV catalog
CISA added CVE-2009-0238, a critical Microsoft Excel remote code execution vulnerability originally disclosed in 2009, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency gave federal civilian executive branch agencies two weeks to remediate the flaw, which is triggered by opening a specially crafted Excel file.
Microsoft warns on critical IKE RCE CVE-2026-33824
Microsoft patched CVE-2026-33824, a Critical Windows Internet Key Exchange Service Extensions remote code execution vulnerability with a CVSS score of 9.8. Microsoft recommended restricting UDP ports 500 and 4500 until patching could be completed.
Microsoft discloses and mitigates Defender EoP flaw CVE-2026-33825
Microsoft addressed CVE-2026-33825, a publicly disclosed elevation-of-privilege vulnerability in Microsoft Defender. The company noted that affected systems are only vulnerable when Defender is enabled and that customers using Defender automatic updates are remediated automatically.
Microsoft patches exploited SharePoint spoofing flaw CVE-2026-32201
As part of the April 2026 Patch Tuesday release, Microsoft fixed CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability that was already under active exploitation. The flaw could allow an unauthenticated attacker to impersonate a user and read or modify certain data.
Microsoft releases April 2026 Patch Tuesday updates
Microsoft issued its April 2026 Patch Tuesday security release, addressing 163 CVEs and 88 advisories across 17 product families. The release included 8 Critical vulnerabilities, 1 publicly disclosed flaw, and 1 vulnerability already being exploited in the wild.
Microsoft releases March 2026 Patch Tuesday updates
Microsoft issued its March 2026 Patch Tuesday security updates. This was a separate monthly security release occurring between the February and April 2026 Patch Tuesday events already captured in the timeline.
Microsoft releases February 2026 Patch Tuesday updates
Microsoft issued its February 2026 Patch Tuesday security updates. This was a separate monthly security release occurring between the January and April 2026 Patch Tuesday events already captured in the timeline.
Microsoft fixes Windows info-disclosure zero-day in January Patch Tuesday
Microsoft's January 2026 Patch Tuesday included a fix for a Windows information-disclosure zero-day that drew a CISA alert. This was a distinct Patch Tuesday development preceding the April 2026 vulnerabilities already in the timeline.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Microsoft addresses 163 CVEs, 88 advisories for April Patch Tuesday | SOPHOS
sophos.com
Open sourceAncient Excel bug comes out of retirement for active attacks
theregister.com
Open sourceMicrosoft Patch Tuesday April 2026. - SANS ISC
isc.sans.edu
Open sourceMicrosoft's massive Patch Tuesday: It's raining bugs
theregister.com
Open sourceMicrosoft Patch Tuesday March 2026 - SANS Internet Storm Center
isc.sans.edu
Open sourceMicrosoft Patch Tuesday - February 2026 - SANS ISC
isc.sans.edu
Open sourceWindows info-disclosure 0-day bug gets a fix and CISA alert
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches 163 Flaws Including Exploited SharePoint Bug and Defender Zero-Day
Microsoft released fixes for **163 vulnerabilities** in its April Patch Tuesday update, marking one of its largest security releases on record. The bundle includes **8 Critical** flaws, **154 Important** issues, and **1 Moderate** bug, with seven of the Critical vulnerabilities enabling remote code execution across products and components including **Windows TCP/IP**, **Windows IKE Service Extensions**, **Active Directory**, **Remote Desktop Client**, **Microsoft Office**, and **Microsoft Word**. Belgian authorities urged organizations to apply the updates immediately. The most urgent issues include **`CVE-2026-32201`**, an actively exploited **Microsoft SharePoint Server** vulnerability that was added to CISA’s Known Exploited Vulnerabilities catalog, and **`CVE-2026-33825`** in **Microsoft Defender**, a publicly disclosed zero-day tied to proof-of-concept code associated with the **BlueHammer** exploit. Microsoft also shipped Windows 11 cumulative updates with security hardening changes, including safer handling of **`.rdp`** files and improved visibility into **Secure Boot** certificates, while the broader patch set addressed numerous elevation-of-privilege and security feature bypass flaws that could support post-compromise escalation.
Apr 22, 2026
Microsoft fixes exploited SharePoint flaw in massive Patch Tuesday release
Microsoft released fixes for **165 vulnerabilities** across Windows, Office, SharePoint, Defender, SQL Server, Azure, .NET, and other products in one of its largest Patch Tuesday updates on record. The most urgent issue was **CVE-2026-32201**, an **actively exploited** improper input validation flaw in **SharePoint Server** that enables unauthenticated network-based spoofing and was immediately added to **CISA's Known Exploited Vulnerabilities** catalog. Microsoft also patched **CVE-2026-33825**, a publicly known **Microsoft Defender** privilege-escalation bug with proof-of-concept code, and **CVE-2026-33824**, a critical **remote code execution** flaw in **Windows IKE Service Extensions** affecting IPsec/VPN infrastructure. Researchers flagged **CVE-2026-33827** in **Windows TCP/IP** as potentially **wormable** under certain IPv6 and IPSec configurations. Other high-impact fixes include **CVE-2026-33120**, a **SQL Server remote code execution** flaw that paired with a separate privilege escalation bug (**CVE-2026-32176**) could enable full server compromise, and **CVE-2026-32220**, a **UEFI Secure Boot bypass** that could allow untrusted code to load during the boot process. The release also addressed elevation of privilege flaws across Desktop Window Manager, WinSock, TDI Translation Driver, Windows Push Notifications, Function Discovery Service, WSUS, Remote Desktop Licensing, Azure Monitor Agent, and Windows kernel components; security feature bypasses in Windows Hello, PowerShell, BitLocker, and Windows Shell; information disclosure bugs in Windows GDI, Print Spooler, Web Account Manager, UPnP Device Host, and the Windows kernel; and denial-of-service issues in .NET/Visual Studio and Windows RDBSS. Cumulative updates for Windows Server 2022 and 23H2 bundled security hardening for Kerberos, RDP, Secure Boot, and WDS, with Microsoft warning that Secure Boot certificates begin expiring in June 2026.
Apr 15, 2026
Microsoft Patches 71 Flaws Including Exploited Windows CLFS Zero-Day
Microsoft released fixes for **71 CVEs** across 10 product families, including **17 Critical** and **54 Important** vulnerabilities, with the update heavily concentrated on Windows. The most severe issue was **`CVE-2024-49112`**, a **CVSS 9.8** remote code execution flaw in **LDAP** affecting supported Windows client and server versions back to **Windows Server 2008**, while multiple other patches addressed remote code execution risks in **Remote Desktop Services** and additional Windows components. Microsoft also fixed an **actively exploited zero-day**, **`CVE-2024-49138`**, in the **Windows Common Log File System Driver (CLFS)**, and identified six more vulnerabilities as more likely to be exploited within 30 days. Those higher-risk issues affected **SharePoint, MSMQ, ReFS, and several Windows drivers**, underscoring broad exposure across enterprise environments; Sophos said protections were available for five of the patched vulnerabilities, and noted Microsoft patched **1,015 CVEs** through Patch Tuesday during 2024, the company’s highest annual total since 2020.
Jan 1, 2026