Microsoft released a massive security update as part of Patch Tuesday, closing more than 160 vulnerabilities, including a zero-day in SharePoint that was already being actively exploited in attacks. The main issue allowed attackers to spoof trusted content and manipulate user data.
Microsoft has just issued one of the biggest security updates in a long while, patching 169 vulnerabilities at once, at least one of which is already being exploited. Eighty-seven percent (157) of the fixes are rated High Risk; 8 are Critical, 3 Moderate and 1 Low. By class, the bugs were mostly Elevation of Privilege (93), followed by Information Disclosure and Remote Code Execution (21 each), then 14 Security Feature Bypass issues, 10 Spoofing vulnerabilities and 9 Denial of Service scenarios.
Third-party components deserve a separate note. The release also covers four non-Microsoft vulnerabilities that affect the Microsoft ecosystem: an AMD issue, a Node.js issue, a Windows Secure Boot problem and a Git for Windows issue. In addition, Microsoft patched 78 of the more than 100 previously unpatched CVEs in the Chromium-based Edge browser.
That makes this the second-largest Patch Tuesday release ever; the largest was October 2025, when Microsoft patched a record 183 CVEs. If the rate keeps up, more than a thousand CVEs per year will become the new normal.
The trend is also noteworthy. For the eighth straight month, Elevation of Privilege made up the largest share of patched vulnerabilities; back in April, EoP accounted for nearly 58%. On the flip side, RCE accounts for less than 13%, down significantly from last month.
CVE-2026-32201, a bug in Microsoft SharePoint Server, is getting the most press in this round of patches, and rightly so. It has already been exploited to steal user credentials and other sensitive information by manipulating the data the application uses to generate pages. The bug lets an attacker control what is displayed to the user and present whatever "information" the attacker chooses. The attacker does not gain complete control of the system, but the ability to substitute what the victim sees is enough of a foothold to build further attacks against that victim.

“SharePoint includes a network-based forgery vulnerability as far as trusted information, enabling attackers to deceive victims and utilize malicious interfaces,” said Mike Walters, co-founder of Action1.
Walters stated that even though exploiting the vulnerability may cause little or no direct damage to an organization's data, the ability to affect how a user views that data can provide the building blocks for a larger and far more complex attack.
Because of the widespread exploitation of the vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, added it to its Known Exploited Vulnerabilities catalog. CISA set a mandatory patching deadline for all federal agency networks and systems: agencies had until April 28, 2026 to apply the recommended patches.
An equally pressing concern exists for Microsoft Defender. The vulnerability identified as CVE-2026-33825 allows a local user to obtain elevated privileges because of weak access controls. However, Microsoft states that because Defender updates itself automatically, in many cases no further action is required.
The same flaw was the basis of the BlueHammer exploit, previously developed by the security researcher Chaotic Eclipse. BlueHammer used the Volume Shadow Copy process to gain unauthorized access to system files and elevate privileges to SYSTEM.
The attack relies on the temporary copy of the system (a snapshot) that is created while the Defender software is being updated. In the window between the snapshot's creation and its deletion by the system, the exploit gives an attacker unauthorized access to critical areas of the system, specifically the SAM database containing hashed passwords. With those hashes in hand, an attacker has what is needed for full administrative control of the compromised system.
Researchers indicate that since the patch was made available, the BlueHammer exploit no longer works; however, some aspects of the technique remain open questions.
In addition to these critical issues, another serious vulnerability lies in the Windows IKE service. It allows an attacker to execute arbitrary code remotely on vulnerable servers without any form of authentication and carries a CVSS score of 9.8. An attacker needs only to send a specially crafted packet to a server with IKEv2 enabled to exploit it.
This vulnerability poses extreme danger in corporate environments that use VPN or IPsec solutions. Successful exploitation would likely result in total system compromise, including unauthorized removal of data and unauthorized movement through the network.
As Walters noted, “the fact that no user intervention is needed makes this vulnerability especially hazardous for systems connected directly to the internet.”
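A defender's first question about the IKE flaw is whether a given Windows host is actually reachable through it. The following PowerShell inventory script is an added example, not code from the article or from Microsoft; it reports whether the IKEEXT service is running, which enabled inbound firewall rules admit the IKE ports (UDP 500 and 4500), what is bound to those ports, and whether a given update is installed. The KB identifier is a placeholder, since the article does not name one; substitute the KB number from the Microsoft advisory.

```powershell
# Added example (not from the article): inventory one Windows host's exposure to the
# unauthenticated IKEv2 RCE described above. Run from an elevated PowerShell session.

$ikePorts = @('500', '4500')          # IKE (UDP 500) and IKE NAT-T (UDP 4500)
$patchKB  = 'KB0000000'               # PLACEHOLDER: use the KB from the Microsoft advisory

# 1. Is the "IKE and AuthIP IPsec Keying Modules" service running at all?
$svc = Get-Service -Name 'IKEEXT' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'IKEEXT service is not present on this host.'
} else {
    Write-Output ('IKEEXT service status: {0} (start type: {1})' -f $svc.Status, $svc.StartType)
}

# 2. Which enabled inbound Allow rules open UDP 500/4500? (Rules with LocalPort 'Any' count too.)
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'UDP' -or $pf.Protocol -eq 'Any') -and
        ($pf.LocalPort -contains 'Any' -or ($pf.LocalPort | Where-Object { $ikePorts -contains $_ }))
    }
if ($openRules) {
    Write-Output 'Inbound firewall rules that admit IKE traffic:'
    $openRules | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Output 'No enabled inbound Allow rule covers UDP 500/4500.'
}

# 3. Is anything currently bound to the IKE ports, and which process owns the socket?
$endpoints = Get-NetUDPEndpoint | Where-Object { $ikePorts -contains $_.LocalPort }
if ($endpoints) {
    Write-Output 'Listening UDP endpoints on IKE ports:'
    $endpoints | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    Write-Output 'Nothing is bound to UDP 500/4500 right now.'
}

# 4. Has the fix been installed? Get-HotFix only sees updates recorded in the hotfix store,
#    so a missing entry should be confirmed against Windows Update history.
$fix = Get-HotFix -Id $patchKB -ErrorAction SilentlyContinue
if ($fix) {
    Write-Output ('{0} installed on {1}.' -f $patchKB, $fix.InstalledOn)
} else {
    Write-Output ('{0} NOT found in the hotfix store; verify via Windows Update history.' -f $patchKB)
}
```

A host where IKEEXT is running, an inbound rule admits UDP 500/4500, a socket is bound and the fix is absent is the case to prioritize, especially if it also has an internet-facing address.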
All in all, this release demonstrates once again how rapidly new vulnerabilities are being discovered, and why rapid deployment of patches and updates is now a critical requirement for organizations to survive in today's highly volatile cyber environment.