Microsoft April 2026 Patch Tuesday: 167 fixes, two zero-days, and a SharePoint bug already in CISA's KEV
Microsoft's April 8 Patch Tuesday closes 167 CVEs. CVE-2026-32201 in SharePoint is being exploited and CISA added it the same day. Here's what to patch first.
Microsoft’s April Patch Tuesday landed on April 8 with 167 CVEs, including two zero-days. One of them, a SharePoint Server spoofing bug, was already being exploited and CISA added it to the Known Exploited Vulnerabilities catalog the same day. If you run on-prem SharePoint, this is the patch you do tonight.
What we know
- Total CVEs: 167. Per BleepingComputer’s breakdown: 93 elevation of privilege, 20 remote code execution, 21 information disclosure, 13 security feature bypasses, 10 denial of service, 9 spoofing, 1 tampering. Eight rated Critical.
- Actively exploited: CVE-2026-32201, a Microsoft SharePoint Server Spoofing Vulnerability. Improper input validation lets an unauthenticated network attacker spoof trusted UI in SharePoint. CISA added it to the KEV catalog on April 14, with a federal-agency remediation deadline that follows.
- Publicly disclosed: CVE-2026-33825, a Windows Defender elevation-of-privilege bug nicknamed “BlueHammer.” Per Krebs on Security, the researcher posted a working proof-of-concept on GitHub on April 3, five days before Microsoft’s fix. Defender Antimalware Platform 4.18.26030.3011 patches it.
- Other criticals worth flagging: Office (Word, Excel, PowerPoint, SharePoint) RCEs that fire from the Outlook preview pane. CVE-2026-33824 in Windows IKE Extension. CVE-2026-33827 in Windows TCP/IP. CVE-2026-33826 in Active Directory. CVE-2026-32157 in Remote Desktop Client.
- Out-of-band note: Microsoft also pushed an emergency Adobe Reader fix earlier in the month, CVE-2026-34621, with exploitation traced to November 2025.
What we don’t know
- Who’s exploiting CVE-2026-32201. Microsoft’s advisory confirms in-the-wild activity but doesn’t attribute. No vendor has published IOCs, and no public incident report has linked the bug to a named actor.
- The full scope of BlueHammer’s use. With a public PoC, the window for low-skill attackers is open. Whether any APT actor was running it pre-disclosure is unclear; Krebs notes the research write-up matches the Microsoft advisory but doesn’t confirm prior abuse.
- Whether on-prem SharePoint will get a follow-up patch. Microsoft’s earlier ASP.NET emergency fix shipped out of band a week after the April .NET update introduced the regression, and Patch Tuesdays that include exploited zero-days have historically drawn follow-up out-of-band fixes within two weeks.
- Coverage on Server Core editions. Tenable counts 163 CVEs against Microsoft’s 167. The four-CVE delta is typically Edge / Chromium-derived issues that ship on a different cadence; assume your SCCM rollups capture them.
Source attribution
The headline numbers and zero-day breakdown are from BleepingComputer, Tenable, Security Affairs, and Brian Krebs’s April 2026 Edition writeup. CISA’s KEV update is the authoritative confirmation that CVE-2026-32201 is being exploited.
What this means for you
If you maintain on-prem SharePoint, prioritize CVE-2026-32201 above everything else. The CISA KEV listing means a federal-agency clock is running and exploit kits are being assembled in public. Anyone exposing SharePoint to the internet without this patch is on borrowed time.
For everyone else, the order of operations is: SharePoint, Defender (BlueHammer is a privesc, so it pairs with any phishing payload that lands in Word), Office (a preview-pane RCE is the kind of bug that lights up an environment within 24 hours of a public PoC), then the network-stack bugs in TCP/IP and IKE.
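One way to make that ordering a repeatable triage step rather than a judgment call each month: cross-reference the Patch Tuesday CVE list against CISA's KEV JSON feed and sort KEV entries first (earliest federal due date wins), then vendor-confirmed exploitation, then public PoC, then Critical. This is an added example, not code from the article or any of the vendors it cites; the KEV URL and field names are the real feed's, while the offline sample record and its due date are constructed placeholders, and the per-CVE flags simply restate what the article says about each id.

```python
import json
import urllib.request
from datetime import date

# Real CISA feed; the field names used below (cveID, dateAdded, dueDate) are the feed's own.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
# Constructed KEV excerpt for offline use; CVE id and add date are from the article, dueDate is a placeholder.
SAMPLE_KEV = {"vulnerabilities": [{
    "cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint Server",
    "dateAdded": "2026-04-14", "dueDate": "2026-05-05"}]}
# CVEs the article names, with the flags its text gives them (Office RCEs omitted: no ids on the page).
APRIL_CVES = [
    {"cve": "CVE-2026-32201", "product": "SharePoint Server", "exploited": True, "public_poc": False, "critical": False},
    {"cve": "CVE-2026-33825", "product": "Windows Defender", "exploited": False, "public_poc": True, "critical": False},
    {"cve": "CVE-2026-33824", "product": "Windows IKE Extension", "exploited": False, "public_poc": False, "critical": True},
    {"cve": "CVE-2026-33827", "product": "Windows TCP/IP", "exploited": False, "public_poc": False, "critical": True},
    {"cve": "CVE-2026-33826", "product": "Active Directory", "exploited": False, "public_poc": False, "critical": True},
    {"cve": "CVE-2026-32157", "product": "Remote Desktop Client", "exploited": False, "public_poc": False, "critical": True},
]

def fetch_kev(url=KEV_URL):
    """Download the live KEV catalog (needs network; use SAMPLE_KEV offline)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def classify(c, kev_rec, today):
    """Return (tier, sort_key, reason); lower tier patches first, KEV due date breaks ties."""
    if kev_rec:
        days = (date.fromisoformat(kev_rec["dueDate"]) - today).days
        return 0, days, f"in CISA KEV, federal due date {kev_rec['dueDate']} ({days}d left)"
    if c["exploited"]:
        return 1, 0, "vendor confirms in-the-wild exploitation, not yet in KEV"
    if c["public_poc"]:
        return 2, 0, "public PoC before the fix: treat as already weaponized"
    if c["critical"]:
        return 3, 0, "rated Critical, no known exploitation"
    return 4, 0, "routine"

def prioritize(cves, kev, today_iso):
    """Cross-reference a Patch Tuesday list with a KEV catalog and return it in patch order."""
    today, idx = date.fromisoformat(today_iso), {v["cveID"]: v for v in kev.get("vulnerabilities", [])}
    rows = []
    for c in cves:
        tier, key, reason = classify(c, idx.get(c["cve"]), today)
        rows.append({**c, "tier": tier, "reason": reason, "_key": key})
    return sorted(rows, key=lambda r: (r["tier"], r["_key"], r["cve"]))

if __name__ == "__main__":
    for r in prioritize(APRIL_CVES, SAMPLE_KEV, "2026-04-15"):
        print(f"tier {r['tier']}  {r['cve']:<15} {r['product']:<22} {r['reason']}")
```

Swap `SAMPLE_KEV` for `fetch_kev()` to run it against the live catalog; a CVE that Microsoft marks exploited but that KEV has not listed yet still lands in tier 1, so the ordering does not depend on CISA's timing.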
Two structural reads. First, the volume. Microsoft is clearing 160-plus CVEs every month now, and Brian Krebs flags that the surge correlates with AI-assisted vulnerability discovery getting cheap. We’ve seen this thesis play out elsewhere with Mozilla’s Firefox bug haul from Project Glasswing, where Anthropic’s Mythos found 271 issues in a single audit. Whatever you think of LLMs writing code, they’re clearly very good at finding bugs, and that means more patch volume forever.
Second, public PoCs before patches are a pattern now. BlueHammer is the second time in three months a researcher dropped working code on GitHub before Microsoft’s fix shipped. If your patch SLA still assumes a quiet two-week window between disclosure and exploitation, rewrite it. Treat any Patch Tuesday CVE marked “publicly disclosed” as already weaponized.
Sources
- Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days — BleepingComputer
- Patch Tuesday, April 2026 Edition — Krebs on Security
- Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day — Security Affairs
- Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201) — Tenable