Microsoft on Tuesday launched updates to deal with a document 169 security flaws throughout its product portfolio, together with one vulnerability that has been actively exploited within the wild.
Of those 169 vulnerabilities, 157 are rated Necessary, eight are rated Essential, three are rated Reasonable, and one is rated Low in severity. Ninety-three of the issues are labeled as privilege escalation, adopted by 21 data disclosure, 21 distant code execution, 14 security function bypass, 10 spoofing, and 9 denial-of-service vulnerabilities.
Additionally included among the many 169 flaws are 4 non-Microsoft issued CVEs impacting AMD (CVE-2023-20585), Node.js (CVE-2026-21637), Home windows Safe Boot (CVE-2026-25250), and Git for Home windows (CVE-2026-32631). The updates are as well as to 78 vulnerabilities that have been addressed in its Chromium-based Edge browser since the replace that was launched final month.
The discharge makes it the second greatest Patch Tuesday ever, a little beneath the document set in October 2025, when Microsoft addressed an enormous 183 security flaws. “At this tempo, 2026 is on monitor to affirm that 1,000+ Patch Tuesday CVEs yearly is the norm,” Satnam Narang, senior workers analysis engineer at Tenable, stated.
“Not solely that, however elevation of privilege bugs proceed to dominate the Patch Tuesday cycle over the past eight months, accounting for a document 57% of all CVEs patched in April, whereas distant code execution (RCE) vulnerabilities have dropped to only 12%, tied with data disclosure vulnerabilities this month.”
The vulnerability that has come beneath lively exploitation is CVE-2026-32201 (CVSS rating: 6.5), a spoofing vulnerability impacting Microsoft SharePoint Server.
“Improper enter validation in Microsoft Workplace SharePoint permits an unauthorized attacker to carry out spoofing over a community,” Microsoft stated in an advisory. “An attacker who efficiently exploited the vulnerability might view some delicate data (Confidentiality), make adjustments to disclosed data (Integrity), however can not restrict entry to the useful resource (Availability).”
Though the vulnerability was internally found, it is presently not identified the way it’sbeing exploited, and who could also be behind the exercise, and the size of such efforts.
“This zero-day vulnerability in Microsoft SharePoint Server is attributable to improper enter validation, permitting attackers to spoof trusted content material or interfaces over a community,” Mike Walters, president and co-founder of Action1, stated.
“By exploiting this flaw, an attacker can manipulate how data is offered to customers, probably tricking them into trusting malicious content material. Whereas the direct influence on knowledge is proscribed, the power to deceive customers makes this a strong instrument for broader assaults.”
The lively exploitation of CVE-2026-32201 has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) so as to add it to the Recognized Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Govt Department (FCEB) businesses to remediate the shortcoming by April 28, 2026.
One other vulnerability of notice is a privilege escalation flaw in Microsoft Defender (CVE-2026-33825, CVSS rating: 7.8), which has been flagged as publicly identified on the time of launch. Based on Redmond, the vulnerability might permit a licensed attacker to raise privileges regionally by taking benefit ofDefender’slack of sufficient granular entry controls.
Microsoft famous that no consumer motion is required to put in the replace for CVE-2026-33825, because the platform updates itself steadily by default. Techniques which have disabled Microsoft Defender will not be in an exploitable state.
Probably the most extreme vulnerabilities is a case of distant code execution impacting the Home windows Web Key Trade (IKE) Service Extensions.Tracked as CVE-2026-33824, the security defect has a CVSS rating of 9.8 out of 10.0.
“Exploitation requires an attacker to ship specifically crafted packets to a Home windows machine with IKE v2 enabled, which might allow distant code execution,” Adam Barnett, lead software program engineer at Rapid7, stated in a press release.
“Vulnerabilities resulting in unauthenticated RCE towards fashionable Home windows property are comparatively uncommon, or we’d see extra wormable vulnerabilities self-propagating throughout the web. Nevertheless, since IKE offers safe tunnel negotiation providers, as an illustration, for VPNs, it’s essentially uncovered to untrusted networks and reachable in a pre-authorization context.”
Walters famous that the security flaw poses a critical risk to enterprise environments, notably these counting on VPN or IPsec for safe communications. Profitable exploitation of the vulnerability might end in full system compromise, permitting unhealthy actors to steal delicate knowledge, disrupt operations, or transfer laterally throughout the community.
“The dearth of required consumer interplay makes this particularly harmful for internet-facing techniques. Its low assault complexity and full system influence make it a major candidate for speedy weaponization,” Walters added. “Web-facing techniques working IKEv2 providers are notably in danger, and delaying patch deployment will increase publicity to potential widespread assaults.”
