Patch Tuesday April 2026 - Critical Microsoft Security Patches

CVE-2026-32201 - 6.5 - Microsoft SharePoint Server Spoofing Vulnerability
Kev Breen, Senior Director Threat Research, Immersive
At the top of the list of things to patch this cycle is CVE-2026-32201, a vulnerability affecting the SharePoint Server. Despite its relatively low CVSS score of 6.5, this warrants immediate patching as Microsoft have listed this as "Exploitation Detected", meaning it's actively being used by threat actors in the wild.
Microsoft is providing very little information except to say that it is a Spoofing Vulnerability and affects "Confidentiality and Integrity", where an attacker can view or change "Sensitive information".
SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made.
A secondary concern is that threat actors with access to SharePoint services could deploy weaponised documents or replace legitimate documents with infected versions that would allow them to spread to other hosts or victims, moving laterally across the organization.
CVE-2026-33825 - Microsoft Defender Elevation of Privilege Vulnerability
Kev Breen, Senior Director Threat Research, Immersive
Another CVE that's high on the list to patch is CVE-2026-33825, a Microsoft Defender Elevation of Privilege Vulnerability. This is listed by Microsoft as Publicly Disclosed with a Proof of Concept.
As an Elevation of Privilege Vulnerability, this type of exploit is commonly seen after an attacker has already gained initial access to a host machine, for example via social engineering attacks like ClickFix, which remain popular, or through another remote code execution vulnerability.
Priv Esc vulnerabilities allow the attacker to gain SYSTEM-level permissions, which is enough to disable security tools and logging before deploying additional malware and moving laterally.
Microsoft does not link this vulnerability to the recently publicly disclosed unpatched zero-day BlueHammer exploit that also impacts Microsoft Defender. Either way, ensuring that Defender is properly configured to receive timely updates is important and should be a priority check this cycle given the existence of at least one and possibly two public POCs.
CVE-2026-26151 - Remote Desktop Spoofing Vulnerability
Kev Breen, Senior Director Threat Research, Immersive
The next notable CVE is CVE-2026-26151, a vulnerability impacting the Windows Remote Desktop Application. While it's not listed as being actively exploited, it is flagged as Exploitation More Likely, and was reported by the UK's National Cyber Security Centre (NCSC), including a separate advisory (https://learn.microsoft.com/en-gb/windows-server/remote/remote-desktop-services/remotepc/understanding-security-warnings).
Based on the detail provided in the CVE and in the advisory, this exploit appears to center around .rdp files, which are frequently used as shortcuts to connect to remote servers and contain the connection details and credentials required to connect. Opening one of these files will launch the remote desktop client and connect the user to the remote host.
The advisory introduces a new set of warning dialogues and banners that warn users about the dangers of connecting to remote systems.
The real danger of opening RDP files is in what Microsoft refers to as "redirections". This is a way of connecting local resources to the remote server and can include the C drive, USB drives and network drives.
In this attack scenario, the attacker-controlled machine could be set up to steal files or even write files to the drive automatically upon connection. Drives are not the only risk: clipboard data, cameras, and in some cases Windows Hello and passkeys could also be compromised. These RDP files are typically sent in emails as attachments or as links to download the files. Security teams should deploy threat hunt rules looking for unusual RDP files or remote connections.
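One way to build the threat-hunt check suggested above is to statically triage .rdp attachments for the redirection settings discussed in this section. The following is an added example, not code from the original post or from Immersive; the setting names are the standard Remote Desktop client property names, while which ones count as "risky" and the sample file are this example's own choices.

```python
"""
Static triage of .rdp connection files for threat hunting.

.rdp files are plain text, one setting per line, in the form
    name:type:value      (type 's' = string, 'i' = integer)
Note: files saved by mstsc.exe are usually UTF-16 LE with a BOM, so
decode the file before passing its text to these functions.
"""

# Settings that expose local resources to the remote host.
# The risk classification here is this example's own assumption.
# Each entry: setting name -> (description, predicate returning True when enabled).
RISKY_SETTINGS = {
    "drivestoredirect": ("local drives shared with remote host", lambda v: v.strip() != ""),
    "usbdevicestoredirect": ("USB devices shared with remote host", lambda v: v.strip() != ""),
    "redirectclipboard": ("clipboard shared with remote host", lambda v: v.strip() == "1"),
    "camerastoredirect": ("camera shared with remote host", lambda v: v.strip() != ""),
    "redirectwebauthn": ("Windows Hello / passkeys (WebAuthn) redirected", lambda v: v.strip() == "1"),
}


def parse_rdp(text):
    """Parse .rdp text into {setting: value}; malformed lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Split on the first two colons only: values such as host:port keep their colon.
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i"):
            continue
        settings[parts[0].strip().lower()] = parts[2]
    return settings


def triage_rdp(text):
    """Return a list of findings (one string per enabled risky redirection)."""
    settings = parse_rdp(text)
    target = settings.get("full address", "<no target>")
    findings = []
    for name, (desc, enabled) in RISKY_SETTINGS.items():
        if name in settings and enabled(settings[name]):
            findings.append(f"{name}={settings[name]!r} -> {desc} (target {target})")
    return findings


# Constructed sample: an attachment that redirects drives, clipboard, camera and WebAuthn.
SAMPLE_RDP = """full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
camerastoredirect:s:*
redirectwebauthn:i:1
prompt for credentials:i:0
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP):
        print(finding)
```

A real hunt would run this over mail-gateway attachments or downloaded .rdp files and alert on any finding whose target host is not an approved internal address.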
CVE-2026-33824 - Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
Kev Breen, Senior Director Threat Research, Immersive
CVE-2026-33824 is a recently patched vulnerability for Windows affecting servers and desktop hosts. It comes in with a high CVSS score of 9.8, although Microsoft have identified this one as "Exploitation Less Likely".
While Microsoft has marked this one as "exploitation less likely", that doesn't mean that it may not be exploitable. There have been historic exploits and POCs that have impacted IKE, meaning motivated threat actors may be able to weaponize this one as well.
If an attacker is able to weaponize this vulnerability, it would result in the attacker being able to run code on the target victim's host. With this initial access, they would be able to steal data, deploy additional exploits or privilege escalation attacks. For orgs that are not able to patch, mitigations include blocking inbound traffic on ports used by IKE.