April Patch Tuesday: 168 fixes
Microsoft’s April security update patched 168 vulnerabilities, including an actively exploited SharePoint spoofing zero-day identified as CVE-2026-32201. The cumulative fixes span servers and endpoints, making rapid patch triage urgent for enterprise IT teams (x.com).
Microsoft’s April security update landed Tuesday with fixes for 168 vulnerabilities, led by an actively exploited SharePoint flaw already being used in attacks. (msrc.microsoft.com) (cyberpress.org)

The zero-day, CVE-2026-32201, is a SharePoint spoofing bug. Microsoft said improper input validation lets an unauthorized attacker spoof content over a network and potentially view or change some information. (msrc.microsoft.com) (bleepingcomputer.com)

CrowdStrike said the SharePoint bug has a Common Vulnerability Scoring System score of 6.5, requires no user interaction, and can be exploited remotely by an unauthenticated attacker. The company said availability is not affected, but confidentiality and integrity are. (crowdstrike.com)

A software patch closes a hole after the vendor finds or confirms a weakness. A zero-day is a hole attackers use before defenders have a fix, and Microsoft said this one was already exploited in the wild before April 14. (bleepingcomputer.com) (crowdstrike.com)

SharePoint is Microsoft’s document-sharing and intranet server, so a spoofing bug there can let attackers make malicious pages or prompts look like trusted internal content. Mike Walters of Action1 said attackers could use the flaw to deceive employees, partners, or customers inside a familiar SharePoint environment. (krebsonsecurity.com) (thehackernews.com)

The April release also included a second zero-day, CVE-2026-33825, a publicly disclosed Microsoft Defender elevation-of-privilege flaw. Microsoft said the Defender fix is delivered in antimalware platform version 4.18.26050.3011, which should download automatically. (bleepingcomputer.com) (crowdstrike.com)

By category, April’s biggest bucket was 93 elevation-of-privilege flaws. BleepingComputer counted 20 remote-code-execution bugs, 21 information-disclosure bugs, 10 denial-of-service bugs, 13 security-feature-bypass bugs, and 9 spoofing bugs in Microsoft’s Tuesday releases. (bleepingcomputer.com)

Federal agencies got a deadline with the patch. The Cybersecurity and Infrastructure Security Agency added CVE-2026-32201 to its Known Exploited Vulnerabilities catalog on April 14 and ordered Federal Civilian Executive Branch agencies to remediate it by April 28, 2026. (cisa.gov) (thehackernews.com)

Microsoft did not publicly say who is exploiting the SharePoint flaw or how the attacks work. For enterprise defenders, that leaves the usual order of operations: patch internet-facing SharePoint servers first, then move through the rest of April’s backlog. (bleepingcomputer.com) (crowdstrike.com)