April Patch Tuesday: 167 fixes
Microsoft’s April Patch Tuesday fixed 167 vulnerabilities — including two zero‑days — and Cisco Talos published associated Snort rules and vulnerability analysis. The bulletin is a reminder for agencies with overlapping IT/OT systems to track these fixes for fare, dispatch and security systems (bleepingcomputer.com) (blog.talosintelligence.com).
Microsoft pushed April’s security updates on April 14, fixing 167 vulnerabilities across Windows, Office, SharePoint, Hyper-V and other products. (bleepingcomputer.com) Two of the bugs stood out because attackers already knew about them before patch day: one was exploited in the wild and one had been publicly disclosed, according to Microsoft’s April release and Rapid7’s review. (bleepingcomputer.com) (rapid7.com)

Cisco Talos said Microsoft’s April release covered 165 Microsoft vulnerabilities and highlighted eight rated “critical,” while also publishing Snort intrusion-detection rules for some of the flaws. BleepingComputer’s higher total includes non-Microsoft issues Microsoft tracks in its monthly roundup. (blog.talosintelligence.com) (bleepingcomputer.com)

Patch Tuesday is Microsoft’s regular monthly security drop, and it matters because organizations often batch testing and deployment around that schedule. Talos said its April rule set is meant to spot exploit attempts while defenders work through patching. (msrc.microsoft.com) (blog.talosintelligence.com)

For agencies that run both information technology and operational technology, the timing is practical as much as technical. Windows systems often sit behind fare payment, dispatch consoles, building access controls and video systems, so a desktop or server patch can ripple into physical operations. (blog.talosintelligence.com) (msrc.microsoft.com)

Talos singled out several bugs that defenders are likely to prioritize, including CVE-2026-33824 in the Windows Internet Key Exchange extension, which could let an unauthenticated attacker send crafted packets to a machine with Internet Key Exchange version 2 enabled and potentially run code. It also flagged CVE-2026-33826 in Windows Active Directory and CVE-2026-33114 and CVE-2026-33115 in Microsoft Office Word. (blog.talosintelligence.com)

BleepingComputer reported that the two zero-days were CVE-2026-26110, a Microsoft SharePoint elevation-of-privilege flaw exploited in the wild, and CVE-2026-33825, a Microsoft Defender elevation-of-privilege flaw that was publicly disclosed before fixes shipped. Rapid7’s April review matched that split: one exploited, one disclosed. (bleepingcomputer.com) (rapid7.com)

Microsoft also shipped Windows update packages tied to the April fixes, including the Windows 10 Extended Security Update package KB5082200 for systems still enrolled in paid support. That matters for organizations that have not fully moved off older fleets but still need current security fixes. (bleepingcomputer.com)

The immediate job now is familiar: identify exposed systems, test the updates, and watch detection tools for exploit traffic during the patch window. April’s release was large enough that defenders are likely to spend the rest of the month sorting which fixes can wait and which ones cannot. (blog.talosintelligence.com) (rapid7.com)