Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities

Summary

Microsoft released patches for 169 security flaws across its product portfolio on April 15, 2026, marking the second-largest Patch Tuesday on record. The update includes one zero-day vulnerability in SharePoint Server (CVE-2026-32201) that is already being exploited in the wild, along with a critical remote code execution flaw in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) affecting VPN and IPsec systems. The vulnerabilities span multiple severity levels, with privilege escalation flaws dominating the release at 57% of all patched CVEs.

Full text

Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities Ravie LakshmananApr 15, 2026Vulnerability / Patch Tuesday Microsoft on Tuesday released updates to address a record 169 security flaws across its product portfolio, including one vulnerability that has been actively exploited in the wild. Of these 169 vulnerabilities, 157 are rated Important, eight are rated Critical, three are rated Moderate, and one is rated Low in severity. Ninety-three of the flaws are classified as privilege escalation, followed by 21 information disclosure, 21 remote code execution, 14 security feature bypass, 10 spoofing, and nine denial-of-service vulnerabilities. Also included among the 169 flaws are four non-Microsoft issued CVEs impacting AMD (CVE-2023-20585), Node.js (CVE-2026-21637), Windows Secure Boot (CVE-2026-25250), and Git for Windows (CVE-2026-32631). The updates are in addition to 78 vulnerabilities that have been addressed in its Chromium-based Edge browser since the update that was released last month. The release makes it the second biggest Patch Tuesday ever, a little below the record set in October 2025, when Microsoft addressed a massive 183 security flaws. "At this pace, 2026 is on track to affirm that 1,000+ Patch Tuesday CVEs annually is the norm," Satnam Narang, senior staff research engineer at Tenable, said. "Not only that, but elevation of privilege bugs continue to dominate the Patch Tuesday cycle over the last eight months, accounting for a record 57% of all CVEs patched in April, while remote code execution (RCE) vulnerabilities have dropped to just 12%, tied with information disclosure vulnerabilities this month." The vulnerability that has come under active exploitation is CVE-2026-32201 (CVSS score: 6.5), a spoofing vulnerability impacting Microsoft SharePoint Server. "Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network," Microsoft said in an advisory. "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)." Although the vulnerability was internally discovered, it's currently not known how it'sbeing exploited, and who may be behind the activity, and the scale of such efforts. "This zero-day vulnerability in Microsoft SharePoint Server is caused by improper input validation, allowing attackers to spoof trusted content or interfaces over a network," Mike Walters, president and co-founder of Action1, said. "By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content. While the direct impact on data is limited, the ability to deceive users makes this a powerful tool for broader attacks." The active exploitation of CVE-2026-32201 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the shortcoming by April 28, 2026. Another vulnerability of note is a privilege escalation flaw in Microsoft Defender (CVE-2026-33825, CVSS score: 7.8), which has been flagged as publicly known at the time of release. According to Redmond, the vulnerability could allow an authorized attacker to elevate privileges locally by taking advantage ofDefender'slack of adequate granular access controls. Microsoft noted that no user action is required to install the update for CVE-2026-33825, as the platform updates itself frequently by default. Systems that have disabled Microsoft Defender are not in an exploitable state. One of the most severe vulnerabilities is a case of remote code execution impacting the Windows Internet Key Exchange (IKE) Service Extensions.Tracked as CVE-2026-33824, the security defect has a CVSS score of 9.8 out of 10.0. "Exploitation requires an attacker to send specially crafted packets to a Windows machine with IKE v2 enabled, which could enable remote code execution," Adam Barnett, lead software engineer at Rapid7, said in a statement. "Vulnerabilities leading to unauthenticated RCE against modern Windows assets are relatively rare, or we’d see more wormable vulnerabilities self-propagating across the internet. However, since IKE provides secure tunnel negotiation services, for instance, for VPNs, it is necessarily exposed to untrusted networks and reachable in a pre-authorization context." Walters noted that the security flaw poses a serious threat to enterprise environments, particularly those relying on VPN or IPsec for secure communications. Successful exploitation of the vulnerability could result in complete system compromise, allowing bad actors to steal sensitive data, disrupt operations, or move laterally across the network. "The lack of required user interaction makes this especially dangerous for internet-facing systems. Its low attack complexity and full system impact make it a prime candidate for rapid weaponization," Walters added. "Internet-facing systems running IKEv2 services are particularly at risk, and delaying patch deployment increases exposure to potential widespread attacks." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  CISA, cybersecurity, Microsoft, patch Tuesday, privilege escalation, remote code execution, SharePoint, Vulnerability, Windows, zero-day Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Indicators of Compromise

• cve — CVE-2026-32201
• cve — CVE-2026-33824
• cve — CVE-2026-33825
• cve — CVE-2023-20585
• cve — CVE-2026-21637
• cve — CVE-2026-25250
• cve — CVE-2026-32631

Entities