Microsoft Patches Actively Exploited SharePoint Zero-Day and 168 Other Flaws

Microsoft on Tuesday released updates to fix 169 security flaws across its product portfolio, including one that has come under active exploitation in the wild.
Of these 169 flaws, eight are rated Critical, 157 Important, three Moderate, and one Low in severity. Ninety-three are classified as privilege escalation, followed by 21 information disclosure, 21 remote code execution, 14 security feature bypass, 10 spoofing, and nine denial-of-service vulnerabilities.
Also included among the 169 are four non-Microsoft CVEs affecting AMD (CVE-2023-20585), Node.js (CVE-2026-21637), Windows Secure Boot (CVE-2026-25250), and Git for Windows (CVE-2026-32631). The updates are in addition to the 78 vulnerabilities addressed in the Chromium-based Edge browser since last month's Patch Tuesday release.
The release is the second-largest Patch Tuesday on record, just below the October 2025 update, in which Microsoft fixed 183 flaws. "At this rate, 2026 is on track to ensure that 1,000+ Patch Tuesday CVEs every year is the norm," said Satnam Narang, senior staff research engineer at Tenable.
"Not only that, but elevation of privilege bugs have continued to dominate the Patch Tuesday cycle for the past eight months, including a record 57% of all CVEs patched in April, while remote code execution (RCE) flaws dropped to only 12%, matching information disclosure this month."
The vulnerability that has come under active exploitation is CVE-2026-32201 (CVSS score: 6.5), a spoofing flaw affecting Microsoft SharePoint Server.
"Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network," Microsoft said in an advisory. "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) and make changes to the disclosed information (Integrity), but cannot restrict access to the resource (Availability)."
Although the vulnerability was discovered internally by Microsoft, it is currently unknown how it is being exploited, who is behind the activity, and at what scale.
"This zero-day vulnerability in Microsoft SharePoint Server is caused by improper authentication, which allows attackers to spoof trusted content or network connections," said Mike Walters, president and founder of Action1.
“By exploiting this flaw, an attacker can manipulate the way information is presented to users, potentially tricking them into trusting malicious content. Although the direct impact on data is limited, the ability to manipulate users makes this a powerful tool for a broader attack.”
The active exploitation of CVE-2026-32201 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fix by April 26, 2026.
Another vulnerability of note is an elevation of privilege flaw in Microsoft Defender (CVE-2026-33825, CVSS score: 7.8), which was marked as publicly known at the time of release. According to Redmond, the vulnerability could allow an authorized attacker to elevate privileges locally by exploiting Defender's failure to enforce sufficiently granular access control.
Microsoft noted that no user action is required to apply the fix for CVE-2026-33825, as the Defender platform updates itself automatically. Systems with Microsoft Defender disabled are not in a vulnerable state.
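Because the fix arrives through the automatic Defender platform update rather than a conventional patch, administrators will want to confirm it has actually landed on each host. The following PowerShell check is an added example written for this page, not code from Microsoft or from the article; it reports whether Defender is enabled (a host with Defender disabled is not vulnerable, per Microsoft) and compares the installed platform version against a minimum version the operator supplies. The advisory's fixed platform version is not given on this page, so the `-FixedPlatformVersion` parameter is a placeholder the operator must fill in from Microsoft's advisory.

```powershell
# Added example (not from the article or from Microsoft): report whether this host
# still needs the CVE-2026-33825 Defender platform update.
# Assumption: the fixed platform version is taken from Microsoft's advisory and
# passed in by the operator; this page does not state it.
param(
    [Parameter(Mandatory = $true)]
    [version]$FixedPlatformVersion
)

$status = Get-MpComputerStatus

if (-not $status.AMServiceEnabled) {
    # Per Microsoft, a system with Defender disabled is not in a vulnerable state.
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        DefenderEnabled = $false
        Platform        = $null
        Engine          = $null
        Vulnerable      = $false
    }
    return
}

# AMProductVersion is the Defender antimalware platform (client) version, which is
# what the automatic platform update changes; the engine version is reported for context.
$platform   = [version]$status.AMProductVersion
$vulnerable = $platform -lt $FixedPlatformVersion

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    DefenderEnabled = $true
    RunningMode     = $status.AMRunningMode
    Platform        = $platform
    Engine          = $status.AMEngineVersion
    Vulnerable      = $vulnerable
}

if ($vulnerable) {
    # Platform updates are delivered through Windows Update / Microsoft Update, so a host
    # that is still behind has usually not completed its update cycle or has updates blocked.
    Write-Warning "Defender platform $platform is below the fixed version $FixedPlatformVersion; check Windows Update status on this host."
}
```

Run it with a concrete version, for example `.\Check-DefenderPlatform.ps1 -FixedPlatformVersion 4.18.0.0` (the version string is illustrative), from an elevated prompt so that `Get-MpComputerStatus` can query the service. Collecting the emitted objects across a fleet gives a quick list of hosts where the automatic rollout has not yet completed.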
Although Microsoft's advisory says nothing about public exploit code, the patch is said to address the zero-day known as BlueHammer, which was published on GitHub on April 3, 2026, by a disgruntled security researcher using the handle "Chaotic Eclipse" after a breakdown in communication with the tech giant over its handling of the disclosure process. As of writing, the public repository can only be viewed by users logged in to GitHub.
According to Cyderes, the exploit abuses the Microsoft Defender update process, using a Volume Shadow Copy snapshot to elevate a non-privileged user to NT AUTHORITY\SYSTEM by chaining together legitimate Windows features.
"At some point in Defender's update and maintenance workflow, Defender creates a temporary Volume Shadow Copy snapshot," security researchers Rahul Ramesh and Reegun Jayapaul explained earlier this month. "BlueHammer uses Cloud Files callbacks and oplocks to stall Defender at the right moment, leaving the snapshot mounted and accessible, and with it the SAM, SYSTEM, and SECURITY registry hives – files that are normally locked at runtime."
"A successful exploit allows an attacker to read the SAM database, decrypt NTLM passwords, take over the local administrator account, and spawn a SYSTEM-level shell, all while restoring the original password to avoid detection."
Security researcher Will Dormann confirmed in a Mastodon post that the BlueHammer exploit no longer works and "appears to be fixed as CVE-2026-33825," although "some of the suspicious parts of the exploit are still active."
One of the most serious vulnerabilities is a remote code execution flaw affecting Windows Internet Key Exchange (IKE) Service Extensions. Tracked as CVE-2026-33824, it carries a CVSS score of 9.8 out of 10.0.
"Exploitation requires an attacker to send specially crafted packets to an IKEv2-enabled Windows machine, which would allow remote code execution," said Adam Barnett, lead software engineer at Rapid7, in a statement.
"Vulnerabilities that lead to unauthenticated RCE against modern Windows assets are rare, or we would see exploits spreading unchecked across the internet. However, since IKE provides secure tunnel negotiation services, for example for VPNs, it is by its nature exposed to untrusted networks and reachable in a pre-authentication context."
Walters noted that the flaw poses a significant risk to enterprise environments, especially those that rely on VPN or IPsec for secure communications. Successful exploitation could result in complete system compromise, allowing malicious actors to steal sensitive data, disrupt operations, or move laterally across the network.
"The lack of user interaction required makes this especially dangerous for internet-facing deployments. Its low attack complexity and total system impact make it a prime candidate for immediate weaponization," Walters added. "Internet-facing systems running IKEv2 services are particularly vulnerable, and delays in patching increase exposure to potentially widespread attacks."
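Since the flaw is reachable pre-authentication by anyone who can deliver crafted packets to an IKEv2-enabled host, the practical triage question is which Windows machines actually expose that service. The PowerShell script below is an added example written for this page, not code from Microsoft, Rapid7 or Action1; it checks three things on the local host: whether the IKEEXT service is running, whether anything is bound to UDP 500 and 4500 (IKE and its NAT-T port), and whether an enabled inbound firewall rule allows those ports. The port numbers, the service name and the "likely exposed" logic are the author's assumptions about how IKEv2 is deployed on Windows, not details from the article.

```powershell
# Added example (not from the article or any vendor): assess whether this Windows host
# exposes the IKEv2 service that CVE-2026-33824 affects. Assumptions: IKEv2 on Windows is
# served by the IKEEXT service on UDP 500 (IKE) and UDP 4500 (NAT-T); a host counts as
# "likely exposed" only when the service runs, the ports are bound, and an inbound allow
# rule covers them. Network-level filtering outside the host is not visible here.
$ikePorts = 500, 4500

$svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$serviceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# UDP sockets currently bound to the IKE ports.
$listeners = @(Get-NetUDPEndpoint -LocalPort $ikePorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess)

# Enabled inbound allow rules whose port filter covers UDP 500/4500 (or any port/protocol).
# Port ranges such as "400-600" are not expanded; review those rules by hand.
$ikePortStrings = $ikePorts | ForEach-Object { "$_" }
$allowRules = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        $protoOk = $pf.Protocol -in @('UDP', 'Any')
        $portOk  = ($pf.LocalPort -contains 'Any') -or
                   [bool](@($pf.LocalPort) | Where-Object { $_ -in $ikePortStrings })
        if ($protoOk -and $portOk) { $rule.DisplayName }
    })

$exposed = $serviceRunning -and ($listeners.Count -gt 0) -and ($allowRules.Count -gt 0)

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    IkeextRunning = $serviceRunning
    Listeners     = ($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    AllowRules    = $allowRules -join '; '
    LikelyExposed = $exposed
}

if ($exposed) {
    Write-Warning "IKEv2 is reachable on this host; prioritise the CVE-2026-33824 update and confirm perimeter filtering of UDP 500/4500."
}
```

Run it from an elevated PowerShell session so that the firewall and endpoint cmdlets return complete results. A `LikelyExposed` value of `$true` on a host with an internet-facing interface is the case the quoted analysts are warning about; a host where IKEEXT runs but nothing is bound, or where only the default rules remain, still deserves the patch but is lower on the list.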