Microsoft Patch Tuesday April 2026: 165 CVEs, One Actively Exploited SharePoint Zero-Day

Microsoft's April 2026 Patch Tuesday is the largest release of the year so far. One hundred and sixty-five CVEs addressed in a single update cycle represents a volume that no IT team can absorb uniformly. Eight of those vulnerabilities are rated Critical. One — a SharePoint spoofing vulnerability — was already being actively exploited in the wild when the patch landed. This article provides the technical detail on the three vulnerabilities that require immediate attention and a prioritisation framework for the rest.

CVE-2026-32201: SharePoint Spoofing — The One That Was Already Exploited

CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server rated CVSS 6.5. The score is moderate by standard reckoning, which makes the exploitation status all the more significant: a 6.5 CVSS vulnerability being actively exploited in the wild before the patch is available is a clear indicator that the real-world impact does not track neatly to the theoretical score.

The vulnerability allows an authenticated attacker to forge server-side requests in a way that can be used to access resources or content on behalf of another user, bypass certain access controls, or extract information that should be scoped to a different user or site collection. Exploitation requires an authenticated session, which limits the attack surface compared to unauthenticated vulnerabilities — but in SharePoint environments, that bar is routinely cleared: any domain user with a valid credential is authenticated. In Swiss financial services and enterprise environments where SharePoint is used for document collaboration, this is a meaningful risk.

Microsoft has confirmed exploitation in the wild and recommends immediate patching. There is no documented workaround that adequately mitigates the risk without applying the update. Organisations that cannot patch immediately should review SharePoint access logs for anomalous cross-site or cross-user resource access patterns and consider temporarily restricting external access to SharePoint instances.

CVE-2026-33827: Windows TCP/IP Remote Code Execution — Wormable Potential

CVE-2026-33827 is a remote code execution vulnerability in the Windows TCP/IP stack rated Critical. It affects the handling of specific network packet sequences and can be triggered without authentication by a remote attacker who can reach the target over the network. Microsoft has assessed the exploitability as "Exploitation More Likely" and has flagged the vulnerability as potentially wormable — meaning that a reliable exploit could in principle propagate automatically across network-connected systems without requiring user interaction.

The wormable classification is not a statement that active exploitation with worm characteristics is occurring. It is a forward-looking risk assessment. The practical consequence for Swiss IT teams is that any Windows system reachable over a network segment — including internal segments — is potentially in scope. Perimeter firewall rules provide partial mitigation for externally exposed systems, but lateral movement scenarios within already-compromised networks are not addressed by perimeter controls alone. Internal network segmentation, where it exists, limits the blast radius.

This vulnerability should be treated as first-priority patching alongside CVE-2026-32201. If emergency patching is not immediately feasible, host-based firewall rules restricting inbound network traffic to required ports and source addresses should be applied as an interim measure.

CVE-2026-33825: Microsoft Defender Elevation of Privilege

CVE-2026-33827 is accompanied in priority by CVE-2026-33825, an elevation of privilege vulnerability in Microsoft Defender for Endpoint rated Important. EoP vulnerabilities in security tooling follow a well-documented adversarial pattern: an attacker who has achieved initial access at a standard user privilege level exploits the security product itself to reach SYSTEM-level privileges, bypassing the very controls designed to detect and limit lateral movement. Microsoft Defender is deployed at scale across Swiss enterprise and public sector environments, making this vulnerability particularly relevant to the local threat landscape.

Exploitation requires local access — an attacker must already be on the system. This places it in the second tier of immediate priority compared to the two remote code execution or network-reachable vulnerabilities above, but it should be addressed within the same patching cycle rather than deferred.

Scale: 165 CVEs, 8 Critical — Understanding the Full Release

Beyond the three vulnerabilities above, the April 2026 release includes eight Critical-rated CVEs in total, spanning Windows kernel components, Azure-related services, Remote Desktop Protocol, and the .NET runtime. The remaining 157 vulnerabilities span Important and Moderate ratings across the full Microsoft product surface.

The scale of 165 CVEs in a single cycle is not unprecedented — Microsoft crossed the 150-CVE threshold in three separate months in 2025 — but it reflects a structural reality that patch management programmes must be designed around: the volume of vulnerabilities being disclosed is consistently outpacing the capacity of most IT teams to process and apply updates at the same rate. This is an argument for risk-based triage, not for managing every CVE identically.

A Triage Framework for Swiss IT Teams

The following prioritisation sequence is designed for organisations that cannot apply all 165 patches simultaneously and need a principled approach to sequencing work.

Tier 1 — Apply within 24–48 hours: CVE-2026-32201 (SharePoint, actively exploited) and CVE-2026-33827 (TCP/IP RCE, wormable potential). These represent current or near-term exploitation risk. If your environment includes internet-facing SharePoint and any Windows systems reachable over internal networks, these patches are not optional.

Tier 2 — Apply within one week: CVE-2026-33825 (Defender EoP) and the remaining six Critical-rated CVEs. Review the Microsoft Security Update Guide for the specific products affected and prioritise based on which are deployed in your environment. Remote Desktop Protocol vulnerabilities should be elevated within this tier if your organisation exposes RDP externally.

Tier 3 — Apply within the standard patching cycle (two to four weeks): The remaining Important and Moderate-rated vulnerabilities. Apply in order of exposure: internet-facing systems before internal systems, servers before workstations, shared infrastructure before individual endpoints.

One additional recommendation specific to Swiss organisations: if you operate under FINMA supervision, the ISA circular's requirements for vulnerability management include documentation of prioritisation decisions. Applying a documented triage framework and recording the rationale for sequencing decisions satisfies that requirement and provides an audit trail in the event of a post-incident review.