Microsoft released its April 2026 Patch Tuesday security update today, addressing 167 vulnerabilities across its product portfolio — making it the second-largest monthly patch batch in the company’s history. The update includes fixes for two zero-day vulnerabilities (one actively exploited in the wild), eight critical-severity flaws, and a particularly dangerous unauthenticated remote code execution bug in the Windows IKE service.
If you run Windows infrastructure, SharePoint, or VPN gateways using IKEv2, stop reading and start patching.
The Zero-Days
CVE-2026-32201 — SharePoint Server Spoofing (Actively Exploited)
CVSS: 6.5 | Status: Exploited in the wild
This is a cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server caused by improper input validation. An unauthenticated attacker can exploit the flaw over the network to view sensitive information and modify disclosed data. While the CVSS score looks moderate, the fact that it’s being actively exploited makes it a priority.
Affected versions include SharePoint Server 2016, 2019, and SharePoint Server Subscription Edition. Microsoft has released patches for all three.
CVE-2026-33825 — Microsoft Defender Elevation of Privilege (Publicly Disclosed)
CVSS: 7.8 | Status: Publicly disclosed, no known exploitation yet
An elevation of privilege flaw in Microsoft Defender has been publicly disclosed but is not yet confirmed to be exploited in the wild. With a CVSS of 7.8 and the details already public, the window before exploitation begins is likely narrow — expect threat actors to weaponize this quickly.
The Critical Flaws
Of the eight critical-severity vulnerabilities patched this month, seven are remote code execution flaws. The standout:
CVE-2026-33824 — Windows IKE Service Extensions RCE
CVSS: 9.8 | Vector: Network/Low Complexity/No Auth/No Interaction
This is the one that should keep you up tonight. A double-free vulnerability in Windows Internet Key Exchange (IKE) Service Extensions allows an unauthenticated attacker to achieve remote code execution by sending crafted packets to any target with IKEv2 enabled.
The attack requires no authentication or user interaction and is low complexity. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) is about as bad as it gets. Microsoft rates exploitation as “less likely” for now, but that assessment can change fast — especially for a network-facing, pre-auth RCE.
Any Windows server or workstation running IKEv2 for VPN or IPsec is a potential target. If you’re running Always On VPN, DirectAccess, or site-to-site IPsec tunnels, prioritize this patch immediately.
By the Numbers
The 167 vulnerabilities break down roughly as follows:
- Remote Code Execution: ~60% of critical flaws
- Elevation of Privilege: Significant portion of the total count
- Denial of Service: One critical DoS among the eight critical-rated bugs
- Spoofing/XSS: Including the actively exploited SharePoint zero-day
This is Microsoft’s second-largest Patch Tuesday on record, trailing only the massive batch from earlier this year.
What You Should Do Right Now
Immediate (within 24-48 hours):
- Patch SharePoint Server instances — CVE-2026-32201 is actively exploited
- Update Microsoft Defender definitions and engine — CVE-2026-33825 is publicly disclosed
- Audit IKEv2 exposure — identify all systems with IKE enabled and prioritize CVE-2026-33824
This week:
- Deploy the full April cumulative update across Windows endpoints and servers
- Review firewall rules for IKE traffic (UDP ports 500 and 4500) — restrict to known peers only
- If you can’t patch IKEv2 immediately, consider temporarily disabling the service on non-essential systems
- Check SharePoint Server access logs for signs of XSS exploitation
Ongoing:
- Monitor Microsoft’s exploitability assessments — the Defender and IKE bugs could shift to “exploitation detected” at any time
- Test patches in staging before wide deployment, but don’t let testing delay critical patches for the exploited zero-day
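The IKEv2 items above (audit IKE exposure, review firewall rules for UDP 500/4500, and disable the service where it is not needed) can be turned into a single host check. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 10 / Server 2016 or later with the built-in NetSecurity module, and the addresses in $KnownPeers are placeholders (TEST-NET ranges) that you replace with your real VPN peers or gateways. No KB number is assumed for the April update; compare the reported hotfix against the KB listed in Microsoft's advisory for your build.

```powershell
# Added example (not from the original article): audit IKEv2 exposure on a Windows host
# and, with -Enforce, limit inbound IKE/NAT-T traffic to known peers.
# Assumptions: run elevated; NetSecurity module present; $KnownPeers are placeholders.
param(
    [string[]]$KnownPeers = @('203.0.113.10', '198.51.100.0/24'),  # placeholder peers
    [switch]$Enforce
)

$report = [ordered]@{}

# 1. State of the IKE and AuthIP IPsec Keying Modules service (IKEEXT).
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$report.IkeServiceStatus    = if ($ike) { $ike.Status }    else { 'NotPresent' }
$report.IkeServiceStartType = if ($ike) { $ike.StartType } else { 'NotPresent' }

# 2. Anything bound to UDP/500 (IKE) or UDP/4500 (NAT-T)?
$listeners = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 500, 4500 }
$report.IkeListeners = $listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }

# 3. Enabled inbound allow rules that open those ports, and the remote scope of each.
$ikeRules = Get-NetFirewallPortFilter -Protocol UDP -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -contains '500' -or $_.LocalPort -contains '4500' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
$report.InboundAllowRules = $ikeRules | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    "$($_.DisplayName) [remote: $addr]"
}

# 4. Most recently installed hotfix, to compare against the April 2026 KB for this build.
$report.LatestHotfix = Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1 -ExpandProperty HotFixID

$report | Format-List

# Optional enforcement: disable the broad allow rules and add one scoped to known peers.
# Windows Firewall evaluates Block rules ahead of Allow rules, so the "deny everyone else"
# part comes from the profile's default inbound action (Block), not from an explicit rule.
if ($Enforce -and $listeners) {
    foreach ($r in $ikeRules) { Disable-NetFirewallRule -Name $r.Name }
    New-NetFirewallRule -DisplayName 'IKEv2 from known peers only' -Direction Inbound `
        -Protocol UDP -LocalPort 500, 4500 -RemoteAddress $KnownPeers -Action Allow | Out-Null
    Write-Host "Inbound IKE/NAT-T now limited to: $($KnownPeers -join ', ')"
}
```

Run it without -Enforce first across the fleet (for example via your endpoint management tool) to build the inventory the "Audit IKEv2 exposure" step asks for; hosts with IKEEXT running but no VPN or IPsec role are the candidates for stopping and disabling the service until the patch lands. Keep in mind that IKEEXT also negotiates keys for IPsec policies applied through Group Policy, so disabling it on a host that depends on such policies will break those tunnels, not just client VPN.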