Microsoft’s April 2026 Patch Tuesday

Red | Vulnerability Report

Summary

Microsoft’s April 2026 Patch Tuesday addresses 165 security vulnerabilities across Microsoft’s product ecosystem, making it one of the most extensive security update releases in the company’s history. The release includes 8 Critical, 153 Important, 1 Low, and 3 Moderate severity vulnerabilities spanning multiple Microsoft products, including Microsoft SQL Server, Windows Kernel, Windows Server Update Service, Microsoft Office, Microsoft SharePoint, and Microsoft Edge (Chromium-based).

This month’s Patch Tuesday vulnerabilities fall into several categories: 93 Elevation of Privilege (EoP), 20 Remote Code Execution (RCE), 20 Information Disclosure, 12 Security Feature Bypass, 9 Denial of Service (DoS), 10 Spoofing, and 1 Tampering. Elevation of Privilege vulnerabilities account for over 56% of this month’s patches, reflecting continued attacker focus on post-compromise privilege escalation.

Including 82 non-Microsoft vulnerabilities, the total number of CVEs addressed reaches 247. Of critical concern are 21 CVEs assessed as either actively exploited or at increased risk of exploitation, including 1 actively exploited zero-day and 1 vulnerability that was publicly disclosed before a patch was available.

Vulnerability Details

Actively Exploited Zero-Day Vulnerabilities

CVE-2026-32201 is a critical Microsoft SharePoint Server Spoofing vulnerability (CVSS 6.5) that is actively exploited in the wild. It stems from improper input validation and manifests as cross-site scripting (XSS), allowing attackers to view and modify sensitive organizational data. Despite its moderate CVSS score, confirmed in-the-wild exploitation and SharePoint’s role as a central collaboration platform make it the top remediation priority. This zero-day continues a pattern of SharePoint vulnerabilities being leveraged in ransomware and cyberespionage campaigns.

CVE-2026-5281, a use-after-free vulnerability in Chromium’s Dawn graphics component affecting Microsoft Edge (Chromium-based), is confirmed exploited in the wild. This zero-day poses significant remote code execution risk.

Publicly Disclosed Vulnerabilities

CVE-2026-33825 is a publicly disclosed Microsoft Defender Elevation of Privilege vulnerability (CVSS 7.8). No active exploitation has been confirmed, but the vulnerability description closely matches “BlueHammer,” a proof-of-concept exploit published on GitHub on April 3. Systems with Microsoft Defender disabled are not vulnerable.

Critical Remote Code Execution Vulnerabilities

CVE-2026-33824 (Windows IKE Service Extensions, CVSS 9.8) and CVE-2026-33827 (Windows TCP/IP, CVSS 8.1) are both unauthenticated, network-exploitable RCE vulnerabilities with wormable characteristics. The IKE vulnerability affects systems with IKEv2 enabled, while the TCP/IP vulnerability is a race condition affecting IPv6/IPsec environments.

CVE-2026-33826 (Windows Active Directory, CVSS 8.0) enables authenticated RCE on domain controllers via crafted RPC calls, presenting serious domain compromise risks.

Three Critical RCE vulnerabilities in Microsoft Word and Office (CVE-2026-33115, CVE-2026-33114, CVE-2026-32190) are exploitable through the Preview Pane without the user opening the file, continuing a dangerous pattern from March 2026.

CVE-2026-32157 (Remote Desktop Client, CVSS 8.8) affects users who connect to a malicious RDP server. CVE-2026-23666 (.NET Framework) is a rare Critical-rated Denial of Service vulnerability capable of crippling network-facing .NET applications.

Security Feature Bypass Vulnerabilities

The Secure Boot and BitLocker bypass vulnerabilities are particularly urgent given the Secure Boot certificate expiration deadline on June 26, 2026. Organizations should prioritize validating Secure Boot certificate status across their fleet before this deadline.

Chromium Vulnerabilities

Among the Chromium-based Edge vulnerabilities, two additional Chromium flaws (CVE-2026-5858 and CVE-2026-5859), both in the WebML API, are rated Critical by Google, carried $43,000 bounties each, and could allow remote code execution via crafted HTML pages.

Extended Security Updates End

This release marks the end of Extended Security Updates for Exchange Server 2016 and 2019, leaving on-premises Exchange environments without security coverage moving forward.

Recommendations

Conduct a thorough service exposure assessment to identify vulnerable services that may be publicly accessible, particularly SharePoint Server, IKE/IPsec endpoints, and IPv6-enabled systems. Address identified vulnerabilities promptly by deploying the patches or, as an interim measure, applying security controls such as firewall rules for UDP ports 500 and 4500.

Keep systems up to date by deploying the latest Microsoft Patch Tuesday security updates. Apply hardening guidance tailored to each device type to avoid introducing new weaknesses. Thoroughly review the configuration of internet-exposed devices and applications, including verifying Secure Boot certificate status ahead of the June 26, 2026 expiration deadline.
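The two recommendations above, as an added PowerShell example that is not part of the HivePro advisory: it reports IKE exposure and can apply the interim UDP 500/4500 block, verifies Secure Boot certificate status ahead of the June 26, 2026 deadline, and reports Defender state. The Internet address keyword, the 2023 CA names (taken from Microsoft’s published certificate-update guidance) and the assumption that the host is not a VPN gateway are this example’s assumptions, not statements from the advisory.

```powershell
# Added example, not part of the advisory: readiness checks for the items above.
# Run in an elevated PowerShell on Windows. Firewall changes are only made when
# -ApplyFirewallBlock is supplied; everything else is read-only.
param([switch]$ApplyFirewallBlock)

# 1. IKE exposure (CVE-2026-33824): is the IKE keying service running, and which
#    enabled inbound rules already allow the IKE/NAT-T ports UDP 500 and 4500?
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
"IKEEXT service status: $($ike.Status)"
Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { ($_.LocalPort -join ',') -match '(^|,)(500|4500)(,|$)' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile

# Interim mitigation named in the advisory: block the IKE ports from Internet-scope
# addresses until the patch is deployed. Assumption: this host is not a VPN
# gateway; on a gateway this rule would break legitimate IKEv2 clients.
if ($ApplyFirewallBlock) {
    New-NetFirewallRule -DisplayName 'Interim: block IKE UDP 500/4500 from Internet' `
        -Direction Inbound -Protocol UDP -LocalPort 500,4500 `
        -RemoteAddress Internet -Action Block -Profile Any
}

# 2. Secure Boot readiness ahead of the June 26, 2026 certificate expiration:
#    Secure Boot must be on, and the 2023 Microsoft CAs should already be present
#    in the KEK and db variables (certificate names follow Microsoft's guidance).
try   { $sbOn = Confirm-SecureBootUEFI }           # throws on legacy BIOS hosts
catch { $sbOn = $false }
"Secure Boot enabled: $sbOn"
if ($sbOn) {
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    "db  has 'Windows UEFI CA 2023':                 $($db  -match 'Windows UEFI CA 2023')"
    "KEK has 'Microsoft Corporation KEK 2K CA 2023': $($kek -match 'Microsoft Corporation KEK 2K CA 2023')"
}

# 3. Defender state, relevant to CVE-2026-33825 (hosts with Defender disabled
#    are not affected by it, but the EoP patch still applies where it is enabled).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
"Defender antivirus enabled: $($mp.AntivirusEnabled)"
```

A false result from either Secure Boot check means the host still needs the 2023 certificates applied before the deadline, which is the fleet-wide validation the advisory asks for.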

Prioritize patching the actively exploited and critical vulnerabilities: CVE-2026-32201, CVE-2026-5281, CVE-2026-33825, CVE-2026-33824, CVE-2026-33827, CVE-2026-33826, CVE-2026-33115, CVE-2026-33114, and CVE-2026-32190. These vulnerabilities pose significant exploitation risks including wormable network RCEs and Preview Pane-based Office attacks.

Implement network segmentation to restrict unauthorized access and reduce the impact of potential attacks. This is especially critical given the wormable IKE and TCP/IP vulnerabilities and the Active Directory RCE vulnerability that can enable lateral movement across domain-joined environments.

Adhere to the principle of “least privilege” by giving users only essential permissions needed for their tasks. With Elevation of Privilege vulnerabilities accounting for over 56% of this month’s patches, this strategy is critical to reducing the impact of privilege escalation vulnerabilities.

MITRE ATT&CK TTPs

Initial Access: T1190 (Exploit Public-Facing Application), T1189 (Drive-by Compromise), T1566 (Phishing), T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link)

Execution: T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter), T1059.001 (PowerShell), T1204 (User Execution), T1204.001 (Malicious Link), T1204.002 (Malicious File)

Defense Evasion: T1562 (Impair Defenses), T1562.001 (Disable or Modify Tools), T1553 (Subvert Trust Controls), T1553.005 (Mark-of-the-Web Bypass), T1553.006 (Code Signing Policy Modification)

Privilege Escalation: T1068 (Exploitation for Privilege Escalation), T1542 (Pre-OS Boot), T1542.003 (Bootkit)

Credential Access: T1552 (Unsecured Credentials), T1556 (Modify Authentication Process)

Lateral Movement: T1021 (Remote Services), T1021.001 (Remote Desktop Protocol), T1210 (Exploitation of Remote Services)

Impact: T1499 (Endpoint Denial of Service)
