Microsoft's April 2026 Patch Tuesday: 163 Vulnerabilities, Two Zero-Days, and Why Your Organisation Cannot Afford to Wait

Microsoft's April 2026 Patch Tuesday has landed with a staggering 163 security fixes — the second-largest patch release in the company's history. Among them are two zero-day vulnerabilities, one already being actively exploited in the wild, and eight critical flaws that could allow remote code execution across enterprise infrastructure. For Australian organisations running Microsoft environments, this is not a routine update cycle — it demands immediate attention.

What Happened

On 14 April 2026, Microsoft released patches for 163 CVEs spanning Windows, SharePoint, Office, Active Directory, and Microsoft Defender. The most pressing is CVE-2026-32201, a SharePoint Server spoofing vulnerability with a CVSS score of 6.5 that is confirmed as exploited in the wild. It allows unauthenticated remote attackers to exploit an input validation weakness and access sensitive information without any user interaction. SharePoint 2016, 2019, and Subscription Edition are all affected.

The second zero-day, CVE-2026-33825, is an elevation of privilege flaw in Microsoft Defender scoring 7.8 on the CVSS scale. Dubbed "BlueHammer" by the security community, proof-of-concept exploit code was published on GitHub by a researcher known as "Chaotic Eclipse" on 3 April — a full eleven days before Microsoft issued a fix. A local attacker with low-level access can leverage this flaw to escalate to SYSTEM-level privileges, making it a potent post-compromise tool.

Why It Matters

The sheer scale of this release is significant: 57 per cent of the patched vulnerabilities are elevation of privilege flaws, reflecting the ongoing trend of attackers seeking to move laterally and escalate access once inside a network. With CVE-2026-33824 — a critical unauthenticated remote code execution vulnerability in the Windows IKE Service scoring 9.8 — organisations running VPN infrastructure face particular risk. For Australian businesses subject to the Security of Critical Infrastructure Act and the Australian Signals Directorate's Essential Eight framework, delayed patching of actively exploited vulnerabilities represents a material compliance gap.

The BlueHammer Defender exploit is especially concerning because it was publicly available for nearly two weeks before the patch dropped. Any organisation that relies on Microsoft Defender as its primary endpoint protection may have been exposed during that window.

What Security Teams Should Do Now

• Prioritise patching SharePoint Server immediately — CVE-2026-32201 is confirmed as actively exploited and requires no authentication or user interaction to trigger.

• Deploy the Microsoft Defender update (CVE-2026-33825) across all endpoints without delay. Review logs for signs of privilege escalation activity dating back to early April when the BlueHammer exploit was first published.

• Assess exposure to the Windows IKE vulnerability (CVE-2026-33824, CVSS 9.8). If immediate patching is not feasible, implement firewall rules restricting inbound UDP traffic on ports 500 and 4500.

• Review Active Directory environments for susceptibility to CVE-2026-33826 (CVSS 8.0), which allows authenticated attackers within the same domain to achieve remote code execution via crafted RPC calls.

• Audit Office deployments — three critical RCE vulnerabilities (CVE-2026-32190, CVE-2026-33114, CVE-2026-33115) are exploitable through the Preview Pane alone, requiring no user action beyond viewing a malicious file.

• Conduct a broader vulnerability assessment to identify any systems that may have missed previous patch cycles, compounding the risk from this month's disclosures.

Aurian's Take

This patch cycle underscores a persistent truth about the modern threat landscape: the volume and velocity of vulnerabilities are outpacing many organisations' capacity to respond. With 163 CVEs in a single release — including critical flaws in foundational services like Active Directory, IKE, and Remote Desktop — the attack surface facing enterprise environments is expanding faster than most security teams can manage through patching alone. The BlueHammer incident, where exploit code preceded the official fix by nearly two weeks, highlights the growing tension between responsible disclosure timelines and real-world adversary behaviour.

This is precisely where regular penetration testing and security assurance deliver measurable value. A comprehensive security assessment does not simply validate whether patches have been applied — it identifies the misconfigurations, access control weaknesses, and lateral movement paths that attackers exploit when they breach the perimeter. At Aurian, we routinely find that organisations which invest in periodic penetration testing are better positioned to weather exactly this kind of disclosure storm, because they have already mapped their exposure and hardened the paths that matter most.

Microsoft's April 2026 Patch Tuesday is a reminder that cybersecurity is not a set-and-forget exercise — it requires continuous vigilance, proactive testing, and the ability to respond decisively when the threat landscape shifts beneath your feet.

To find out how Aurian can help your organisation assess its exposure, get in touch.