
Microsoft on Tuesday released an update that addresses a total of 169 security flaws across its product portfolio, including one vulnerability that is being exploited in the wild.
Of these 169 vulnerabilities, 157 were rated as important, eight were rated as critical, three were rated as medium, and one was rated as low severity. Ninety-three of the flaws were classified as privilege escalation, followed by 21 information disclosure, 21 remote code execution, 14 security feature bypass, 10 impersonation, and nine denial of service vulnerabilities.
The 169 flaws also include four non-Microsoft-issued CVEs affecting AMD (CVE-2023-20585), Node.js (CVE-2026-21637), Windows Secure Boot (CVE-2026-25250), and Git for Windows (CVE-2026-32631). This update adds to the 78 vulnerabilities that have been addressed in the Chromium-based Edge browser since an update was released last month.
This release marks the second-largest Patch Tuesday ever, just shy of the record set in October 2025, when Microsoft addressed 183 major security flaws. “At this rate, more than 1,000 Patch Tuesday CVEs per year will be the norm by 2026,” said Satnam Narang, senior staff research engineer at Tenable.
“Not only that, but privilege escalation bugs have continued to dominate Patch Tuesday cycles over the past eight months, accounting for 57% of all CVEs patched in April, while remote code execution (RCE) vulnerabilities have dropped to just 12%, tied with information disclosure vulnerabilities this month.”
The vulnerability currently being exploited is CVE-2026-32201 (CVSS score: 6.5), a spoofing vulnerability affecting Microsoft SharePoint Server.
“Inadequate input validation in Microsoft Office SharePoint could allow an unauthorized attacker to perform impersonation on your network,” Microsoft said in an advisory. “An attacker who successfully exploits this vulnerability could view some sensitive information (Confidentiality) or change the disclosed information (Integrity), but would not be able to restrict access to resources (Availability).”
Although this vulnerability was discovered internally, it is currently unclear how it is being exploited, who is behind the activity, and what the scale of that activity is.
“This zero-day vulnerability in Microsoft SharePoint Server is caused by improper input validation, allowing an attacker to spoof trusted content or interfaces on the network,” said Mike Walters, president and co-founder of Action1.
“By exploiting this flaw, an attacker can manipulate how information is presented to the user and potentially trick the user into trusting malicious content. While the direct impact on data is limited, the ability to fool the user makes this a powerful tool for broader attacks.”
Due to the active exploitation of CVE-2026-32201, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog and required Federal Civilian Executive Branch (FCEB) agencies to fix the flaw by April 28, 2026.
Another notable vulnerability is the Microsoft Defender privilege escalation flaw (CVE-2026-33825, CVSS score: 7.8), which was listed as publicly known at the time of release. According to Redmond, this vulnerability could allow a privileged attacker to locally escalate their privileges by leveraging Defender’s lack of appropriate fine-grained access controls.
Microsoft stated that no user action is required to install the fix for CVE-2026-33825, as the Defender antimalware platform is updated automatically and frequently by default. A system with Microsoft Defender disabled is not in an exploitable state.
One of the most severe vulnerabilities is a remote code execution flaw that affects the Windows Internet Key Exchange (IKE) service extension. Tracked as CVE-2026-33824, this security flaw has a CVSS score of 9.8 out of 10.0.
“An exploit would require an attacker to send a specially crafted packet to a Windows machine that has IKE v2 enabled, potentially leading to remote code execution,” Adam Barnett, principal software engineer at Rapid7, said in a statement.
“While vulnerabilities leading to unauthenticated RCE on modern Windows assets are relatively rare, we would otherwise see many more self-propagating wormable vulnerabilities across the Internet. However, IKE provides a secure tunnel negotiation service for things like VPNs, which necessarily exposes it to untrusted networks and is reachable in a pre-authentication context.”
Walters noted that this security flaw poses a serious threat to corporate environments, especially those that rely on VPNs and IPsec for secure communications. Successful exploitation of this vulnerability could result in a complete compromise of the system, allowing a malicious party to steal sensitive data, disrupt operations, or move laterally across the network.
“This is particularly dangerous for internet-connected systems due to the lack of necessary user interaction. The low complexity of the attack and system-wide impact make it a prime candidate for rapid weaponization,” Walters added. “Internet-facing systems running IKEv2 services are particularly at risk, and delays in patch deployment increase their exposure to widespread attacks.”
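The two exposure conditions described above, for the Defender flaw (a host is only exploitable while Defender is enabled) and for the IKE flaw (the IKE service must be running and reachable pre-authentication), can be inventoried from a defender's side with a short PowerShell check. The script below is an added example, not code from the article or from Microsoft, Tenable, Rapid7 or Action1; it assumes it is run elevated on the Windows host being assessed, that IKE uses the standard UDP ports 500 (IKE) and 4500 (IPsec NAT-T), and it reports the installed Defender platform version rather than claiming which version carries the fix, because the article does not state one.

```powershell
# Added example (not from the article): report whether this host matches the two
# exposure conditions the article describes, to help prioritise patch deployment.
# Assumptions: run elevated; IKE listens on the default UDP ports 500 and 4500.

function Get-IkeExposure {
    # IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service that backs IKEv2.
    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $listening = @()
    if ($svc -and $svc.Status -eq 'Running') {
        # Only look for listeners when the service is up; both ports are checked at once.
        $listening = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort)
    }
    [pscustomobject]@{
        Cve          = 'CVE-2026-33824'
        Service      = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType    = if ($svc) { [string]$svc.StartType } else { $null }
        UdpListeners = $listening
        # Reachable pre-auth IKE is the condition the article ties to this flaw;
        # whether the listener is actually internet-facing still depends on the perimeter.
        IkeReachable = ($listening.Count -gt 0)
    }
}

function Get-DefenderExposure {
    # Get-MpComputerStatus ships with the Defender module and is absent without Defender.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        return [pscustomobject]@{ Cve = 'CVE-2026-33825'; DefenderEnabled = $false; PlatformVersion = $null }
    }
    [pscustomobject]@{
        Cve             = 'CVE-2026-33825'
        # The article states a host with Defender disabled is not in an exploitable state.
        DefenderEnabled = [bool]$mp.AMServiceEnabled
        # Platform and engine versions update automatically by default; record them for the audit trail.
        PlatformVersion = $mp.AMProductVersion
        EngineVersion   = $mp.AMEngineVersion
    }
}

Get-IkeExposure | Format-List
Get-DefenderExposure | Format-List
```

A host where `IkeReachable` is `True` and that sits behind an internet-facing interface is the case the quoted researchers single out; one where `DefenderEnabled` is `True` should simply be confirmed to have received its automatic platform update. Neither function changes any setting; the output is meant to feed a patch-priority list, not to remediate on its own.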
