
Microsoft Patched 167 Vulnerabilities Two Weeks Ago. One Is Being Actively Exploited Right Now.

April's Patch Tuesday dropped on April 14. That was thirteen days ago. And there's a zero-day in Microsoft SharePoint that attackers are actively using in the wild right now, today, against real targets.[1]

I don't write about patches every week for the fun of it. But this one matters. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog and set a remediation deadline of April 28 for federal civilian agencies.[2] That's tomorrow. CISA only adds something to that list when exploitation is confirmed and ongoing, not theoretical.

What's Actually in This Month's Update

Microsoft patched 167 vulnerabilities in April.[1] Eight of them are rated Critical. Two are zero-days, meaning the flaws existed and were known to attackers before Microsoft had a fix ready.

The one getting real attention is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server. The CVSS score is 6.5, which sounds middling until you factor in the context: no authentication required, no user interaction, actively being exploited right now.

What it lets an attacker do: send specially crafted requests to a vulnerable SharePoint server and view or tamper with sensitive information without ever logging in.[3] Affected versions are SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. As of this week, over 1,300 SharePoint servers exposed to the internet have still not been patched.[4]

If you're running SharePoint on your own servers and you haven't applied April's updates, there's a real chance yours is one of those 1,300.

The Other Zero-Day: "BlueHammer"

The second zero-day is CVE-2026-33825, which researchers have nicknamed BlueHammer. It's a privilege escalation bug in Windows Defender, meaning an attacker who already has a foothold on a machine can use it to gain higher-level access.[1]

Microsoft says it's been publicly disclosed but hasn't confirmed active exploitation yet. That gap closes fast. Once a bug is public and a patch exists, skilled attackers reverse-engineer the fix to understand exactly how to exploit it. The window between "disclosed" and "used in the wild" has gotten significantly shorter over the past few years.

There's Also a CVSS 9.8 Remote Code Execution Bug

CVE-2026-33824 is a critical remote code execution vulnerability in Windows Internet Key Exchange (IKE) Service, with a severity score of 9.8 out of 10.[5] An unauthenticated attacker can send specially crafted network packets and execute arbitrary code on a vulnerable Windows machine. No credentials. No user interaction. Just packets.

For most small offices, this service isn't exposed directly to the internet. But if you have machines configured for VPN or IPsec tunnels that face outward, this is relevant to you.

The SharePoint vs. SharePoint Online Distinction

Here's something worth clarifying, because I've seen this confusion come up a lot. If your business uses SharePoint through Microsoft 365 (what used to be called Office 365), you're on SharePoint Online. Microsoft manages the infrastructure and applies security patches on the backend. You don't have to do anything for CVE-2026-32201.

If, on the other hand, you're running SharePoint on a server that your company owns or manages, that's on-premises SharePoint. You're responsible for patching it. That's a meaningful distinction, and it's where the 1,300 exposed servers are coming from.

Not sure which one you have? Your IT person should know immediately. If there's any hesitation there, that's worth noting.

What You Should Do Today

Check Windows Update. Open Settings, go to Windows Update, and see what's pending. If you're running Windows 11, look for KB5083769, the April cumulative update.[1] Install it.

If you manage your own servers, SharePoint patches are not delivered through Windows Update automatically; they come separately through the SharePoint update channels. Your server administrator needs to apply them manually.

While you're at it: verify that Windows Update is set to download and install automatically on your machines. For a lot of small businesses, the default gets changed at some point and nobody notices. That's how a two-week-old patch sits uninstalled when there's an active exploit circulating.
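A read-only status check for the steps above, added here as an example and not part of the original post. It assumes Windows 11 (KB5083769 is the April cumulative update the post names), an elevated PowerShell session, and that the SharePoint Timer service (SPTimerV4) and IKE service (IKEEXT) names are the standard ones on the host.

```powershell
# Added example: patch-status check for the April 2026 items in this post.
# Assumes Windows 11 and an elevated PowerShell session. Reports only; changes nothing.

$kb = 'KB5083769'   # April 2026 cumulative update for Windows 11, per the post

# 1. Is the April cumulative update installed?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "OK      $kb installed on $($hotfix.InstalledOn)"
} else {
    "MISSING $kb not found; open Settings > Windows Update and install it"
}

# 2. Is Windows Update still allowed to download and install automatically?
#    NoAutoUpdate=1 under the policy key turns automatic updates off entirely.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAuto -eq 1) {
    "WARN    automatic updates are disabled by policy ($au\NoAutoUpdate = 1)"
} else {
    "OK      automatic updates are not disabled by policy"
}
$wuSvc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wuSvc -and $wuSvc.StartType -eq 'Disabled') {
    "WARN    the Windows Update service (wuauserv) is disabled"
}

# 3. Does this host run on-premises SharePoint? If the SharePoint Timer service exists,
#    the separate SharePoint update for CVE-2026-32201 is needed, not just Windows Update.
$spTimer = Get-Service -Name SPTimerV4 -ErrorAction SilentlyContinue
if ($spTimer) {
    "NOTE    on-premises SharePoint detected (SPTimerV4 present); apply the SharePoint update separately"
} else {
    "OK      no on-premises SharePoint service found on this host"
}

# 4. Is the IKE service (CVE-2026-33824) running and bound to its UDP ports?
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
if ($ike -and $ike.Status -eq 'Running') {
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | Where-Object { $_.LocalPort -in 500, 4500 }
    if ($udp) {
        $ports = ($udp.LocalPort | Sort-Object -Unique) -join ', '
        "NOTE    IKEEXT is running on UDP $ports; confirm it is not reachable from the internet"
    }
}
```

Run it on each workstation and server; any MISSING, WARN or NOTE line is something to hand to whoever does your patching.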

This is also a decent reminder of why having a managed IT partner matters. Part of what we do is make sure updates like this don't get missed. Not because we're checking every day manually, but because we have systems that monitor patch status and flag deviations. You shouldn't have to keep track of every CVE number. That's what we're here for.

If you're not sure whether your systems have April's updates applied, or you want someone to take patch management off your plate for good, reach out. Send us a message or call (412) 307-8313. We keep Pittsburgh businesses patched, monitored, and a step ahead of this stuff.

  1. Bleeping Computer, "Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days," bleepingcomputer.com
  2. CISA, Known Exploited Vulnerabilities Catalog (CVE-2026-32201), cisa.gov
  3. Security Affairs, "Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day," securityaffairs.com
  4. Bleeping Computer, "Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks," bleepingcomputer.com
  5. CrowdStrike, "April 2026 Patch Tuesday: Updates and Analysis," crowdstrike.com