Full Report
Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities. [...]
Analysis Summary
# Vulnerability: Microsoft April 2026 Patch Tuesday (Highlights)
## CVE Details
- **CVE ID:** CVE-2026-32201
- **CVSS Score:** Not specified in text (Ranked as "Important")
- **CWE:** Improper Input Validation
- **CVE ID:** CVE-2026-33825
- **CVSS Score:** Not specified in text (Ranked as "Important")
- **CWE:** Improper Privilege Management
## Affected Systems
- **Products:**
- Microsoft SharePoint Server
- Microsoft Defender Antimalware Platform
- Microsoft Office (Word and Excel)
- Windows Operating System (various components like Win32K, WalletService, and VBS Enclave)
- **Versions:**
- Microsoft Defender versions prior to **4.18.26050.3011**
- Microsoft SharePoint Server (unspecified versions)
- **Configurations:** Systems with the Microsoft Office Preview Pane enabled are particularly vulnerable to the Office RCE flaws.
## Vulnerability Description
- **CVE-2026-32201 (SharePoint Spoofing):** A spoofing flaw caused by improper input validation. It allows an attacker to manipulate or view sensitive information over a network, though it does not impact service availability.
- **CVE-2026-33825 (Defender EoP):** An elevation of privilege flaw in the Antimalware Platform that allows a local attacker to gain **SYSTEM** privileges on the host machine.
- **Office RCE Flaws:** Multiple bugs in Word and Excel that allow remote code execution when a user opens a malicious document or previews it in the Outlook preview pane.
## Exploitation
- **Status:**
- **CVE-2026-32201:** Exploited in the wild (Zero-day).
- **CVE-2026-33825:** Publicly disclosed (Zero-day).
- **Office RCEs:** PoC status not specified, but categorized as high priority.
- **Complexity:** Low to Medium.
- **Attack Vector:**
- **CVE-2026-32201:** Network.
- **CVE-2026-33825:** Local.
## Impact
- **Confidentiality:** High (Information disclosure in SharePoint and full system access in Defender).
- **Integrity:** High (Modification of information in SharePoint; system-level changes via Defender).
- **Availability:** Low to Medium (SharePoint is unaffected; overall system availability could be compromised via EoP).
## Remediation
### Patches
- **Microsoft Defender:** Update to Antimalware Platform version **4.18.26050.3011** or higher.
- **Microsoft Office/Windows:** Apply cumulative updates released April 14, 2026, via Windows Update or WSUS.
### Workarounds
- Disable the **Preview Pane** in Windows Explorer and Microsoft Outlook to mitigate potential one-click RCE via Office documents.
- Restrict SharePoint access to trusted internal networks only.
## Detection
- **Indicators of Compromise:** Monitor for unusual SYSTEM-level processes spawned by Defender-related executables. Look for unexpected network traffic or unauthorized privilege escalations related to SharePoint service accounts.
- **Detection methods:** Use Windows Event Logs to audit for failed or unexpected credential changes and utilize the Microsoft Security Compliance Toolkit to verify patch compliance.
## References
- hxxps[://]msrc[.]microsoft[.]com/update-guide/en-US/advisory/CVE-2026-32201
- hxxps[://]msrc[.]microsoft[.]com/update-guide/en-US/advisory/CVE-2026-33825
- hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/