Microsoft's April 2026 Patch Tuesday addresses 165 vulnerabilities, including 8 critical flaws and one actively exploited zero-day vulnerability in Microsoft Office SharePoint (CVE-2026-32201). The update resolves critical Remote Code Execution (RCE) vulnerabilities across various components such as the Remote Desktop Client, Microsoft Office, Windows IKE, Active Directory, and TCP/IP.

Sens: Immediate | Conf: high | Analyzed: 2026-04-15

Authors: Nick Biasini

Source: Cisco Talos

Key Takeaways

  • Microsoft's April 2026 Patch Tuesday addresses 165 vulnerabilities, including 8 marked as critical.
  • CVE-2026-32201, a spoofing vulnerability in Microsoft Office SharePoint rated Important, is actively being exploited in the wild.
  • Critical Remote Code Execution (RCE) vulnerabilities affect the Remote Desktop Client, Microsoft Office, Windows IKE, Active Directory, and TCP/IP.
  • CVE-2026-33824 (IKE extension RCE) can be mitigated by blocking inbound UDP ports 500 and 4500 if IKE is not in use.

Affected Systems

  • .NET framework
  • Remote Desktop Client
  • Microsoft Office
  • Microsoft Office Word
  • Windows Internet Key Exchange (IKE)
  • Windows Active Directory
  • Windows TCP/IP
  • Microsoft Office SharePoint
  • Windows Kernel
  • Windows Hello
  • Windows BitLocker
  • Microsoft Defender
  • Windows Search Service
  • Desktop Window Manager

Vulnerabilities (CVEs)

  • CVE-2026-23666
  • CVE-2026-32157
  • CVE-2026-32190
  • CVE-2026-33114
  • CVE-2026-33115
  • CVE-2026-33824
  • CVE-2026-33826
  • CVE-2026-33827
  • CVE-2026-32201
  • CVE-2026-0390
  • CVE-2026-26151
  • CVE-2026-26169
  • CVE-2026-26173
  • CVE-2026-26177
  • CVE-2026-26182
  • CVE-2026-27906
  • CVE-2026-27908
  • CVE-2026-27909
  • CVE-2026-27913
  • CVE-2026-27914
  • CVE-2026-27921
  • CVE-2026-27922
  • CVE-2026-32070
  • CVE-2026-32075
  • CVE-2026-32093
  • CVE-2026-32152
  • CVE-2026-32154
  • CVE-2026-32155
  • CVE-2026-32162
  • CVE-2026-32202
  • CVE-2026-32225
  • CVE-2026-33825

Attack Chain

Attackers are actively exploiting CVE-2026-32201 in Microsoft Office SharePoint to perform spoofing and access sensitive information. Other critical vulnerabilities allow for Remote Code Execution (RCE) via various vectors, such as connecting to malicious servers (RDP), opening crafted files locally (Office), or sending specially crafted packets over the network (IKE, TCP/IP, RPC).

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Snort

Cisco Talos has released Snort and Snort 3 rules to detect attempts to exploit several of these vulnerabilities.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect post-exploitation activity such as anomalous child processes from Office applications or RDP clients, but may lack visibility into the network-level exploitation of IKE or TCP/IP.
  • Network Visibility: High. Many of the critical vulnerabilities (IKE, TCP/IP, RPC) rely on specially crafted network packets, which IDS/IPS systems such as Snort can detect.
  • Detection Difficulty: Moderate. Network signatures exist for some exploits, but detecting local exploitation (e.g., the Office use-after-free bugs) relies heavily on behavioral monitoring and identifying anomalous post-exploitation actions.

Required Log Sources

  • Network IDS/IPS logs
  • Windows Event Logs (System, Security)
  • Application Logs (SharePoint)

Hunting Hypotheses

  • Hypothesis: Look for anomalous child processes spawning from Microsoft Office applications (Word, Excel), which may indicate successful exploitation of CVE-2026-32190, CVE-2026-33114, or CVE-2026-33115.
    Telemetry: Endpoint process execution logs (Event ID 4688 or Sysmon Event ID 1)
    ATT&CK Stage: Execution
    FP Risk: Low to Medium
  • Hypothesis: Monitor for unusual inbound UDP traffic on ports 500 and 4500 targeting Windows machines where IKE is not expected, potentially indicating CVE-2026-33824 exploitation attempts.
    Telemetry: Network traffic logs / Firewall logs
    ATT&CK Stage: Initial Access
    FP Risk: Low
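A small hunting script that applies both hypotheses to constructed sample telemetry (added example, not Talos tooling or detection content; the Office child allowlist, the `Computer`/`dst_host` field names and the set of hosts expected to run IKE are assumptions to tune for your estate):

```python
"""Apply the two hunting hypotheses above to constructed sample telemetry."""
import json
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that Office commonly spawns legitimately; assumed allowlist, tune per estate.
BENIGN_CHILDREN = {"splwow64.exe", "msoadfsb.exe"}
IKE_PORTS = {500, 4500}  # UDP ports named in the CVE-2026-33824 mitigation

def _basename(path):
    return PureWindowsPath(path).name.lower()

def office_child_hits(events):
    """(host, parent, child) for every non-allowlisted child of an Office process.
    Accepts Sysmon EID 1 (Image/ParentImage) and Security 4688 (NewProcessName/ParentProcessName) fields."""
    hits = []
    for ev in events:
        parent = _basename(ev.get("ParentImage") or ev.get("ParentProcessName", ""))
        child = _basename(ev.get("Image") or ev.get("NewProcessName", ""))
        if parent in OFFICE_PARENTS and child not in BENIGN_CHILDREN:
            hits.append((ev["Computer"], parent, child))
    return hits

def ike_traffic_hits(flows, ike_expected_hosts):
    """(dst_host, dst_port) for inbound UDP 500/4500 reaching hosts not expected to terminate IKE."""
    return [(f["dst_host"], f["dst_port"]) for f in flows
            if f["direction"] == "inbound" and f["proto"] == "udp"
            and f["dst_port"] in IKE_PORTS and f["dst_host"] not in ike_expected_hosts]

# Constructed sample events (JSON lines, as a SIEM export might produce); not real logs.
SAMPLE_PROCESS_EVENTS = [json.loads(line) for line in r"""
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "WS02", "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "NewProcessName": "C:\\Windows\\splwow64.exe"}
{"Computer": "WS03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
""".strip().splitlines()]
SAMPLE_FLOWS = [
    {"dst_host": "WS01", "proto": "udp", "dst_port": 500, "direction": "inbound"},
    {"dst_host": "VPNGW1", "proto": "udp", "dst_port": 4500, "direction": "inbound"},  # expected IKE endpoint
    {"dst_host": "WS02", "proto": "tcp", "dst_port": 500, "direction": "inbound"},     # not UDP, ignored
]
IKE_EXPECTED_HOSTS = {"VPNGW1"}  # assumed inventory of hosts that legitimately run IKE

if __name__ == "__main__":
    for hit in office_child_hits(SAMPLE_PROCESS_EVENTS):
        print("Office child hunt:", hit)
    for hit in ike_traffic_hits(SAMPLE_FLOWS, IKE_EXPECTED_HOSTS):
        print("IKE traffic hunt:", hit)
```

Only the Word-to-cmd.exe event and the UDP/500 flow to a non-IKE workstation are reported; the Excel-to-splwow64.exe event, the VPN gateway flow and the TCP flow are filtered out, which is where the allowlist and host inventory keep the false-positive rate down.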

Control Gaps

  • Lack of network segmentation for RPC traffic
  • Unpatched external-facing SharePoint servers

Key Behavioral Indicators

  • Unexpected child processes from Office applications
  • Anomalous RPC calls within restricted AD domains
  • Spoofing indicators in SharePoint access logs

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply Microsoft's April 2026 security updates immediately, prioritizing external-facing SharePoint servers and critical systems.
  • Block inbound traffic on UDP ports 500 and 4500 if Windows Internet Key Exchange (IKE) is not in use to mitigate CVE-2026-33824.

Infrastructure Hardening

  • Ensure IPSec and IPv6 configurations are securely managed and monitored to reduce the attack surface for CVE-2026-33827.
  • Restrict RPC communication within Active Directory domains to necessary hosts to mitigate CVE-2026-33826.

User Protection

  • Educate users on the risks of connecting to untrusted Remote Desktop servers to prevent CVE-2026-32157 exploitation.
  • Deploy endpoint protection to monitor for anomalous behavior originating from Microsoft Office applications.

Security Awareness

  • Inform staff about the active exploitation of SharePoint vulnerabilities and the importance of reporting suspicious document access or modifications.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1068 - Exploitation for Privilege Escalation