
Microsoft addresses 163 CVEs, 88 advisories for April Patch Tuesday

Microsoft's April 2026 Patch Tuesday addresses 163 CVEs across 17 product families, including 8 Critical vulnerabilities and one actively exploited zero-day (CVE-2026-32201 in SharePoint). Organizations should prioritize patching the exploited SharePoint flaw, the publicly disclosed Defender elevation-of-privilege bug (CVE-2026-33825), and the CVSS 9.8 Critical RCE in Windows IKE (CVE-2026-33824).

Sens: Immediate | Conf: High | Analyzed: 2026-04-18

Authors: Angela Gunn

Source: Sophos

Key Takeaways

  • Microsoft released 163 patches for April 2026, including 8 Critical vulnerabilities and 18 with a CVSS base score of 8.0 or higher.
  • CVE-2026-32201 (SharePoint Spoofing) is currently known to be under active exploit in the wild.
  • CVE-2026-33825 (Microsoft Defender Elevation of Privilege) was publicly disclosed prior to Patch Tuesday.
  • CVE-2026-33824 is a Critical RCE in Windows Internet Key Exchange (IKE) with a CVSS score of 9.8, requiring immediate patching or UDP port 500/4500 mitigation.
  • Elevation of Privilege vulnerabilities represent the vast majority of April's CVEs, with Windows being the most affected product family.

Affected Systems

  • Windows
  • Microsoft 365
  • Microsoft Office
  • .NET
  • Microsoft Excel
  • Azure
  • SQL Server
  • Visual Studio
  • SharePoint
  • Microsoft Defender
  • Dynamics 365
  • Windows Server

Vulnerabilities (CVEs)

  • CVE-2026-32201
  • CVE-2026-33824
  • CVE-2026-33825
  • CVE-2026-32190
  • CVE-2026-33114
  • CVE-2026-33115
  • CVE-2026-26151

Attack Chain

Attackers can exploit CVE-2026-32201 to spoof users and access or modify data in SharePoint, potentially aiding social engineering campaigns. For initial access or lateral movement, attackers could leverage CVE-2026-33824 by sending crafted IPsec packets to vulnerable IKE services, achieving remote code execution. Local attackers might then use CVE-2026-33825 in Microsoft Defender to elevate privileges and establish persistence on the compromised host.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Sophos Intercept X, Sophos XGS Firewall

Sophos provides IPS signatures (SIDs) and endpoint protections for several of the addressed vulnerabilities, including the actively exploited CVE-2026-32201 and the publicly disclosed CVE-2026-33825.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect post-exploitation behaviors such as unusual child processes from SharePoint or Defender, but might not see the initial network-level IKE exploit.
  • Network Visibility: Medium — Network sensors can detect anomalous IKE/IPsec traffic (UDP 500/4500) or known exploit signatures for SharePoint, but encrypted payloads may obscure visibility.
  • Detection Difficulty: Moderate — While patches and vendor signatures are available, detecting the specific exploitation of these CVEs without dedicated IPS signatures requires baseline behavioral monitoring of affected services.

Required Log Sources

  • Windows Event Logs
  • IIS Logs
  • Network Flow Logs

Hunting Hypotheses

  • Hypothesis 1: Look for unusual child processes spawned by SharePoint worker processes (w3wp.exe), which may indicate post-exploitation activity related to CVE-2026-32201.
    • Telemetry: Process creation events (Event ID 4688 or Sysmon Event ID 1)
    • ATT&CK Stage: Execution
    • FP Risk: Low
  • Hypothesis 2: Monitor for unexpected inbound UDP traffic on ports 500 and 4500 from unknown peers, potentially indicating CVE-2026-33824 exploitation attempts.
    • Telemetry: Network flow logs or firewall logs
    • ATT&CK Stage: Initial Access
    • FP Risk: Medium
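As an added illustration of the two hunts above (not code from the Sophos write-up or this summary), the following Python runs both hypotheses over constructed sample telemetry; the w3wp.exe child baseline, the hostnames and the known-peer range are assumptions that must be tuned to each environment.

```python
from ipaddress import ip_address, ip_network

# Constructed sample process-creation records (Security 4688 / Sysmon 1); not real telemetry.
PROCESS_EVENTS = [
    {"EventID": 4688, "Host": "sp01", "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\conhost.exe"},
    {"EventID": 4688, "Host": "sp01", "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Host": "sp02", "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "Host": "ws07", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

# Assumed baseline of children a SharePoint w3wp.exe normally spawns; derive the real one from history.
W3WP_BASELINE = {"conhost.exe", "csc.exe", "werfault.exe"}

def unusual_w3wp_children(events, baseline=W3WP_BASELINE):
    """Hypothesis 1: process-creation events whose parent is w3wp.exe and
    whose child image is outside the baseline. Returns (host, child) pairs."""
    hits = []
    for ev in events:
        if ev["EventID"] not in (4688, 1):      # 4688 = Security log, 1 = Sysmon
            continue
        parent = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        child = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child not in baseline:
            hits.append((ev["Host"], child))
    return hits

# Constructed flow records: (src, dst, proto, dst_port). Not real traffic.
FLOWS = [
    ("203.0.113.7", "198.51.100.10", "udp", 500),
    ("192.0.2.44", "198.51.100.10", "udp", 4500),
    ("203.0.113.99", "198.51.100.10", "udp", 4500),
    ("203.0.113.99", "198.51.100.10", "tcp", 443),
]
# Assumed set of legitimate IPsec peers for the gateway at 198.51.100.10.
KNOWN_PEERS = [ip_network("203.0.113.0/28")]

def unknown_ike_peers(flows, known=KNOWN_PEERS):
    """Hypothesis 2: inbound UDP 500/4500 from a source outside the known-peer
    set. Returns (src, dst_port) pairs."""
    hits = []
    for src, _dst, proto, dport in flows:
        if proto == "udp" and dport in (500, 4500):
            if not any(ip_address(src) in net for net in known):
                hits.append((src, dport))
    return hits
```

The same matching logic maps directly onto a KQL or Sigma rule once the baseline set has been validated against a few weeks of the environment's own 4688/Sysmon history.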

Control Gaps

  • Unpatched internet-facing SharePoint servers
  • Lack of network segmentation for IPsec/IKE traffic

Key Behavioral Indicators

  • Anomalous w3wp.exe process ancestry
  • Unexpected Defender service crashes or privilege escalations

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply April 2026 Microsoft security updates, prioritizing internet-facing systems and domain controllers.
  • Patch CVE-2026-32201 (SharePoint) and CVE-2026-33824 (IKE) immediately.
  • If CVE-2026-33824 cannot be patched, block inbound UDP ports 500 and 4500 for systems not using IKE, or restrict to known peers.

Infrastructure Hardening

  • Review and restrict IPsec/IKE configurations to trusted IP ranges.
  • Ensure Microsoft Defender is actively updating its signatures and engines.

User Protection

  • Educate users on the new security warnings in the Remote Desktop Connection app when opening RDP files (CVE-2026-26151).

Security Awareness

  • Monitor vendor threat intelligence for updates on the active exploitation of CVE-2026-32201.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1068 - Exploitation for Privilege Escalation
  • T1036 - Masquerading

Additional IOCs

  • Other:
    • SID:2312418 - Sophos IPS signature for CVE-2026-32201
    • SID:2312409 - Sophos IPS signature for CVE-2026-33825
    • ATK/BHammer-A - Sophos detection for CVE-2026-33825
    • Troj/JSExp-Y - Sophos detection for CVE-2026-32202