April 2026 Patch Tuesday: 167 CVEs, Two Zero-Days, and a Deadline You Cannot Afford to Miss
Right now, attackers are exploiting a Microsoft SharePoint vulnerability to gain access to businesses. The patch became available yesterday. A significant number of organisations have not yet deployed it.
That is April 2026 Patch Tuesday in a single sentence. This month’s release is the second largest in Microsoft’s history: 167 CVEs, eight rated Critical, seven of those involving remote code execution. In this episode, I walk through every vulnerability that matters and give you a clear, prioritised action list.
If you prefer to listen first, the episode is eight minutes. The action list is the same either way.
Why This Month Requires Immediate Attention
The volume alone would be significant. But volume is not the issue this month: it is the combination of confirmed exploitation, widely available proof-of-concept code, and a separate infrastructure deadline that makes April 2026 an unusually high-pressure month.
Two of this month’s CVEs are zero-days. One was already in use against real targets before the patch was released. The other has working exploit code on a public platform that anyone can download and use today.
There is also a Secure Boot certificate expiry on 26 June. That is eleven weeks from now. This month’s update begins the rollout of replacement certificates. The window to act before the deadline is narrower than it looks.
The SharePoint Zero-Day Being Exploited Right Now
CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint with a CVSS score of 6.5. Security analysts have noted that score is understated relative to the real-world risk.
The reason is the attack conditions required: none. No login. No internal network access. No elevated permissions. An external attacker can reach an internet-facing SharePoint server directly and exploit this vulnerability without any credentials at all. Exploitation has been confirmed by Microsoft in this month’s release notes.
If your business runs SharePoint on-premises and that server has any internet exposure, this is your first task today. Not after lunch, not when you get a moment: first thing.
If patching immediately is not possible, the interim step is to remove direct internet exposure from the SharePoint server while you schedule the maintenance window. A server that cannot be reached from outside cannot be exploited remotely. It is not a permanent solution, but it eliminates the immediate risk.
It is worth noting that SharePoint has featured in significant UK data breaches before this vulnerability. The Lawcover incident covered on this site is a useful reminder of what happens when SharePoint configuration is not treated as a security matter. You can read that analysis here: Lawyers, Judges, and a Bloody SharePoint Backup.
The Defender Flaw with Working Exploit Code on GitHub
CVE-2026-33825 is a privilege escalation vulnerability in Microsoft Defender. Unlike the SharePoint flaw, this one has not yet been used in confirmed attacks. That is the only reassuring thing about it.
Proof-of-concept exploit code has been publicly available on GitHub since 3 April. Anyone who wants to attempt this exploit can find the code and run it. The patch is now available. By end of business today, there is no legitimate reason to remain unpatched against a publicly known privilege escalation flaw in your endpoint security product.
The combination of a public exploit and a patch makes this straightforward: patch. Privilege escalation vulnerabilities allow an attacker who has already gained basic access to your system to elevate themselves to administrator level. Patching Defender does not protect against the initial access, but it does remove the escalation step.
The 9.8 Critical in Windows Internet Key Exchange
CVE-2026-33824 sits at the top of the CVSS severity scale at 9.8. It affects Windows Internet Key Exchange (IKEv2), the component that handles secure communications between systems.
The attack conditions are the same concern as the SharePoint flaw: unauthenticated, remote, no credentials required. The difference is that this one has not yet been exploited in the wild. Microsoft rates exploitation as likely.
If you cannot deploy the patch immediately, the interim mitigation is a firewall rule restricting IKEv2 traffic on UDP port 500 from untrusted external sources. That is a targeted configuration change your IT support should be able to implement in under thirty minutes. It reduces exposure while you schedule the full patch deployment.
Beyond Microsoft: Fortinet, SAP, Chrome, and wolfSSL
This month’s patch activity extends well beyond the Microsoft release. Four other items require attention depending on your environment.
Fortinet FortiClient EMS has a critical vulnerability under active exploitation right now: CVE-2026-35616. This sits at equal priority to the SharePoint flaw. If FortiClient runs in your environment, your IT team needs to address this today alongside SharePoint.
SAP Business Planning and Consolidation has a critical SQL injection flaw in this month’s release. If your business uses SAP, confirm with your IT support or SAP partner that this update is scheduled for immediate deployment.
Google Chrome fixed a zero-day this month. If Chrome is your browser, open it now and check the three-dot menu for pending updates. This is a thirty-second task.
wolfSSL has a forged certificate vulnerability affecting any development team using that library in their applications. If your business has software developers, ensure this is on their patching list this week.
The Secure Boot Deadline: 26 June 2026
This is the issue with the longest lead time but the hardest deadline.
Microsoft issued Secure Boot certificates in 2011. Those certificates expire on 26 June 2026. This month’s Patch Tuesday update is part of the phased rollout to replace them with updated certificates. After expiration, systems without updated certificates lose Secure Boot protection against bootkit malware, including BlackLotus, which was used in attacks throughout 2023 and 2024.
The deadline is eleven weeks away. It will not move. The update process requires multiple steps and Microsoft has phased the rollout to give organisations time to validate compatibility before the deadline forces the issue.
The action for this month is to check your Secure Boot certificate status before the end of April. Your IT support should be able to confirm this is in progress. If it has not been started, escalate it now. Eleven weeks sounds like a comfortable margin. It is not, once you factor in compatibility testing across multiple device types and any business systems with specific boot requirements.
The Pattern That Should Inform Your Approach
December 2025. January 2026. February 2026 brought six actively exploited zero-days in a single month. March 2026. April 2026.
Every month of 2026 has included at least one actively exploited zero-day in Microsoft’s release. The frequency of confirmed exploitation is higher than the equivalent period in 2025. Attackers are finding and using vulnerabilities faster than many organisations are deploying patches.
The strategic implication is straightforward: a patching process that treats updates as a monthly batch job run at convenience is no longer sufficient. A process that prioritises and deploys Critical and actively exploited vulnerabilities within 24 to 48 hours of release, with lower-rated CVEs following on a scheduled cycle, is what the current threat environment requires. We covered how to structure that process in our earlier Patch Tuesday episodes, linked at the bottom of this article.
How to Turn This Into a Competitive Advantage
Patching is invisible when it works and catastrophic when it does not. That asymmetry is exactly why treating it as a documented, audited process gives you a genuine competitive edge.
When clients, partners, or insurers ask about your security posture, being able to demonstrate a written patching policy with defined timelines, documented deployment records, and a specific process for Critical vulnerabilities is a meaningful differentiator. Most businesses of your size have no documentation at all. Some have a policy that exists only on paper and is not followed in practice.
Cyber Essentials certification requires patch management controls. If you are certified or working towards certification, a structured patching process strengthens your audit position. If you are pursuing contracts in sectors that require Cyber Essentials Plus, documented patch deployment records are part of the evidence base. You can read more about building that compliance foundation in our earlier analysis of cyber insurance claims that have been denied due to poor patch hygiene.
How to Sell This to Your Board
Three arguments work for executive audiences.
Confirmed exploitation means the risk is not theoretical. CVE-2026-32201 and CVE-2026-35616 are not hypothetical risks. They are documented, ongoing attacks. The question for the board is not whether to take this seriously but whether the organisation has the capability to respond within the required timeframe.
The cost of patching is fixed. The cost of a breach is not. A managed patch deployment this week costs IT support time. A successful exploit against an unpatched SharePoint server costs incident response, potential notification obligations under UK GDPR, reputational damage, and possible ICO investigation. The comparison is not close.
The Secure Boot deadline has a hard date. 26 June is not a guideline. Systems that miss the update window lose a layer of protection that cannot be retrospectively applied after expiry in the same way. The board should be asking for confirmation that this is in the current IT plan, with a completion date before the deadline.
What This Means for Your Business
-
Run Windows Update today. For Windows 11 versions 24H2 and 25H2, look for KB5083769. For Windows 10 on extended support, that is KB5082200. Do not wait for the next scheduled maintenance window.
-
Treat SharePoint as priority one if it faces the internet. CVE-2026-32201 is confirmed exploitation. If patching cannot happen immediately, remove internet exposure from that server as an interim measure and schedule the patch for the earliest possible maintenance window.
-
Escalate FortiClient EMS if it is in your environment. CVE-2026-35616 sits at the same urgency level as the SharePoint flaw. Your IT support or MSP needs to be aware of this today.
-
Check your Secure Boot certificate status before 30 April. Give yourself a buffer before the 26 June deadline. Ask your IT support to confirm the update is either already deployed or scheduled with a specific completion date.
-
Review your patching process structure. If your current approach relies on monthly batch updates at convenience, this month’s release is a concrete example of why that timeline creates unacceptable exposure. A tiered process, with Critical and exploited vulnerabilities prioritised within 24 to 48 hours, is the standard your business should be operating to. Our earlier episode on building a practical cyber recovery plan covers how patching fits into your broader resilience framework.
| Source | Article |
|---|---|
| Microsoft MSRC | Microsoft Security Update Guide: April 2026 Release Notes |
| BleepingComputer | Microsoft April 2026 Patch Tuesday Analysis |
| Tenable | Microsoft’s April 2026 Patch Tuesday Covers 167 CVEs |
| Computer Weekly | April 2026 Patch Tuesday: Key Vulnerabilities Covered |
| Help Net Security | April 2026 Patch Tuesday Forecast |
| WindowsReport | KB5083769: What You Need to Know |
| CISA | Known Exploited Vulnerabilities Catalogue |
| Fortinet | FortiGuard PSIRT Advisory: CVE-2026-35616 |