Microsoft Patch Tuesday | April 2026

Written by Admin | Apr 15, 2026 3:16:00 PM

Microsoft’s April Patch Tuesday has landed, addressing 167 vulnerabilities, including two zero-days, one of which is already being actively exploited.

This month’s release brings scale, complexity and real-world risk. With 167 vulnerabilities addressed and active exploitation already underway, the gap between patching and exposure gets very small, very quickly. For teams already juggling alerts, tools, and limited time, this is where pressure builds.

The question isn’t just what’s been fixed. It’s what actually matters in your environment, and how quickly you can act on it.

The Headline Numbers Don’t Tell the Full Story

On the surface, it looks like another large patch cycle. But the detail underneath is where the risk really sits:

  • 93 elevation of privilege vulnerabilities
  • 20 remote code execution flaws
  • 21 information disclosure issues
  • 13 security bypasses
  • 10 denial of service
  • 9 spoofing vulnerabilities

What that actually means is simple.

Attackers don’t need multiple ways in. They need one foothold, then the ability to move.

And with privilege escalation making up the majority, that movement gets a lot easier. That’s where real damage is done.

The Two Zero-Days That Matter

Two zero-days stand out this month, and both demand attention.

CVE-2026-32201 – SharePoint (Actively Exploited)
A spoofing vulnerability in SharePoint is already being used in attacks. It allows attackers to impersonate trusted content and manipulate or access data within environments.

CVE-2026-33825 – Microsoft Defender (Publicly Disclosed)
A privilege escalation flaw that can grant SYSTEM-level access. Once exploited, attackers can take control of the affected system.

This is the combination that matters.

Initial access doesn’t need to be perfect when escalation paths are this available.

Why This Month Is Different

This isn’t just about volume.

It’s about how these vulnerabilities interact.

  • SharePoint provides an entry point or manipulation layer
  • Privilege escalation enables control
  • Remote code execution expands impact

Individually, these might not seem critical. Together, they create a clear attack path.

And that’s how real incidents happen. Not from one vulnerability, but from chaining several together.

What This Looks Like in Practice

A realistic attack flow this month starts with something simple, like initial access through phishing or an exposed service. From there, a SharePoint vulnerability can be used to gain trust or extend access, before escalating privileges to SYSTEM level through the Defender flaw. Once that level of control is achieved, movement across the environment becomes far easier, leading to data access, persistence, or even ransomware deployment.

None of this relies on sophisticated techniques. It relies on gaps in visibility.

The Bigger Problem Isn’t Patching

Yes, patching matters. But that’s not where most organisations fail.

The real issue is prioritisation.

167 vulnerabilities doesn’t just mean risk. It means:

  • More alerts
  • More backlog
  • More decisions that need to be made fast

And without context, everything looks urgent.

That’s where teams slow down. That’s where risk slips through.

What You Should Be Doing Right Now

The focus right now should be on what actually reduces risk, not just what looks urgent on paper.

Start by identifying whether SharePoint is exposed in your environment and prioritise patching immediately if it is. From there, ensure Microsoft Defender is fully updated across all endpoints, and take the time to understand where privilege escalation paths exist within your estate. This is where attackers gain real control.

Prioritisation is key. Not every vulnerability in this release carries the same weight, so decisions should be based on exploitability and real-world impact, not just severity scores.

Because while not everything here matters equally, some of it really does.
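The prioritisation described above, as an added example (not code from CybaOps or Microsoft): findings are tiered by exploitation status first, then exposure, then severity score. The estate inventory, the placeholder identifiers and all severity values are constructed for illustration; only the two CVE IDs come from this article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    impact: str
    severity: float          # constructed placeholder, not a published score
    exploited: bool = False  # exploitation observed in the wild
    disclosed: bool = False  # details public before the patch shipped

# Constructed inventory: product -> (installed, reachable from the internet)
ESTATE = {
    "SharePoint": (True, True),
    "Microsoft Defender": (True, False),
    "Product A": (True, False),
    "Product B": (False, False),
}

# Constructed sample of a patch list, deliberately not in priority order.
FINDINGS = [
    Finding("PLACEHOLDER-RCE-1", "Product A", "Remote Code Execution", 9.8),
    Finding("PLACEHOLDER-DOS-1", "Product B", "Denial of Service", 7.5),
    Finding("CVE-2026-33825", "Microsoft Defender", "Elevation of Privilege", 7.8, disclosed=True),
    Finding("CVE-2026-32201", "SharePoint", "Spoofing", 6.5, exploited=True),
    Finding("PLACEHOLDER-EOP-1", "Product A", "Elevation of Privilege", 7.8),
]

TIER_NAMES = ["patch now", "patch next", "normal cycle"]

def tier(f, exposed):
    if f.exploited:
        return 0  # already used in attacks: outranks any score
    if f.disclosed or (exposed and f.impact == "Remote Code Execution"):
        return 1  # public details, or remote code execution on an exposed service
    return 2

def triage(findings, estate):
    """Return [(cve, tier_name)] ordered by tier, then exposure, then severity."""
    ranked = []
    for f in findings:
        installed, exposed = estate.get(f.product, (False, False))
        if not installed:
            continue  # product absent from the estate, nothing to patch
        ranked.append((tier(f, exposed), not exposed, -f.severity, f.cve))
    ranked.sort()
    return [(cve, TIER_NAMES[t]) for t, _, _, cve in ranked]

if __name__ == "__main__":
    for cve, name in triage(FINDINGS, ESTATE):
        print(f"{name:12}  {cve}")
```

Sorting the same list by severity alone would put the placeholder remote code execution entry first and the actively exploited SharePoint issue last.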

Why Visibility Fails When It Matters Most 

The problem is what happens next. When risk is spread across multiple tools and stitched together manually, clarity slows down and decisions get harder.

Drop 167 vulnerabilities into that environment and the gap becomes obvious. It’s not a lack of data that causes issues; it’s not knowing what matters most, fast enough.

CybaOps brings vulnerabilities, assets, and active threats into one operational view, so you can prioritise with confidence and act where it counts.
