Microsoft April Patch Tuesday: Critical Fixes and Urgent Updates

April 2026 Patch Tuesday: What you need to know

Patching is a strategic priority

April 2026’s Patch Tuesday includes over 160 vulnerabilities, but the real story is not volume.  It is how these vulnerabilities can be combined into a complete attack chain.  This month is dominated by 90+ Elevation of Privilege vulnerabilities, alongside 20 Remote Code Execution vulnerabilities.  There is one confirmed exploited vulnerability and one publicly disclosed issue.

At first glance this may appear lower risk due to limited active exploitation, but that would be a mistake.  This release highlights a clear shift in attacker behaviour, rather than relying on a single critical vulnerability, attackers are increasingly assembling reliable attack chains using low-friction entry points, abundant privilege escalation opportunities, and weaknesses in trusted platforms.  With models like Anthropic’ s Claude Mythos now demonstrating autonomous zero-day discovery and exploit chaining, this approach is only becoming easier and faster.

For CISOs and the teams that support them, the priority is no longer patching by severity alone.  It is understanding how vulnerabilities connect and where the real risk sits.

Privilege Escalation: The Enabler

With 94 EoP vulnerabilities, once an attacker gains any foothold, moving to higher privileges becomes disturbingly straightforward.  CVE-2026-33825 (Microsoft Defender Elevation of Privilege) publicly disclosed and rated "Exploitation More Likely".  It weakens a core security control, it could allow attackers to elevate within a trusted context and establish persistence, turning a single compromise into an organization wide threat.‍

Trusted Platforms Can Be Weaponized

CVE-2026-32201 (Microsoft SharePoint Server Spoofing) is the most notable vulnerability this month as it is already being exploited in the wild.  Although classified as spoofing, it lets attackers abuse a trusted internal platform for credential harvesting, targeted phishing, or seamless lateral movement that blends into normal business activity. 

The Attack Chain You Should Be Prioritizing

The biggest risk this month isn’t any single CVE but it’s how they connect:

1. Gain initial access via a Preview Pane vector (e.g., Office RCEs like CVE-2026-32190, CVE-2026-33114/33115), an RDP client flaw (CVE-2026-32157), or a network-facing service (e.g., IKE or TCP/IP RCEs).
2. Escalate privileges using the abundance of EoP flaws (including the Defender issue).
3. Leverage the exploited SharePoint spoofing flaw for lateral movement and persistence inside the environment.

This is a complete, realistic attack path built entirely from vulnerabilities in this release. 

How You Become the Hero This Month

The organisations that stand out this April won’t be the ones that patch the most vulnerabilities, they’ll be the ones that patch the right vulnerabilities first.

Focus on your unique Patch Risk Profile:

• Prioritise initial access vectors first & pay special attention to Office Preview Pane risks, the Remote Desktop Client flaw (CVE-2026-32157), and network-facing services such as IKE and TCP/IP.
• Treat privilege escalation as urgent, especially with Mythos-level AI making chaining much more accessible.
• Fast-track Attack Chain vulnerabilities, even when rated “Important”.
• Leverage Endpoint Resilience: Absolute enables rapid rehydration to a golden image, restoring thousands of devices in hours rather than days through firmware-embedded persistence.
• When attack chains succeed, the organisations that recover fastest are the ones that stop downtime.

Patch smart. Build resilience. Happy patching. 

See the April 2026 Patch Tuesday Chart (PDF).