Microsoft April 2026 Patch Tuesday: SharePoint Zero-Day Exploited + Wormable TCP/IP RCE

#Patch Tuesday triage for operators who don't have a week

I'll keep this one short because the operational question matters more than the analysis. April 14, 2026 dropped 167 Microsoft CVEs and an emergency Adobe Acrobat patch that had been under active exploitation for four months. Some of you are reading this on Tuesday night. You don't have time for a 3000-word deep dive.

So here's the triage list. What has to be patched in 24 hours, what can wait until next week, and what's probably marketing noise. If you run Windows, SharePoint, or anything that opens PDFs, the first list applies to you.

#The headline

April 14, 2026. Microsoft's April Patch Tuesday shipped fixes for 167 vulnerabilities, two of which are zero-days. Adobe joined the party with a critical out-of-band patch for Acrobat Reader that had been exploited in the wild for four months before disclosure.

If you run a Windows environment, SharePoint, or anything that opens PDFs, drop everything and patch. The operational tempo matters here: the actively-exploited SharePoint bug requires no authentication, no user interaction. And is already being weaponized by ransomware affiliates and state actors. This isn't a speculative "patch when you can" advisory. It's a live-fire situation.

The priority breakdown, the technical mechanics, and the 72-hour patching plan.

#Tier 1: Patch immediately

#CVE-2026-32201. SharePoint spoofing, actively exploited

• CVSS: 8.6 (high)
• Attack vector: Network, unauthenticated, no user interaction
• Affected: Microsoft SharePoint Server 2019 and Subscription Edition (cloud SharePoint Online isn't affected. Microsoft already patched the managed service side)
• Status: Actively exploited in the wild as of patch release

The root cause is an improper input validation flaw in SharePoint's request handling that lets a remote attacker send a crafted request which makes SharePoint trust attacker-supplied content as if it originated from a legitimate user session.

Practical impact per Microsoft's exploitability index: attacker can access limited sensitive data on the SharePoint instance and modify content. That sounds mild. In practice it's not. "Access sensitive data" in a SharePoint context means reading documents that users store believing they're protected by ACL. "Modify content" means uploading weaponized documents into SharePoint libraries that are then trusted by downstream users.

What's being exploited right now per ZDI, Tenable, and Rapid7 telemetry:

• Initial access brokers using CVE-2026-32201 to plant webshells in SharePoint libraries
• Documents modified to include malicious macros, then shared through normal SharePoint sharing flows (the attack looks like it comes from trusted internal users)
• Credential harvesting against SharePoint Service Accounts via injected content
• Data exfiltration from document libraries

Microsoft is actively tracking ransomware affiliate groups, Volt Typhoon (Chinese state-aligned). And at least one financially motivated actor exploiting this bug for initial access. If you run on-prem SharePoint and haven't patched, assume you're already being scanned and possibly compromised.

Action: install the April 2026 SharePoint security update immediately. If you can't patch within 24 hours, implement the workaround: block anonymous requests at the edge and force SAML authentication for every SharePoint request. If you've been exposed for any length of time since patch release, run compromise assessment across SharePoint Service Accounts, document libraries. And any workflow that references SharePoint content.

#CVE-2026-33825. Microsoft Defender elevation of privilege, publicly known

• CVSS: 7.8 (high)
• Attack vector: Local
• Status: Publicly known. Active exploitation not yet confirmed but expected

A local privilege escalation in Microsoft Defender's own service. An attacker with low-privilege code execution on a Windows endpoint can escalate to SYSTEM by abusing a permissions flaw in how Defender handles certain filesystem operations.

Why it matters: Defender is one of the most privileged services on a Windows box. If the endpoint protection can be subverted into running attacker code as SYSTEM, defense-in-depth collapses. The thing that was supposed to catch malware becomes the pivot point.

Combined with any remote code execution on user-level (malicious Office doc, phishing implant, another CVE), this bug completes the kill chain from "user got phished" to "attacker has SYSTEM on the box."

Action: patch. Every Windows endpoint with Defender installed.

#CVE-2026-33827. Windows TCP/IP RCE, potentially wormable

• CVSS: 9.8 (critical)
• Attack vector: Network, unauthenticated, no user interaction
• Requires: IPv6 + IPsec enabled (the default in domain environments and many public-facing Windows servers)
• Status: Not yet observed in the wild, but the exploit-primitive profile is high

The nightmare scenario. A remote, unauthenticated attacker sends crafted packets to a Windows machine with IPv6 + IPsec and gets arbitrary code execution at the kernel level. No user interaction. No authentication. The only pre-requisite is that the target has IPv6 and IPsec on. Which is default in Active Directory environments.

Why "potentially wormable". If the exploit is reliable (Microsoft's exploitability index currently rates it "Exploitation More Likely"), a worm could propagate across LANs without user action the way WannaCry and NotPetya did in 2017. Those two events between them cost organizations tens of billions of dollars.

Microsoft hasn't confirmed public exploitation yet, but the Patch Tuesday disclosure is the starting gun. Expect reverse-engineering of the patch to produce exploit primitives within 2-4 weeks. Ransomware crews will weaponize it as fast as WannaCry's EternalBlue was weaponized.

Action: patch. If you run domain controllers, email servers, file servers, or anything else with IPv6 + IPsec and internet exposure, patch in the next 48 hours at most.

#Adobe Reader CVE-2026-34621. Four months in the wild

• CVSS: 9.1 (critical)
• Attack vector: Malicious PDF + Acrobat Reader
• Patched: April 11, 2026 (out-of-band emergency release)
• Status: Exploited in the wild since at least December 2025

Adobe published an out-of-band patch for Acrobat Reader addressing an arbitrary code execution flaw triggered by specially crafted PDF files. The concerning part: telemetry from several EDR vendors and Volexity suggests this bug has been exploited in targeted attacks since at least December 2025.

Four months of silent weaponization. Someone, probably a state-aligned actor given the targeting patterns (defense contractors, media outlets, specific non-profits), has been using this zero-day to compromise high-value targets via email attachments. The CVE only became public on the April 11 patch release.

Practical impact: if you received and opened any PDF between December 2025 and April 11, 2026 from an untrusted sender (or a sender whose account might be compromised), your machine may have been a target.

Action:

1. Patch Adobe Acrobat Reader and Acrobat to the latest version immediately.
2. Review endpoint telemetry for the last four months for anomalous child processes spawned from Adobe Reader (command-line launch of cmd.exe, powershell.exe, rundll32.exe, etc. with Acrobat as the parent).
3. Consider using a browser-based PDF renderer (Chrome, Edge) instead of desktop Acrobat for untrusted documents going forward. Browser sandboxes are materially stronger than Adobe's.

#Tier 2: Patch within the week

The remaining 164 CVEs in the April update include a mix of:

• 11 elevation of privilege flaws in Windows kernel, Graphics, Cloud Files, and Virtualization components
• 8 remote code execution flaws in various Windows services
• 4 information disclosure bugs
• Multiple Microsoft Office flaws including Excel and Word parsing bugs that trigger on document open
• Edge browser security updates (Chromium synchronized)
• .NET + Visual Studio fixes

None are as urgent as the Tier 1 list. But the Office and Exchange-related RCE patches should be prioritized for any environment that handles external email attachments.

#Tier 3: Fortinet CVE-2026-35616. The bonus emergency

Not technically part of Microsoft's Patch Tuesday. But landing the same week and worth urgent attention: CVE-2026-35616 in Fortinet's FortiClient EMS. CVSS 9.8. Added to CISA's Known Exploited Vulnerabilities catalog. As of this writing a full patch is still pending. Fortinet has released a hotfix and a workaround, and a full release is expected imminently.

FortiClient EMS is the centralized management server for Fortinet's endpoint agent. A successful exploit gives the attacker control of every FortiClient-managed endpoint in the enterprise. If you run FortiClient EMS:

1. Verify you've applied the current hotfix (Fortinet advisory FG-IR-26-112)
2. Restrict access to the FortiClient EMS management interface to a VPN-only allowlist
3. Monitor for the CISA-published IOCs
4. Plan full patch deployment as soon as Fortinet releases

#The 72-hour patching plan

If you're a security lead reading this and trying to figure out where to start, here's the prioritization tree:

Hour 0. Assess exposure

• Inventory: which Windows Server versions, SharePoint installations, Adobe Reader installations, FortiClient EMS instances are in your environment?
• Internet exposure: which of those are reachable from the public internet (directly or via proxy)?
• IPv6 + IPsec: what percentage of your Windows estate has both enabled?
• Emergency contact list: who has patch authority for each asset class?

Hours 0-24

• Patch SharePoint (CVE-2026-32201) on any on-prem instance. This is the most active exploitation right now.
• Patch Adobe Reader (CVE-2026-34621). Enterprise deployment via Adobe Update Server or SCCM/Intune.
• Block Acrobat Reader's child-process spawning at the EDR policy layer as a compensating control during rollout.

Hours 24-48

• Patch Windows TCP/IP (CVE-2026-33827) on all internet-facing Windows servers and domain controllers.
• Patch Microsoft Defender (CVE-2026-33825) on all endpoints.
• Apply FortiClient EMS hotfix, restrict management interface access.

Hours 48-72

• Patch remaining 164 Windows CVEs via normal Patch Tuesday deployment.
• Run compromise assessment on SharePoint environments for any indicators of the past week's exploitation.
• Review email and SharePoint audit logs for anomalous document uploads / workflow triggers during the exposure window (from first public disclosure to your patch completion).

#Compensating controls if you can't patch in 72 hours

Not everyone can patch every server within a week. Regulatory freeze windows, change control boards, production criticality all matter. If you're stuck, these are the compensating controls per CVE:

CVE-2026-32201 SharePoint: require SAML/authenticated access for every SharePoint request at the edge. Block anonymous traffic. Disable SharePoint guest sharing. Monitor SharePoint audit logs aggressively.

CVE-2026-33827 Windows TCP/IP: disable IPv6 on systems that don't need it (this is a significant operational lift. Test carefully). Disable IPsec transport mode where not required. Restrict inbound traffic with host-based firewall.

CVE-2026-34621 Adobe Reader: force all PDF handling through a browser-based renderer (Chrome, Edge). Block Acrobat Reader's ability to spawn child processes via EDR policy. Disable JavaScript in Acrobat settings.

CVE-2026-33825 Defender: monitor for privilege escalation activity via Sysmon + MDE. Given that this requires local code execution first, focus compensating controls on preventing the RCE predecessor (phishing, macro-enabled documents, drive-by downloads).

FortiClient EMS: restrict management interface to VPN-only access, rotate EMS admin credentials, enable strict 2FA on EMS management accounts.

#What this means for your incident response plan

The April Patch Tuesday is a great moment to test your patching velocity. A few questions every CISO and CTO should be answering this week:

1. Can you identify every Windows Server + SharePoint + Adobe Reader install in under one hour? If not, your asset inventory is broken.
2. Can you patch a critical on-prem SharePoint CVE in under 24 hours? If not, your change-management process needs an emergency-change lane.
3. Do you know which of your servers have IPv6 + IPsec enabled? Because if CVE-2026-33827 goes wormable, those are your crown jewels.
4. Is your EDR tuned to detect Acrobat Reader spawning child processes? Simple detection rule. Catches CVE-2026-34621 and similar PDF-based attacks.
5. When Microsoft publishes a Patch Tuesday with an actively-exploited flaw, how long from release to full enterprise deployment? 72 hours is the industry standard. Over a week is a red flag.

#What Valtik can help with

Valtik's vulnerability assessment + penetration testing engagements include a patch-velocity review: how quickly can your organization respond to an in-the-wild-exploitation advisory like this one? We measure against Patch Tuesday benchmarks, produce a gap analysis. And help design the emergency-change process that closes critical CVEs within 72 hours.

If your team is still running "patch when the quarterly maintenance window opens" on internet-facing infrastructure, you're operating on 2015 threat-model assumptions. The current threat model is: critical unauthenticated RCE disclosed Tuesday, weaponized exploit by Friday, ransomware deployment on Sunday. Your patching cadence has to match.

#Sources

1. Microsoft April 2026 Patch Tuesday Fixes 167 Flaws. BleepingComputer
2. The April 2026 Security Update Review. Zero Day Initiative
3. Microsoft Patch Tuesday April 2026. Tenable
4. Microsoft April Patch Tuesday. Security Affairs
5. Microsoft Patch Tuesday April 2026. Cybersecurity News
6. CISA Known Exploited Vulnerabilities Catalog
7. Microsoft April Windows Update. CyberInsider
8. Adobe Reader Zero Day CVE-2026-34621
9. Fortinet FortiClient EMS Zero-Day CVE-2026-35616. CyberScoop
10. Patch Tuesday April 2026 CVE Analysis. Zecurit