Microsoft's April 2026 Patch Tuesday is the company's largest single-month patch release in recent memory, dropping fixes for 169 security vulnerabilities across its product portfolio. The update includes a patch for a SharePoint zero-day that has been actively exploited in the wild, 8 Critical-severity flaws, and a broad sweep of remote code execution vulnerabilities spanning Windows, Office, Azure, and developer tooling.
Zero-Day: SharePoint Remote Code Execution
The actively exploited vulnerability is a remote code execution flaw in Microsoft SharePoint Server, assigned a Critical severity rating. Threat actors have been leveraging the flaw in targeted attacks prior to the patch release.
Microsoft has not disclosed the specific CVE identifier in this summary, but confirmed the following:
- Attack vector: Network-accessible SharePoint sites (no authentication required in some configurations)
- Impact: Full remote code execution with SharePoint service account privileges
- Active exploitation: Confirmed, limited targeted attacks
- Affected versions: SharePoint Server 2016, 2019, and SharePoint in Microsoft 365 (hybrid configurations)
CISA has added the SharePoint zero-day to the Known Exploited Vulnerabilities catalog and requires federal agencies to apply the patch within 21 days.
Patch Summary by Severity
| Severity | Count | Notable Products |
|---|---|---|
| Critical | 8 | SharePoint, Windows Hyper-V, Remote Desktop Services, Azure |
| Important | 157 | Windows, Office, Edge, .NET, SQL Server, Exchange |
| Moderate | 3 | Microsoft Teams, Bing, OneDrive |
| Low | 1 | Windows Defender |
Critical Vulnerabilities Highlighted
Windows Hyper-V (Remote Code Execution)
A critical Hyper-V hypervisor flaw allows a malicious guest VM to escape the hypervisor and execute code on the host. This is particularly significant for cloud and virtualization environments.
Remote Desktop Services (RCE)
Two Critical RDS vulnerabilities allow unauthenticated code execution over RDP — attackers with network access to port 3389 can compromise systems without any user interaction or credentials.
Azure API Management (Privilege Escalation)
A Critical elevation of privilege flaw in Azure API Management enables an attacker with low-privilege API access to escalate to management-plane control, potentially accessing all APIs and backend integrations.
Microsoft Office (Multiple RCE)
Three Important-rated Office RCE vulnerabilities affect Word, Excel, and PowerPoint via malformed file parsing. These are expected to be weaponized in phishing campaigns as proof-of-concept code circulates.
Notable Important-Severity Issues
- Windows DNS Server RCE — exploitable via crafted DNS responses on internal networks
- SQL Server privilege escalation — allows db_reader to escalate to sysadmin in specific configurations
- Exchange Server spoofing — enables forging of internal email sender addresses, bypassing EOP checks
- Windows Kernel EoP — local privilege escalation via the NT kernel, useful in post-exploitation chains
- .NET deserialization RCE — affects applications using
BinaryFormatter(now flagged in security advisories)
Patch Prioritization Guidance
Given the volume of patches, security teams should prioritize in this order:
Deploy within 24 hours:
- SharePoint Server zero-day (actively exploited)
- Remote Desktop Services Critical RCE (wormable potential)
- Hyper-V guest escape (virtualization infrastructure)
Deploy within 7 days: 4. Azure API Management privilege escalation 5. Exchange Server spoofing fix 6. Windows DNS Server RCE
Deploy within 30 days: 7. Remaining Important-rated Office, Windows, and .NET patches
Windows Update & SharePoint Patching
For SharePoint administrators, note that the SharePoint patch is not delivered via Windows Update for on-premises installations. It must be manually downloaded from the Microsoft Update Catalog and applied via the SharePoint Products Configuration Wizard.
# SharePoint 2019: verify patch level after update
(Get-SPFarm).BuildVersion
# Should show 16.0.x.xxxx for April 2026 CUSharePoint Online (Microsoft 365) instances are patched automatically by Microsoft — no admin action required.
Context: Record Patch Volume
The 169-vulnerability count surpasses Microsoft's previous record of 149 (set in December 2024). Security researchers attribute the increase to:
- Expanded scope of Microsoft's bug bounty program
- Increased internal red-team investment via the Microsoft Security Response Center
- Broader AI-assisted code analysis surfacing latent vulnerabilities
- Integration of additional Azure and developer tool components into the Patch Tuesday scope
Regardless of the cause, the volume represents a significant operational burden for enterprise patch management teams. Organizations using automated patching tools (SCCM, Intune, WSUS) should verify deployment rings are configured for timely rollout given the critical nature of this month's release.