April Patch Tuesday brings zero-days in Defender, SharePoint Server
Microsoft's latest Patch Tuesday update may be one of the largest in history, with over 160 issues in scope.
The latest monthly Patch Tuesday update from Microsoft landed earlier on 14 April, including two notable zero-day flaws amid a total of over 160 distinct issues, and almost 250 accounting for third-party and Chromium releases.
Described as “monstrous” in its scope by Dustin Childs of TrendAI’s (formerly Trend Micro’s) Zero Day Initiative, this may be among the largest Patch Tuesday updates in history. Childs suggested that, based on his own experience, this may be the result of a growing number of submissions uncovered by artificial intelligence (AI) tools.
Jack Bicer, vulnerability research director at Action1, said: “The elevated number of patches, combined with the presence of zero-days and multiple critical issues, makes this a release that should be prioritised for immediate attention.”
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server, which is known to have been exploited in the wild but has not yet been made public. The root cause of the issue is reportedly an input validation failure that lets an attacker inject malicious scripts through improperly sanitised input fields.
Although the first of these carries a comparatively low Common Vulnerability Scoring System (CVSS) score of 6.5, Mat Lee, senior security engineer at Automox, said this understated the risk to users because it needs no authentication or special privileges.
“External threats can target internet-facing SharePoint instances directly. On-premises SharePoint servers exposed to the internet carry the highest risk. SharePoint often connects to back-end storage, directory services, and internal collaboration tools. A successful XSS exploit gives attackers a path deeper into your environment,” said Lee.
In one potential attack scenario, malicious JavaScript could be made to execute in the browser of a user visiting a compromised SharePoint page, which could enable the attacker to steal session cookies or authentication tokens to take over their accounts. Meanwhile, the XSS foothold opens up the possibility of phishing redirects or even malicious payloads, such as ransomware, making CVE-2026-32201 useful in a broader campaign.
Lee said security teams should be alert to unexpected script execution or iframe injection on externally accessible SharePoint pages, session token reuse or unexpected authentication events from unknown IP addresses, and users complaining of unexpected redirects or login prompts when visiting SharePoint pages.
Beyond patching immediately, security teams should audit their SharePoint exposure, prioritising on-prem instances reachable from the public internet, review content security policy (CSP) headers on SharePoint instances, and monitor authentication logs for strange behaviour.
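Two of the checks suggested above, session token reuse across client IPs and weak CSP script-src settings, can be turned into a small script. The following is an added example written for this page; it is not code from the article, from Automox or from Microsoft. The log line format and the sample header values are constructed for illustration, and a real deployment would feed it the organisation's own authentication logs and the headers returned by its SharePoint front ends.

```python
"""Defender-side checks for the SharePoint XSS guidance above (example code,
not from the article): flag session tokens presented from more than one
client IP, and review a Content-Security-Policy header for weak script-src
settings. The log format below is constructed, not real SharePoint output."""
import re
from collections import defaultdict

# Constructed sample authentication log. tok-1111 is seen from two IPs,
# which is the "session token reuse" signal the article describes.
SAMPLE_AUTH_LOG = """\
2026-04-14T09:00:01Z user=alice token=tok-1111 ip=10.0.0.5 event=login
2026-04-14T09:02:10Z user=alice token=tok-1111 ip=10.0.0.5 event=page_view
2026-04-14T09:05:44Z user=alice token=tok-1111 ip=203.0.113.77 event=page_view
2026-04-14T09:06:00Z user=bob token=tok-2222 ip=10.0.0.9 event=login
2026-04-14T09:07:30Z user=bob token=tok-2222 ip=10.0.0.9 event=page_view
"""

# Matches the constructed key=value log format used in SAMPLE_AUTH_LOG.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) token=(?P<token>\S+) "
    r"ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)


def find_token_reuse(log_text):
    """Return {token: sorted IPs} for every token presented from more than one IP."""
    ips_by_token = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines that do not match the constructed format are skipped
        ips_by_token[m["token"]].add(m["ip"])
    return {tok: sorted(ips) for tok, ips in ips_by_token.items() if len(ips) > 1}


def parse_csp(header_value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header_value):
    """List weaknesses in the effective script-src (falls back to default-src)."""
    if not header_value:
        return ["no Content-Security-Policy header present"]
    policy = parse_csp(header_value)
    # Per the CSP spec, script-src falls back to default-src when absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["neither script-src nor default-src is set"]
    lowered = [s.lower() for s in sources]
    findings = []
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present,
    # so only report it when there is no such source to neutralise it.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "*" in lowered:
        findings.append("script-src allows any origin (*)")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src allows 'unsafe-eval'")
    return findings


if __name__ == "__main__":
    for tok, ips in find_token_reuse(SAMPLE_AUTH_LOG).items():
        print(f"token {tok} presented from multiple IPs: {', '.join(ips)}")
    for finding in csp_findings("default-src 'self'; script-src 'self' 'unsafe-inline'"):
        print("CSP finding:", finding)
```

Token reuse across IPs is a noisy signal on its own (mobile users and VPNs change addresses), so in practice it is combined with the other indicators the article lists, such as unexpected redirects or login prompts reported by users.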
The second zero-day, CVE-2026-33825, is an elevation of privilege (EoP) flaw in Microsoft Defender – this has been made public, but is not yet thought to have been exploited.
Action1’s Bicer explained that this flaw stems from “insufficient granularity” in access control, turning what should be limited access into total control. “What starts as a foothold can quickly become full system domination,” he said.
Bicer continued: “The flaw allows a local attacker with low privileges to exploit improper permission enforcement mechanisms. By leveraging this weakness, the attacker can execute code or actions with elevated privileges, ultimately achieving SYSTEM-level access. This type of vulnerability is particularly dangerous because it can be chained with other exploits to expand initial access into full system compromise.”
As such, he explained, CVE-2026-33825 is an increased risk in any environment in which an attacker has already established themselves. Successfully exploited, it can allow attackers to take full control of an organisation’s endpoints, enabling them to steal data, turn off security tools, and hop across networks to juicier targets.
“Even environments with strong perimeter defenses are at risk if internal systems are compromised,” said Bicer.
“Proof-of-concept [PoC] exploit code is available, and the vulnerability has been publicly disclosed. While no active exploitation has been confirmed, the presence of PoC code increases the likelihood of real-world attacks.”
Chromium bug
The April 2026 drop also incorporated a third zero-day flaw, CVE-2026-5281, a remote code execution (RCE) issue affecting Chromium browsers arising from a use-after-free condition in Google Dawn WebGPU. This was previously disclosed and added to the Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue earlier in April.
Action1 field CTO Gene Moody said that browser-based vulnerabilities are one of the most asymmetric, and dangerous, risk categories around.
“They turn every user into a roaming ingress point, effectively extending the attack surface to anywhere an employee clicks. When a critical browser flaw is disclosed, the risk calculus is fundamentally different,” said Moody.
“This is not a service sitting quietly on the edge waiting to be discovered, it is an actively used execution environment parsing untrusted content all day. Delaying patching in this context is equivalent to knowingly allowing users to operate in a hostile environment with degraded defences.
“Threat actors prioritise initial access above all else. Browser exploits are uniquely effective because they collapse the distance between attacker and target,” he added.
Finally, the April Patch Tuesday update includes eight flaws rated as critical in their severity. These are, in numerical order:
- CVE-2026-23666, a denial of service (DoS) issue in the .NET framework;
- CVE-2026-32157, an RCE issue in Remote Desktop Client;
- CVE-2026-32190, an RCE issue in Microsoft Office;
- CVE-2026-33114, an RCE issue in Microsoft Word;
- CVE-2026-33115, an RCE issue in Microsoft Word;
- CVE-2026-33824, an RCE issue in Windows Internet Key Exchange (IKE) Service Extensions;
- CVE-2026-33826, an RCE issue in Windows Active Directory (AD);
- And CVE-2026-33827, an RCE issue in Windows TCP/IP.