April Patch Tuesday: Microsoft Fixes Two Zero-Days—One Under Active Attack (SharePoint Spoofing, Defender EoP)

If your collaboration hub could be tricked into trusting the untrustworthy—and your antivirus could be used as a ladder to SYSTEM—how fast would you patch? That’s the real-world urgency behind Microsoft’s April 2026 Patch Tuesday, which shipped fixes for 167 vulnerabilities, including two zero-days. One is already being exploited in the wild. The other is publicly disclosed, meaning attackers can study and weaponize the details faster than usual. In enterprise networks where SharePoint and Microsoft Defender are foundational, the risk isn’t theoretical—it’s operational.

In this post, we’ll break down what changed, why these two zero-days matter, what an attack chain could look like in practice, and how to move from “informed” to “remediated” with a step-by-step plan you can execute today.

For deeper background, see the original coverage from Malwarebytes: April Patch Tuesday fixes two zero-days, including one under active attack.

What’s new in April 2026 Patch Tuesday

167 total vulnerabilities received fixes across the Microsoft ecosystem.
Two zero-days were addressed:
One is under active exploitation (Microsoft has confirmed in-the-wild abuse).
One is publicly disclosed (details are out, increasing the likelihood of rapid exploitation).

Microsoft defines a zero-day as a vulnerability exploited or disclosed before an official patch exists—making these top-priority issues for every security and IT team. See Microsoft’s Security Update Guide for monthly details: MSRC Security Update Guide.

The two zero-days at a glance

CVE-2026-32201 (CVSS 6.5): Improper input validation in Microsoft Office SharePoint enables network-based spoofing without authentication or user interaction. This can allow attackers to bypass certain controls, stage convincing phishing, and potentially set up lateral movement.
CVE-2026-33825 (CVSS 7.8): Elevation of privilege in the Microsoft Defender anti-malware platform. A local, low-privileged user can escalate to SYSTEM. The vulnerability is publicly disclosed, increasing the odds attackers will attempt to reproduce it. With SYSTEM access, an adversary can disable defenses, persist, harvest credentials, and pivot.

Note: Microsoft indicated that one of these zero-days is being actively exploited and the other is publicly disclosed; the Defender flaw (CVE-2026-33825) is the publicly disclosed one. Treat both as urgent.

Zero-day #1: SharePoint spoofing (CVE-2026-32201)

SharePoint remains the backbone of collaboration for many enterprises. CVE-2026-32201 is an improper input validation issue that enables spoofing at the network level, and crucially, it can be triggered by unauthenticated attackers with no user interaction.

Why this matters

Unauthenticated: Attackers don’t need valid credentials to begin.
No user clicks: Reduces the friction attackers typically face.
Spoofing: Once a system can be spoofed, initial guards may be bypassed, enabling the attacker to build a more believable foothold (e.g., forged pages, tricked services, manipulated links).
Enterprise crown jewels: SharePoint often hosts sensitive files and serves as a launchpad for workflows. Breach pathways from SharePoint can lead to broad exposure.

Potential attack outcomes

Security control bypass: If trust or identity assumptions can be spoofed, other defenses may be weakened.
Phishing or lure staging: Host convincing content or links inside your SharePoint environment to harvest credentials.
Lateral movement: Abuse trust boundaries to explore internal systems or target privileged apps and services.
Data exposure: Sensitive document libraries, lists, and internal app data become attractive targets.

Who is most at risk?

Organizations running SharePoint Server (on-premises) that have not yet applied April’s patches.
Hybrid environments with legacy configurations or exposed endpoints.
Tenants with broad external sharing, weak authentication policies, or less segmentation around collaboration services.

Important nuance: SharePoint Online is serviced by Microsoft; on-premises farms require your action. Even if you’re cloud-first, monitor for spoofing attempts and anomalies in access patterns.

Zero-day #2: Microsoft Defender elevation of privilege (CVE-2026-33825)

Security tools make prime targets because controlling the defender often means controlling the battlefield. CVE-2026-33825 allows a local attacker with minimal privileges to escalate to SYSTEM on Windows devices by abusing the Microsoft Defender anti-malware platform. It’s publicly disclosed, which raises the likelihood that proof-of-concept code, tutorials, or copycat exploits emerge quickly.

Why this matters

SYSTEM-level control: Full control over the host, including the ability to disable or tamper with security products.
Defense evasion: Attackers can suppress alerts, stop services, or alter configurations.
Persistence and credential theft: SYSTEM access enables installation of rootkits, credential dumping from LSASS, and stealthy lateral movement.
Rapid weaponization: Public disclosure means more eyes, faster exploit development.

Realistic attacker steps if exploited

Gain local code execution with a low-privilege context (phishing, macro abuse, vulnerable driver, or unpatched app).
Trigger the Defender EoP to escalate to SYSTEM.
Disable or hinder protections (tamper with Defender, EDR, firewall).
Dump credentials, move laterally, deploy ransomware or data exfiltration tooling.

Why these two zero-days are especially dangerous together

Individually, each zero-day is serious. Together, they describe a plausible attack chain:

Initial access via SharePoint spoofing to stage a convincing lure or pivot into internal resources.
Local code execution on a targeted workstation or server.
Privilege escalation via the Defender EoP to SYSTEM.
Disable defenses, harvest credentials, move laterally to domain controllers, databases, or critical line-of-business apps.

This chain blends social engineering, identity subversion, and endpoint compromise in a way that many traditional defenses struggle to fully block—especially if patching is lagging.

What to do now: a prioritized action plan

Speed matters. Aim to remediate these zero-days within 24–72 hours, and prioritize internet-facing systems, high-value assets, and endpoints with elevated business impact.

1) Patch immediately

Apply April 2026 Patch Tuesday updates across Windows clients and servers.
Patch SharePoint Server installations. Plan maintenance windows, ensure farm backups, and run configuration wizards post-update.
Ensure Microsoft Defender’s antimalware platform is up to date.

Helpful resources: – Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/ – Update SharePoint Servers: https://learn.microsoft.com/sharepoint/upgrade-and-update/update-sharepoint-servers – Microsoft Defender updates overview: https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates?view=o365-worldwide

2) Confirm patch coverage and Defender health

Use your patch management system (Intune, WSUS, ConfigMgr) to validate compliance.
Verify Defender’s antimalware client/platform version and signatures.

Quick checks on Windows: – PowerShell: Get-MpComputerStatus | Select AMProductVersion, AntivirusSignatureVersion, NISEngineVersion – Service status: Get-Service WinDefend

For broader background on Defender PowerShell, see: Get-MpComputerStatus

3) Harden SharePoint while you patch

Enforce MFA and conditional access for all SharePoint access (especially admins and external users).
Limit external sharing; prefer organization-only sharing by default.
Review and minimize high-privilege app permissions in SharePoint and Azure AD.
Segment SharePoint servers from critical infrastructure; restrict lateral movement paths.
Monitor SharePoint ULS logs and admin audit logs for anomalous access or configuration changes.

If you’re on SharePoint Online, Microsoft patches the service, but you should still: – Monitor for unusual file sharing, anonymous/guest link creation, and sudden permission changes. – Review recent activity in Microsoft 365 security portals and audit logs.

4) Fortify Defender and endpoint controls

Ensure Tamper Protection is enabled tenant-wide in Microsoft Defender for Endpoint to block unauthorized changes to security settings:
Prevent changes with Tamper Protection
Enforce attack surface reduction rules, controlled folder access, and application control where possible.
Validate EDR is in block mode and that sensor telemetry is flowing to your SIEM/SOAR.

5) Turn on heightened monitoring

Focus on early signs of spoofing and defense evasion: – SharePoint indicators: – Unexpected spikes in failed logins or anonymous access attempts. – New or altered site collections or permission groups created outside change windows. – Unusual app registrations or OAuth consent grants tied to SharePoint-integrated apps. – Defender and endpoint indicators: – Attempts to disable AV/EDR, firewall, or security services. – Creation of suspicious scheduled tasks, services, or driver loads following patch deployment. – Unusual use of Defender’s command-line utilities (e.g., MpCmdRun.exe) by non-admin processes.

Consider temporarily increasing alert sensitivity and enabling additional audit logging while these zero-days are hot.

6) Validate backups and isolation procedures

Confirm you have recent, tested backups of SharePoint content databases and critical endpoints/servers.
Rehearse rapid isolation steps for compromised endpoints and SharePoint servers.
Ensure your incident response runbooks include specific steps for Defender tampering and SharePoint abuse.

7) Communicate and train

Inform executives and business owners about the zero-days and your remediation timeline.
Remind employees to report suspicious SharePoint prompts, unexpected file-sharing requests, or consent prompts.
Reinforce the “pause and verify” rule on internal links that request credentials or permissions.

How to verify patches and updates are truly applied

A “patched” status in a dashboard isn’t the end of the story—spot check on the ground.

Windows and Defender validation

Windows Update history: Settings > Windows Update > Update history
Defender Health:
Open Windows Security > Virus & threat protection > Security intelligence updates.
PowerShell: Get-MpComputerStatus | Select AMProductVersion, AntispywareSignatureVersion, AntivirusSignatureVersion
Confirm Tamper Protection is On in Windows Security (and via policy for enterprises).

SharePoint Server validation

After installing updates, run the SharePoint Products Configuration Wizard (or psconfig) on each server:
psconfig.exe -cmd upgrade -inplace b2b -wait -force
Confirm farm build version:
Use SharePoint Management Shell: (Get-SPFarm).BuildVersion
In Central Administration, check “Check product and patch installation status” to confirm all servers are at the expected build and no components are missing.

Fleet-wide compliance

Intune/ConfigMgr/WSUS: Ensure compliance reports reflect all required KBs installed.
Sample approach:
Create dynamic device groups for high-risk systems (e.g., servers with SharePoint roles, internet-facing servers).
Apply expedited quality updates where supported.
Reboot scheduling: Ensure mandated reboots actually occur; many mitigations are only active after reboot.

Threat detection ideas while the dust settles

You don’t need to wait for an alert to start hunting. While specifics vary per environment, consider the following broad hunting themes:

Defender tampering or service disruption:
Monitor Windows event logs for real-time protection disabled events and service state changes for WinDefend.
Look for repeated attempts to modify registry keys or policies tied to Defender configuration.
Suspicious use of Defender tooling:
Unusual execution of MpCmdRun.exe from non-admin processes or at odd hours.
SharePoint anomalies:
Surges in access from atypical IP ranges or geographies.
New anonymous links or guest sharing events outside business norms.
Unexpected app consent grants to high-permission APIs.

Also keep an eye on lists like CISA’s Known Exploited Vulnerabilities (KEV) Catalog to see if these CVEs are added, which can influence SLAs and compliance requirements:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Risk mitigations beyond patching

Patching is table stakes—but layered defense reduces blast radius if something slips through.

Least privilege and JIT access:
Remove local admin wherever feasible.
Use just-in-time (JIT) elevation for admin tasks with time-bound approvals.
Network segmentation:
Isolate SharePoint servers and backends (SQL) from broader network access.
Limit lateral movement via ACLs and firewalls; restrict SMB and RDP exposure.
Identity security:
Enforce MFA universally.
Use conditional access with risk-based policies.
Monitor for impossible travel and unusual OAuth consent.
Application control:
Enable Windows Defender Application Control (WDAC) or AppLocker in audit/block for high-value assets.
Data protection:
Tag and protect sensitive content in SharePoint with information protection labels where appropriate.
Limit external sharing by default; require business justification for exceptions.
Behavioral analytics:
Baseline normal SharePoint and Defender behavior; alert on deviations.
Use UEBA capabilities in your SIEM/Defender for Endpoint to spot insider threats or compromised identities.

Communicating risk and timelines to stakeholders

Translate “two zero-days patched” into business impact and timelines: – Impact: Risk of credential theft, data exposure, downtime, and compliance penalties. – Urgency: One zero-day is actively exploited, and the other is publicly disclosed; attackers may weaponize quickly. – Timeline: Patch priority assets within 24–48 hours; full estate within 7 days. Validate coverage with spot checks. – Residual risk: Even patched, monitor for attempts; raise alerting thresholds for the next 2–4 weeks.

Provide leaders with a one-page memo that includes: – What changed (high-level summary) – Systems affected (SharePoint, Windows endpoints/servers with Defender) – Actions taken (patching, monitoring, mitigations) – Remaining work (stragglers, third-party dependencies) – Business impact if delayed (quantified where possible)

FAQs

Q1: What is Patch Tuesday and why does it matter?
A: Patch Tuesday is Microsoft’s monthly release of security updates, typically on the second Tuesday of each month. It matters because attackers rapidly reverse-engineer these patches to create exploits. Applying updates quickly closes widely known holes before they’re abused at scale. See the Microsoft guide: https://msrc.microsoft.com/update-guide/

Q2: What exactly is a zero-day?
A: A zero-day is a vulnerability that’s exploited or disclosed before a patch is available. That “zero” represents zero days of lead time for defenders. They’re prioritized because exploitation can escalate quickly across the internet and enterprise networks.

Q3: Which zero-day is publicly disclosed?
A: The elevation of privilege in Microsoft Defender’s anti-malware platform, CVE-2026-33825 (CVSS 7.8), is publicly disclosed. Public disclosure increases the chance of rapid exploit development. Treat this as a high-priority patch for all Windows endpoints and servers running Defender.

Q4: Are SharePoint Online customers affected by CVE-2026-32201?
A: Microsoft services like SharePoint Online are patched by Microsoft. While that reduces your operational burden, you should still monitor for spoofing attempts, unusual access patterns, and external sharing anomalies. If you run SharePoint Server (on-premises), you must patch your farm(s) and run configuration steps.

Q5: How can I confirm Microsoft Defender is fully updated?
A: On any endpoint, run PowerShell:
– Get-MpComputerStatus | Select AMProductVersion, AntivirusSignatureVersion
Ensure Tamper Protection is enabled, and verify that the antimalware platform and signatures are current. Review policy and compliance in Microsoft 365 Defender portals.

Q6: We can’t patch everything in 24 hours—what’s the best triage approach?
A: Prioritize: – Internet-facing systems and high-value assets. – SharePoint servers and content databases. – Tier-0/1 infrastructure (AD, identity providers, management servers). – High-risk user groups (admins, finance, execs).
Apply compensating controls (MFA enforcement, increased logging, EDR block mode) while you roll out patches in waves.

Q7: What does the CVSS score tell me here?
A: CVSS offers a standardized way to gauge severity, but it doesn’t reflect your environment’s unique exposure. CVE-2026-33825 (7.8) is severe due to privilege escalation to SYSTEM. CVE-2026-32201 (6.5) is notable for unauthenticated spoofing, which can be highly dangerous in the right chain. Use CVSS as a baseline and add context from your architecture. Learn more at: https://www.first.org/cvss/

Q8: Will EDR/AV stop these attacks automatically?
A: Modern EDR helps, but zero-days often bypass or reduce the effectiveness of preventative layers—especially when the EDR/AV platform itself is targeted. Defense-in-depth is essential: patch fast, harden configurations, monitor aggressively, and prepare to respond.

Q9: What should incident response focus on if exploitation is suspected?
A: Move fast on containment: – Isolate affected endpoints/servers. – Preserve volatile evidence (memory, event logs). – Look for signs of defense tampering and credential theft. – Sweep for lateral movement and persistence mechanisms. – Reset credentials (especially for privileged accounts) and rotate secrets where necessary.

The bottom line

April’s Patch Tuesday underscores a hard truth: attackers keep targeting the tools we trust most—our collaboration platforms and our defenses. With 167 vulnerabilities fixed and two zero-days in the mix (one under active attack and one publicly disclosed), speed is non-negotiable. Patch SharePoint and Windows endpoints now, verify Microsoft Defender’s platform is current, enable Tamper Protection, and turn up monitoring for anomalies around SharePoint access and Defender tampering.

The clear takeaway: zero-day risk compounds when defenders delay. Act within 24–72 hours, validate coverage, and keep watch. A disciplined, proactive vulnerability management program—paired with identity safeguards, segmentation, and behavioral analytics—will put you on the right side of the next headline.

Discover more at InnoVirtuoso.com

I would love some feedback on my writing so if you have any, please don’t hesitate to leave a comment around here or in any platforms that is convenient for you.

For more on tech and other topics, explore InnoVirtuoso.com anytime. Subscribe to my newsletter and join our growing community—we’ll create something magical together. I promise, it’ll never be boring!

Stay updated with the latest news—subscribe to our newsletter today!

Thank you all—wishing you an amazing day ahead!

April Patch Tuesday: Microsoft Fixes Two Zero-Days—One Under Active Attack (SharePoint Spoofing, Defender EoP)