xiand.ai
Apr 17, 2026 · Updated 06:10 AM UTC
Cybersecurity

Microsoft patches 167 vulnerabilities including SharePoint zero-day and BlueHammer exploit

Microsoft released a massive wave of security updates this April to address 167 vulnerabilities, including an actively exploited SharePoint zero-day and a Windows Defender privilege escalation bug.

Ryan Torres


Microsoft released software updates on Tuesday to patch 167 security vulnerabilities across Windows operating systems and related software. The update includes fixes for a SharePoint Server zero-day and a Windows Defender weakness known as 'BlueHammer.'

Redmond is currently warning that attackers are targeting CVE-2026-32201, a SharePoint Server vulnerability that allows for the spoofing of trusted content over a network. According to Krebs on Security, the flaw is already being actively exploited.

Mike Walters, president and co-founder of Action1, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments. “This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases organizational risk.”

Ryan Braunstein, manager of Security and IT at Automox, noted that the patch also addresses a SQL Server remote code execution vulnerability, CVE-2026-33120. “One bug allows an attacker to get into your SQL instance from the network,” Braunstein said. “The other lets someone already inside promote themselves to full control.”

Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. BleepingComputer reported that a researcher published exploit code for the flaw after growing frustrated with Microsoft's response. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public BlueHammer exploit code no longer works after installing today’s patches.

New RDP protections

As part of the April 2026 cumulative updates for Windows 10 and 11, Microsoft introduced new protections against malicious Remote Desktop (.rdp) files. Admins often use these files to redirect local resources to remote hosts, but threat actors frequently abuse the same capability to steal data.

BleepingComputer reported that the Russian state-sponsored group APT29 has previously used rogue RDP files to steal credentials and data. When opened, these files can redirect local drives, capture clipboard data, or intercept authentication mechanisms like Windows Hello.

Microsoft stated, "Malicious actors misuse this capability by sending RDP files through phishing emails. When a victim opens the file, their device silently connects to a server controlled by the attacker and shares local resources, giving the attacker access to files, credentials, and more."

After the update, users opening an RDP file for the first time will see a one-time educational prompt. Future attempts to open these files will trigger a security dialog that lists all local resource redirections, with every option disabled by default. If a file is not digitally signed, Windows will display a 'Caution: Unknown remote connection' warning.
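A triage sketch for the redirection settings described above, added here as an example and not taken from Microsoft or from the article: it parses the text of an .rdp file and reports the target host, the redirections the file explicitly enables, and whether a signature entry is present. The property names are documented RDP file settings; the sample file and its host name are constructed.

```python
# Added example: report which local resources an .rdp file asks to redirect.
# Only settings explicitly present are reported; client defaults for absent
# settings are not modelled. Pass decoded text (.rdp files are often UTF-16).
INT_REDIRECTS = {  # integer settings: non-zero means enabled
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn",
    "audiocapturemode": "microphone",
}
STR_REDIRECTS = {  # string settings: any non-empty value selects devices
    "drivestoredirect": "drives",
    "devicestoredirect": "plug and play devices",
    "camerastoredirect": "cameras",
    "usbdevicestoredirect": "USB devices",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines into {lowercased name: value}."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def triage(text):
    """Return target host, enabled redirections and signature presence."""
    s = parse_rdp(text)
    redirects = [label for name, label in INT_REDIRECTS.items()
                 if s.get(name, "0") not in ("0", "")]
    redirects += [label for name, label in STR_REDIRECTS.items()
                  if s.get(name, "")]
    return {
        "host": s.get("full address", ""),
        "redirects": sorted(redirects),
        # Presence only: the signature and its certificate are not validated.
        "signed": bool(s.get("signature", "")),
    }

# Constructed sample, not a captured file.
SAMPLE = """full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
redirectwebauthn:i:1
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An unsigned file that enables drive, clipboard or WebAuthn redirection toward an unfamiliar host is the combination worth quarantining at a mail gateway or flagging for review.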
