Microsoft released a massive wave of security updates on Tuesday, patching 167 vulnerabilities across its software ecosystem. The update includes two zero-day flaws that were already being targeted by attackers or had been publicly disclosed.
According to BleepingComputer, the April 2026 Patch Tuesday addresses eight critical vulnerabilities. Seven of these flaws allow for remote code execution, while one enables a denial of service attack.
The breakdown of the 167 flaws includes 93 elevation of privilege vulnerabilities, 21 information disclosure bugs, 20 remote code execution vulnerabilities, and 13 security feature bypasses. The company also patched 10 denial of service vulnerabilities and 9 spoofing flaws.
SharePoint and Office under threat
One of the most pressing issues involves a zero-day vulnerability in Microsoft SharePoint Server, identified as CVE-2026-32201. This flaw is currently being actively exploited in the wild.
"Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network," Microsoft stated in its advisory. The company noted that an attacker could view sensitive information or change disclosed data, though they could not limit resource availability.
Microsoft has not yet revealed the identity of the attackers or the specific methods used in these exploits.
Another zero-day, CVE-2026-33825, involves a privilege elevation flaw in Microsoft Defender. This vulnerability allows an attacker to gain SYSTEM privileges. Microsoft has released an update for the Microsoft Defender Antimalware Platform, version 4.18.26050.3011, to resolve this issue.
Security researchers Zen Dodd and Yuanpei Xu of HUST discovered the Defender flaw via the Diffract tool. Users can manually trigger the fix through the Windows Security interface under protection updates.
Beyond SharePoint and Defender, the update patches several remote code execution bugs in Microsoft Office, specifically affecting Word and Excel. These flaws can be triggered through the preview pane or by opening malicious attachments. BleepingComputer advises users to prioritize these Office updates immediately.
Other major tech vendors also released security patches this month. Adobe updated several of its creative suite applications, including Acrobat and Photoshop, to fix an actively exploited zero-day in Reader. Meanwhile, Apache addressed a remote code execution vulnerability in ActiveMQ Classic that had remained undetected for 13 years.