April Patch Tuesday Commentary From Fortra
By Tyler Reguly, Associate Director, Security R&D, Fortra
With 165 Microsoft CVEs and another 82 non-Microsoft CVEs combining for a total of 247 CVEs, I can’t help but wonder who angered Microsoft this month. Here’s hoping that admins everywhere are well hydrated with snacks available because I feel like this mess will take a few days to fully detangle.
There are two vulnerabilities that Microsoft has called out as either exploited or disclosed. The first, CVE-2026-32201, is a spoofing vulnerability in Microsoft SharePoint that is seeing active exploitation. SharePoint can definitely be one of the harder systems to patch and maintain, so admins are going to want to pay close attention to this one. The second is CVE-2026-33825, an elevation of privilege vulnerability in Microsoft Defender, which Microsoft has listed as publicly disclosed. This appears to be the BlueHammer vulnerability that everyone was talking about, which Fortra has written about in detail.
Two things caught my attention this month.
The first is that there are 19 vulnerabilities listed as Exploitation More Likely. In the first quarter of the year, we saw 20 vulnerabilities listed as Exploitation More Likely and now, in a single month, we’re seeing only one less than that total. That is something to pay attention to, especially given the nature of the services affected.
The second is a pair of TCP/IP vulnerabilities. It is rare that you see a truly remote TCP/IP vulnerability these days, and that’s exactly what CVE-2026-33827 is… unauthorized, network-based code execution against IPv6. The attack complexity is listed as high because the vulnerability is based on a race condition as well as “additional actions”, as Microsoft calls them, but it is still impressive to see these vulnerabilities identified in 2026.
Based on the acknowledgements, the team that found the TCP/IP vulnerability, the WARP & MORSE team at Microsoft, also found this month’s only CVSS 9.8 vulnerability. Microsoft has labeled it as Exploitation Less Likely, but it is the infamous network remote code execution vulnerability. In this case, Internet Key Exchange (IKE) v2 is impacted and a remote attacker could trigger remote code execution. Importantly here, we’re not talking about the fake remote code execution that Microsoft uses for Office documents and similar; we’re talking about legitimate, over-the-network remote code execution.
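The commentary above effectively describes a triage order for a large drop: exploited first, publicly disclosed next, then Exploitation More Likely, then genuinely network-reachable RCE by score, with local "RCE" (Office-style) weighted lower. The script below is an added example, not Fortra's or Microsoft's code; the Advisory fields, the ranking heuristic and every sample row (IDs, scores, exploitability text) are constructed placeholders, not this month's advisory data.

```python
# Added example: order a Patch Tuesday drop by the priorities the commentary
# describes. Field names and all sample values are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: float
    impact: str                 # "RCE", "EoP", "Spoofing", ...
    exploitability: str         # MSRC Exploitability Index wording
    exploited: bool = False     # flagged "Exploitation Detected"
    disclosed: bool = False     # flagged "Publicly Disclosed"
    attack_vector: str = "N"    # CVSS AV: N(etwork), A(djacent), L(ocal), P(hysical)


def is_network_rce(adv: Advisory) -> bool:
    """True only for RCE reachable over the network, not document-triggered RCE."""
    return adv.impact == "RCE" and adv.attack_vector == "N"


def triage_key(adv: Advisory) -> tuple:
    """Higher tuple sorts earlier: exploited > disclosed > EML > network RCE > CVSS."""
    return (adv.exploited, adv.disclosed,
            adv.exploitability == "Exploitation More Likely",
            is_network_rce(adv), adv.cvss)


def triage(advisories):
    return sorted(advisories, key=triage_key, reverse=True)


def summarize(advisories) -> dict:
    return {
        "total": len(advisories),
        "exploited": sum(a.exploited for a in advisories),
        "disclosed": sum(a.disclosed for a in advisories),
        "more_likely": sum(a.exploitability == "Exploitation More Likely" for a in advisories),
        "network_rce": sum(is_network_rce(a) for a in advisories),
    }


# Constructed sample rows; placeholder IDs and scores, not real advisory values.
SAMPLE = [
    Advisory("CVE-2026-PLACEHOLDER-1", "SharePoint", 6.5, "Spoofing", "Exploitation Detected", exploited=True),
    Advisory("CVE-2026-PLACEHOLDER-2", "Defender", 7.8, "EoP", "Exploitation More Likely", disclosed=True, attack_vector="L"),
    Advisory("CVE-2026-PLACEHOLDER-3", "Windows TCP/IP (IPv6)", 8.1, "RCE", "Exploitation More Likely"),
    Advisory("CVE-2026-PLACEHOLDER-4", "Windows IKEv2", 9.8, "RCE", "Exploitation Less Likely"),
    Advisory("CVE-2026-PLACEHOLDER-5", "Office", 7.8, "RCE", "Exploitation Less Likely", attack_vector="L"),
    Advisory("CVE-2026-PLACEHOLDER-6", "SQL Server", 8.8, "EoP", "Exploitation Less Likely"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(f"{a.cve:24} {a.product:22} CVSS {a.cvss:<4} {a.impact:9} {a.exploitability}")
```

Note that the local-vector Office "RCE" lands below the network EoP in SQL Server under this key, which is the distinction the commentary draws; swap the tuple order if your environment weighs things differently.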
For CISOs this month, I’d be more worried about the sheer quantity of items that admins are having to review. There are a lot of CVEs and a lot of one-offs that we don’t normally see. While Windows Update and automatic updates for some applications will take care of a lot of the heavy lifting here, there’s still testing that is required before deploying updates this large. Additionally, with the likes of .NET, SharePoint, and SQL Server, there’s always the potential for difficult patches and/or version incompatibility that may crop up during testing.
Patience is going to be a keyword this month, followed very quickly by resourcing. Massive patch drops like this and the conversation around next-gen LLMs mean that we need to be aware of the pressure on our teams and the amount of work they are expected to complete. If you still see your security teams as a cost centre, it is time to start rethinking that and looking at the value they bring to protecting your data and your systems. Large patch drops mean that you really need to review your teams to ensure they are adequately resourced.
This entry was posted on April 14, 2026 at 3:27 pm and is filed under Commentary with tags Fortra. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.