Microsoft today released a massive security update addressing 167 vulnerabilities across Windows and related software, including an actively exploited SharePoint Server zero-day and a publicly disclosed privilege escalation bug in Windows Defender. The update marks the second-largest Patch Tuesday in Microsoft's history, according to Tenable's Satnam Narang, and includes nearly 60 browser-related flaws. Users are urged to apply patches immediately and restart browsers after installation.
SharePoint Zero-Day Under Active Attack
Among the most critical fixes is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server that attackers are already exploiting in the wild. The flaw allows malicious actors to present falsified content within trusted SharePoint environments, enabling phishing and social engineering campaigns. Mike Walters, president of Action1, warned that the vulnerability "can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments." He added that "the presence of active exploitation significantly increases organizational risk."
Windows Defender 'BlueHammer' Bug Publicly Disclosed
Microsoft also patched CVE-2026-33825, known as BlueHammer, a privilege escalation vulnerability in Windows Defender. The flaw was publicly disclosed after the researcher grew frustrated with Microsoft's response, and exploit code was published online. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public exploit code no longer works after installing today's patches. However, organizations that have not yet updated remain exposed.
Emergency Adobe Reader Patch and Chrome Zero-Day
In addition to Microsoft's updates, Adobe issued an emergency fix on April 11 for CVE-2026-34621, a critical remote code execution flaw in Adobe Reader that has been actively exploited since at least November 2025. Google Chrome also patched its fourth zero-day of 2026, though details remain limited. Satnam Narang of Tenable emphasized that the Adobe flaw underscores the persistent threat of legacy document formats. "Attackers are increasingly targeting these platforms because they remain widely used," he said.
Background
April's Patch Tuesday total of 167 vulnerabilities is the second largest ever, according to Tenable. The count includes nearly 60 browser-related flaws, largely in Microsoft Edge and the underlying Chromium engine. Adam Barnett of Rapid7 called it "a new record in that category" and noted that the spike may coincide with the announcement of Anthropic's Project Glasswing, an AI tool reportedly adept at finding software bugs. While he cautioned against direct causation, Barnett stated, "A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities." He added, "We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further."
What This Means
For IT teams, the sheer volume of patches demands immediate prioritization. The actively exploited SharePoint flaw should be addressed first, followed by the Windows Defender bug and Adobe Reader update. Regardless of browser used, completely close and restart the browser after applying updates to activate fixes. Satnam Narang advised that organizations should assume compromise if they have not patched the SharePoint zero-day: "Given active exploitation, every unpatched system is a potential entry point for attackers." The trend of AI-assisted vulnerability discovery means patch volumes will likely continue climbing. Security teams must invest in automation and prioritize patches based on exploitation status and business risk.
This is a breaking news story. More details will be added as they become available.