Microsoft Just Dropped 168 Patches Including an Actively Exploited SharePoint Zero-Day

Microsoft’s April 2026 Patch Tuesday is one of the largest in years: 168 vulnerabilities patched, 8 rated critical, and one actively exploited SharePoint zero-day that CISA has already added to its Known Exploited Vulnerabilities catalog. If your business runs SharePoint, Microsoft 365, or on-premises Windows servers, this patch cycle demands immediate attention.

The actively exploited vulnerability, CVE-2026-32201, is a SharePoint spoofing flaw that attackers are using right now. CISA set a federal remediation deadline of April 28, 2026, which signals how seriously the government is taking this one. Seven of the eight critical flaws are remote code execution vulnerabilities affecting Office, Active Directory, and Remote Desktop, meaning an attacker who exploits them can run arbitrary code on your systems without physical access.

CVE-2026-32201: The SharePoint Zero-Day

CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server. Attackers can exploit it to impersonate legitimate users or services, gaining unauthorized access to SharePoint resources and the sensitive documents stored there. Fortinet and several threat intelligence firms have confirmed active exploitation in the wild.

SharePoint is a particularly high-value target for SMBs because it often serves as a central document repository, intranet, and collaboration platform. A compromised SharePoint instance can expose contracts, financial records, HR documents, intellectual property, and client data all at once.

If your organization uses SharePoint Server (on-premises), confirm that the April cumulative update has been applied. SharePoint Online customers in Microsoft 365 receive updates automatically, but on-prem deployments require manual intervention or a managed patching program. Don’t assume your cloud subscription covers your on-premises servers.

What Else Is in the April Patch Cycle

Beyond the SharePoint zero-day, the scale of this month’s release is significant. Here is a breakdown of the 168 patches by impact:

• 8 Critical vulnerabilities, 7 of which are remote code execution flaws affecting Microsoft Office (Word, Excel, PowerPoint), Active Directory Certificate Services, Windows TCP/IP, and Remote Desktop Gateway
• 93 Elevation of Privilege vulnerabilities, which allow attackers who already have a foothold to escalate to administrator-level access
• Dozens of information disclosure, denial of service, and spoofing flaws across Windows Defender, Hyper-V, and networking components

The Office vulnerabilities are particularly concerning for SMBs. Remote code execution in Word, Excel, and PowerPoint means a malicious document sent via email can compromise a workstation the moment someone opens it. Combined with the 93 elevation-of-privilege flaws, an attacker who lands on a single endpoint through a poisoned attachment can potentially escalate to domain administrator.

Active Directory Certificate Services (AD CS) vulnerabilities are also worth flagging. AD CS is the infrastructure that issues digital certificates for authentication, encryption, and code signing across your Windows environment. A compromise here can undermine trust across your entire network. If you run AD CS, prioritize this patch alongside the SharePoint fix.

Why SMBs Get Hit Hardest by Patch Cycles Like This

Large enterprises have dedicated patch management teams, staging environments, and automated deployment tools that can absorb a 168-patch release without missing a beat. Most small and mid-sized businesses do not.

The typical SMB pattern looks like this: patches are acknowledged but deferred because someone is worried about compatibility, testing never happens because there is no staging environment, and weeks pass while the vulnerabilities sit open. According to the Ponemon Institute, the average time to patch a critical vulnerability at an SMB is 102 days. Attackers typically begin exploiting newly disclosed critical flaws within 48 hours of patch release.

That gap between 48 hours and 102 days is where breaches happen. The April patch cycle, with its actively exploited zero-day and 7 additional critical RCE flaws, makes that gap especially dangerous.

The compounding problem is that patch cycles do not pause. May’s Patch Tuesday will add another round of fixes on top of any April patches that were deferred. Without a systematic approach, the backlog grows every month, and so does the attack surface.

What Your Business Should Do This Week

This is a practical checklist your IT team (or your managed IT provider) should work through before the end of the week.

1. Verify SharePoint patch status. If you run SharePoint Server on-premises, confirm that the April 2026 cumulative update has been installed. Check the SharePoint Central Administration site or run Get-SPFarm | Select BuildVersion in PowerShell to verify the build number against Microsoft’s release notes.

2. Check Microsoft 365 update compliance. Log into the Microsoft 365 admin center and review update compliance across your tenant. Confirm that Office applications (Word, Excel, PowerPoint, Outlook) are running the latest version. Pay special attention to any devices showing as non-compliant or running deferred update channels.

3. Patch Windows servers and workstations. Use Windows Server Update Services (WSUS), Microsoft Intune, or your RMM platform to push the April cumulative updates to all Windows endpoints. Prioritize servers running Active Directory, AD CS, Remote Desktop Gateway, and any internet-facing roles.

4. Don’t forget third-party applications. Microsoft patches cover Microsoft products, but attackers commonly exploit outdated browsers (Chrome, Firefox, Edge), PDF readers (Adobe Acrobat), Java, and other third-party software. Check that your patch management program covers the full application stack, not just Windows updates.

5. Review Remote Desktop exposure. The Remote Desktop Gateway RCE vulnerability means any RDP infrastructure exposed to the internet is at elevated risk. Confirm that RDP access is restricted to VPN connections and that Network Level Authentication (NLA) is enabled.

6. Validate your backups. Patching sometimes causes unexpected issues with legacy applications. Before deploying updates to production servers, verify that your backup and disaster recovery systems have a current, tested restore point.

Stop Chasing Patches Every Month

A 168-patch release is large, but it is not unusual. Microsoft has shipped 100+ patches in a single Patch Tuesday multiple times over the past two years. Every month, the cycle repeats: Microsoft releases patches, your team scrambles to evaluate and deploy them, and critical fixes compete with day-to-day operations for attention.

This is exactly the kind of operational burden that automated patch management eliminates. Instead of your internal team manually evaluating, testing, and deploying 168 patches across every server and workstation, a managed patching program handles the entire cycle automatically. Patches are tested for compatibility, deployed during scheduled maintenance windows, and verified across your environment.

If you want patch deployments like this handled automatically for your business, with built-in rollback capability so that a problematic update can be reversed without scrambling, that is exactly what Infonaligy’s managed IT services deliver. Our team uses ConnectWise Automate alongside Azure and AWS patch management tools to deploy updates on a predictable schedule, monitor for failures, and roll back any patch that causes issues before it affects your operations. You get a monthly compliance report showing exactly what was patched, when, and on which systems, with no gaps and no guesswork.

One prevented breach pays for years of managed security. More importantly, it eliminates the recurring monthly fire drill that pulls your IT staff away from work that actually grows your business.

Next Steps

1. Patch the SharePoint zero-day now. CVE-2026-32201 is actively exploited and CISA’s remediation deadline is today (April 28, 2026). This is the single most urgent action.
2. Deploy the full April cumulative update to all Windows servers and workstations this week.
3. Check Microsoft 365 compliance in your admin center and push any deferred Office updates.
4. Audit third-party applications for outdated versions, especially browsers and PDF readers.
5. Evaluate your patching program. If your team is still doing this manually every month, contact us at 800-985-1365 to discuss a managed approach that eliminates the backlog permanently.