Microsoft Patch Tuesday April 2026: 167 CVEs, Active SharePoint Zero-Day, and Wormable Networking RCEs

April 2026 is a high-volume cycle with 167 CVEs from Microsoft, plus another 344 released throughout the month for a total of 512 updates. This is the largest Patch Tuesday release in years. The good news: only 2 zero-days, and the threat profile is more manageable than the volume suggests. The bad news: one zero-day is actively exploited in SharePoint Server, and we have 8 Critical-rated Remote Code Execution vulnerabilities across Office, Remote Desktop, TCP/IP, Active Directory, and core networking components.

The heaviest concentration of risk sits in Office products and Windows networking infrastructure, which means most organizations face two separate high-urgency patching tracks this cycle. We are flagging seven CVEs for priority action.

Zero-Day CVEs: Actively Exploited and Publicly Disclosed

Critical-Rated Vulnerabilities by Category

Microsoft Office / 365 Apps — 3 Critical RCEs

ThreatHunter Priority: PATCH NOW — Preview pane exploitable / Broad enterprise exposure

Multiple Critical-rated Remote Code Execution vulnerabilities across Office and Word. The most dangerous detail: these can be triggered through the preview pane in Outlook and File Explorer. Users do not need to open the document. Just previewing a malicious attachment fires the exploit.

Office RCE via preview pane has been weaponized consistently since at least 2017. The 2023 Storm-0978 campaign against European defense contractors used exactly this vector. More recently, the 2024 targeting of aerospace supply chain organizations relied on Excel RCE combined with macro-less execution. The combination of Word and Office-wide RCE in a single cycle is the profile most likely to appear in phishing campaigns within 30 days.

Identity/AD Impact: Indirect — post-exploitation credential harvesting is standard follow-on

Notable CVEs: CVE-2026-32190 (Microsoft Office RCE), CVE-2026-33115 (Word RCE), CVE-2026-33114 (Word RCE)

Windows Remote Desktop and Core Networking — 4 Critical RCEs

ThreatHunter Priority: PATCH NOW — Network exploitable / No user interaction required / Wormable

Four Critical RCE vulnerabilities in core Windows components: Remote Desktop Client, TCP/IP stack, Internet Key Exchange (IKE) extensions, and Active Directory. These are wormable-class vulnerabilities. No user interaction required. An attacker with network access can compromise systems remotely.

Windows networking RCE has produced some of the most damaging exploits in history. EternalBlue (CVE-2017-0144) was a TCP/IP-adjacent SMB RCE that enabled WannaCry and NotPetya. BlueKeep (CVE-2019-0708) was RDP RCE. Zerologon (CVE-2020-1472) touched Active Directory authentication. When Microsoft rates networking RCE as Critical, it means the blast radius is significant and exploitation does not require phishing or social engineering.

The presence of Active Directory RCE (CVE-2026-33826) is particularly concerning. Compromising AD over the network is the fastest path to full domain control. Prioritize domain controllers for patching.

Identity/AD Impact: YES — Active Directory RCE is direct domain compromise; TCP/IP and IKE RCE enable lateral movement to AD infrastructure

Notable CVEs: CVE-2026-32157 (Remote Desktop Client RCE), CVE-2026-33827 (TCP/IP RCE), CVE-2026-33824 (IKE RCE), CVE-2026-33826 (Active Directory RCE)

.NET Framework Denial of Service — 1 Critical CVE

ThreatHunter Priority: HIGH — DoS / Unauthenticated / Public-facing services at risk

A Critical-rated Denial of Service vulnerability in .NET Framework. Microsoft does not hand out Critical ratings for DoS vulnerabilities unless the impact is severe. This likely affects public-facing .NET applications, API gateways, and authentication portals. An unauthenticated attacker can crash the service remotely.

In 2022, we saw targeted DoS against .NET-based SSO portals used as a smokescreen for follow-on intrusion attempts. The attacker crashes the auth service, users cannot log in, IT scrambles to restore service, and detection visibility drops during the chaos.

High-Priority Important-Rated Vulnerabilities

Desktop Window Manager — 5 CVEs (EoP Cluster)

ThreatHunter Priority: HIGH — Clustered research finding

Five separate privilege escalation vulnerabilities in Desktop Window Manager. When you see this many CVEs in a single component in one cycle, it means a researcher did a deep dive and found multiple related flaws. The clustering suggests these are variations on a theme, which means once one is weaponized, the others will follow quickly.

Desktop Window Manager sits in the graphics and window composition layer. Exploiting it enables sandbox escape and privilege escalation from low-integrity processes. This is the type of vulnerability used in multi-stage exploits where the attacker chains an initial RCE with a local privilege escalation to gain full control.

Universal Plug and Play (UPnP) Device Host — 8 CVEs

ThreatHunter Priority: HIGH — RCE + EoP + InfoDisc / Network-exposed service

Eight vulnerabilities affecting UPnP including Remote Code Execution, privilege escalation, and information disclosure. UPnP is a network-exposed service often enabled by default on consumer routers and some enterprise network devices. The combination of RCE and network exposure makes this a priority for internet-facing systems.

UPnP has been exploited by botnets and worm malware for over a decade. The 2020 CallStranger vulnerability (CVE-2020-12695) was used for DDoS amplification and server-side request forgery. Any time UPnP gets an RCE, assume botnet operators will weaponize it.

Windows Function Discovery Service — 4 CVEs

ThreatHunter Priority: MEDIUM — EoP / Local exploit

Four privilege escalation vulnerabilities in Windows Function Discovery Service. This service handles network device and resource discovery. Compromising it can enable lateral movement and network enumeration from a compromised endpoint.

Critical Third-Party Updates

ThreatHunter.ai Coverage and Mitigation

ARGOS MDR: Active monitoring for SharePoint spoofing attempts, Office RCE exploitation indicators, Remote Desktop and networking exploitation detection, PDF and browser-based attack detection, and post-exploitation lateral movement monitoring across all customer environments.

MILBERT: Anomalous SharePoint authentication patterns, privilege escalation detection, compromised credential identification, session hijacking and token manipulation detection, and MFA anomaly detection.

TACT-IO: Automated scanning for unpatched April 2026 CVEs, Microsoft Defender version compliance verification, Office and SharePoint patch status tracking, Adobe product version inventory, and prioritized remediation workflows based on active exploitation status.

GEIGER: Mapping exposure from vulnerable SharePoint servers to critical data, domain controller compromise scenarios from Active Directory RCE, lateral movement paths from Desktop Window Manager exploitation, and risk quantification for unpatched UPnP-exposed systems.

JAXBERT CMMC: Organizations pursuing CMMC certification must apply security updates within required timeframes (typically 30 days for high/critical vulnerabilities). JAXBERT tracks patch deployment status and generates POA&M entries for overdue remediations automatically.

ThreatHunter Recommendations This Cycle

Questions on this advisory or prioritization guidance for your environment? Contact your ThreatHunter.ai analyst or reach us at support@threathunter.ai.