Microsoft has released its latest Patch Tuesday updates, addressing more than 160 security vulnerabilities across its products, including a zero-day flaw in Microsoft SharePoint Server that has been actively exploited in the wild.
The vulnerability, tracked as CVE-2026-32201, is classified as a spoofing issue, which stems from improper input validation. It could allow an unauthorized attacker to perform spoofing attacks over a network and gain access to sensitive information.
Microsoft has not disclosed who is behind the attacks or what kind of operations the flaw was exploited in. Based on the limited technical details provided, it’s possible that the flaw could be used in combination with other vulnerabilities as part of an attack chain.
In addition to the SharePoint zero-day, Microsoft also patched a publicly disclosed privilege-escalation flaw (CVE-2026-33825) affecting Microsoft Defender.
The US cybersecurity agency CISA has already added CVE-2026-32201 to its KEV catalog, as well as an older Microsoft Office remote code execution vulnerability (CVE-2009-0238). The latter flaw could be exploited by a remote attacker via a specially crafted Excel file containing a malformed object for code execution with privileges of the current user.
Among other patched vulnerabilities are two high-severity issues in Windows Hello (CVE-2026-27906 and CVE-2026-27928) that could be abused to access sensitive information or bypass the MFA required for Windows Hello for Business PIN provisioning, respectively. The April 2026 Patch Tuesday release also fixes multiple high-risk flaws in Windows Shell.
Users and administrators are strongly advised to apply the latest patches as soon as possible to mitigate potential risks.