Privilege Elevation Dominates Massive Microsoft Patch Update
Dark Reading
Elevation-of-privilege bugs accounted for more than half of the 165 vulnerabilities patched, with two zero-days in that mix.
Jai Vijayan, Contributing Writer
April 14, 2026
It's another all-hands-on-deck Patch Tuesday.
Microsoft released patches for a near-record 165 CVEs, one of which attackers are already actively exploiting and another that's publicly known but so far remains unexploited.
Microsoft assessed 19 of the newly disclosed vulnerabilities as flaws that attackers are more likely to exploit, meaning they need high-priority attention. In keeping with a relatively recent trend, nearly 60% of the patched flaws this month are elevation-of-privilege bugs, followed by remote code execution (RCE) flaws and information disclosure bugs.
Elevation of Privilege Bugs Galore
"Elevation of privilege bugs continue to dominate the Patch Tuesday cycle over the last eight months, accounting for a record 57% of all CVEs patched in April," said Satnam Narang, senior staff research engineer at Tenable, in emailed comments. "RCE vulnerabilities have dropped to just 12%, tied with information disclosure vulnerabilities this month." The 165 flaws Microsoft patched this month fall just short of the 175 vulnerabilities disclosed in October 2025. At this pace, the company in 2026 could once again surpass 1,000 vulnerability disclosures in a single year, Narang added.
The zero-day that attackers are actively exploiting is CVE-2026-32201 (CVSS: 6.5), a spoofing vulnerability in Microsoft SharePoint Server that gives attackers a way to view and modify sensitive information. Attackers can abuse the flaw to spoof trusted content or interfaces over a network, said Mike Walters, president and co-founder of Action1, in a statement. "By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content," Walters said. "While the direct impact on data is limited, the ability to deceive users makes this a powerful tool for broader attacks."
The other zero-day vulnerability (publicly disclosed, proof-of-concept available, but yet-to-be-exploited) is CVE-2026-33825 (CVSS: 7.8), one of more than 90 elevation-of-privilege bugs in this month's set. The bug affects Microsoft's built-in Defender antimalware platform. An attacker who successfully exploits the flaw can gain system-level privileges on affected devices. Organizations that have configured their Defender instances to receive automatic updates are already patched against the flaw and need to take no additional action besides verifying they have received the update, Microsoft said. The vulnerability is one that attackers are more likely to exploit according to Microsoft.
Jack Bicer, director of vulnerability research at Action1, perceived the flaw as one that attackers will likely chain with other exploits to expand initial access on an affected system. "CVE-2026-33825 significantly increases risk in environments where attackers have already gained a foothold," Bicer said, adding that it gives adversaries a way to gain total control over vulnerable endpoints.
According to Tyler Reguly, associate director of security R&D at Fortra, CVE-2026-33825 also appears to be the vulnerability involved in the BlueHammer proof-of-concept exploit that a researcher recently publicly disclosed, while citing unhappiness with Microsoft's response to his bug disclosure.
A Handful of Critical Bugs
Microsoft assessed only eight of the vulnerabilities in its massive patch update as being of critical severity — the vast majority of the others it ranked as being of moderate or "Important" severity.
Among the critical vulnerabilities is CVE-2026-33824 (CVSS: 9.8), an unauthenticated RCE flaw in Windows Internet Key Exchange (IKE) Service Extensions, a Windows component associated with encrypted network connections. Microsoft wants organizations affected by the flaw to either install the patch immediately or block incoming traffic on UDP ports 500 and 4500 for systems that do not use IKE. "For systems that require IKE, configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses," Microsoft advised.
CVE-2026-33827 (CVSS: 8.1) is another unauthenticated RCE vulnerability affecting Windows secure tunneling and authentication components that operate above the TCP/IP layer. "It is rare that you see a truly remote TCP/IP vulnerability these days and that's exactly what CVE-2026-33827 is," Reguly said in a statement. "The attack complexity is listed as high because the vulnerability is based on a race condition as well as 'additional actions,' as Microsoft calls it, but it is still impressive to see these vulnerabilities identified in 2026."
CVE-2026-33114 (CVSS: 8.4) and CVE-2026-33115 (CVSS: 8.4), both RCE flaws in Microsoft Word, are two other vulnerabilities that Microsoft rated as critical, though it assessed the chances of attackers actually exploiting them as low. Meanwhile, the vulnerabilities that the company thinks attackers are more likely to exploit included CVE-2026-26151 (CVSS: 7.1), a spoofing vulnerability in Windows Desktop; CVE-2026-26169 (CVSS: 6.1), an information disclosure flaw affecting Windows Kernel memory; and CVE-2026-27906 (CVSS: 4.4), a Windows Hello security bypass vulnerability.
Dozens of Edge and Chromium Fixes
Mat Lee, senior security engineer at Automox, highlighted nearly 80 Microsoft Edge and Chromium patches that Microsoft republished this week as part of its April 2026 security update. "Edge and Chromium patches are far easier to deploy than SQL Server or SharePoint updates," Lee said via emailed comments. "There are no database migrations, no downtime windows, and no complex dependency chains. You can push browser updates across your fleet in minutes, making this a low-effort, high-return patching target." With as many as 80 fixes to address, organizations should not let the minimal disruption caused by a browser restart stop them from addressing the vulnerabilities right away, he said.
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.