Microsoft Fixes Two Zero-Days in April Patch Tuesday

By Team-CWD, April 17, 2026

Microsoft published a larger-than-usual list of CVE fixes as part of its monthly Patch Tuesday update round yesterday, including fixes for two zero-day vulnerabilities.

One of these, CVE-2026-32201, is being actively exploited in the wild.

It is described as a server spoofing vulnerability in SharePoint whereby improper input validation allows an unauthorized attacker to perform spoofing over a network.

“By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content. While the direct impact on data is limited, the ability to deceive users makes this a powerful tool for broader attacks,” explained Action1 president, Mike Walters.

“It can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments. This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise.”

The second zero-day has been publicly disclosed but not exploited at this time.

CVE-2026-33825 is an elevation of privilege (EoP) vulnerability in Microsoft Defender that could enable a threat actor to gain system-level access.

Jack Bicer, director of vulnerability research at Action1, warned that the CVE could be chained with others in real-world attacks.

“CVE-2026-33825 significantly increases risk in environments where attackers have already gained a foothold,” he added.

“Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling security tools, and lateral movement across networks. Even environments with strong perimeter defenses are at risk if internal systems are compromised.”

EoP Bugs Dominate April

In fact, EoP vulnerabilities are by far the largest category of CVEs this month, amounting to 93 flaws. Information disclosure (21), remote code execution (20) and security feature bypass (13) comprise the next-largest categories by volume.

Walters urged sysadmins to also look at CVE-2026-33824. With a CVSS score of 9.8, the remote code execution flaw is the most dangerous on paper this month and impacts the Windows Internet Key Exchange (IKE) service.

Threat actors could exploit the vulnerability remotely by sending specially crafted network packets, with internet-facing IKEv2 systems particularly at risk, he said.

“This issue poses a serious threat to enterprise environments, especially those relying on VPN or IPsec for secure communications,” Walters continued. “Successful exploitation can result in complete system compromise, allowing attackers to steal sensitive data, disrupt operations, or move laterally across the network.”


