Microsoft Patched 167 Vulnerabilities Today. One CVE Has Been Exploited Since December.
Two zero-days. One actively exploited SharePoint flaw added to CISA's KEV catalog today. And the real headline: Adobe Acrobat Reader has been silently exploited in the wild since at least November 2025, four months before a patch existed. PDF files. In every inbox. On every endpoint.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Today is Patch Tuesday and it is the second-largest in Microsoft's history. Two zero-days. One actively exploited SharePoint flaw added to CISA's Known Exploited Vulnerabilities catalog today. And the real headline: Adobe Acrobat Reader has been silently exploited in the wild since at least November 2025, four months before a patch existed. PDF files. In every inbox. On every endpoint.
Not all 167 vulnerabilities require the same urgency. Three require action today, not this week: the Adobe zero-day (CVE-2026-34621), the SharePoint zero-day (CVE-2026-32201), and BlueHammer (CVE-2026-33825), the Defender privilege escalation for which working exploit code was publicly available before today's patch. Two more, a wormable IKE flaw with CVSS 9.8 and a potentially wormable TCP/IP RCE, require action within 48 hours on any infrastructure with IKE or IPv6+IPSec enabled.
CVE-2026-34621: the Adobe zero-day that ran for four months before a patch
This is the headline vulnerability of the April patch cycle, and it did not come from Microsoft. Adobe issued an emergency out-of-band patch on April 11, three days before Patch Tuesday, for CVE-2026-34621, a prototype pollution vulnerability in Adobe Acrobat Reader that enables arbitrary code execution when a victim opens a specially crafted PDF file.
The critical detail is the timeline. Security researcher Haifei Li, founder of EXPMON, a sandbox-based system for detecting advanced file-based exploits, flagged the vulnerability after a suspicious PDF sample was submitted to the platform on March 26. Analysis of related samples on VirusTotal traced exploitation back to at least November 28, 2025. Adobe's emergency patch arrived April 11, 2026. That is a minimum of four months of active exploitation with no patch available.
The exploit mechanism is a prototype pollution attack, a class of vulnerability in JavaScript that allows attackers to manipulate an application's objects by modifying shared prototype attributes. In Acrobat Reader's implementation, successful exploitation allows privileged Acrobat APIs to be called, enabling the exploit to read arbitrary files accessible to the sandboxed Reader process, harvest system information, and beacon to a command-and-control server. A second stage can deliver remote code execution and sandbox escape.
Gi7w0rm, a threat intelligence analyst, noted that the malicious PDFs used Russian-language lures referencing current events in Russia's oil and gas industry. CISA added CVE-2026-34621 to the KEV catalog on April 13, 2026, with a federal remediation deadline of April 27.
“The sample abuses a zero-day vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs. It calls util.readFileIntoStream() to read arbitrary files accessible to the sandbox, collects system telemetry including the Acrobat Reader version, and sends it to a C2 server. The capability to fingerprint and escalate suggests this is an initial access stage, not a final payload.”
EXPMON researcher Haifei Li, original disclosure
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
CVE-2026-32201: the SharePoint zero-day in active exploitation today
The second actively exploited zero-day is CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server that enables unauthenticated network-based spoofing. CISA added it to the KEV catalog on April 14, 2026, the same day as the patch, with a federal remediation deadline of April 28.
The vulnerability has a CVSS score of 6.5, which understates operational risk. The score reflects a spoofing vulnerability with confidentiality and integrity impact, but no requirement for authentication or special privileges, meaning any attacker with network access to an on-premises SharePoint instance can exploit it. A spoofed, trusted SharePoint environment is a highly effective phishing surface for credential harvesting or malware delivery to employees who trust intranet content implicitly.
Critically, this vulnerability affects on-premises SharePoint only. SharePoint Online and Microsoft 365 are not impacted. Organisations running on-premises SharePoint 2016, 2019, or Subscription Edition need to act today. If patching cannot happen immediately, consider taking the affected SharePoint servers off public-facing internet exposure as an interim measure.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
CVE-2026-33825 (BlueHammer): the Defender privilege escalation with a public exploit
The second zero-day, CVE-2026-33825 in Microsoft Defender, was publicly known before today's patch. The researcher who discovered it published working exploit code after growing frustrated with Microsoft's response timeline. BlueHammer exploits insufficient access-control granularity in Defender to elevate a low-privilege local account to full SYSTEM access.
While public disclosure means this was not a stealth zero-day like the SharePoint flaw, the availability of working exploit code prior to the patch significantly elevates risk. Any threat actor with an existing foothold in an environment could use BlueHammer to escalate to SYSTEM, then pivot, exfiltrate data, disable security tooling, or move laterally. Will Dormann of Tharros confirmed the public exploit code no longer works after installing today's patches.
“What starts as a foothold can quickly become full system domination. Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling security tools, and lateral movement across networks.”
Jack Bicer, Action1, on CVE-2026-33825 (BlueHammer)
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Other critical vulnerabilities requiring action within 48 hours
Beyond the three emergency-tier patches, four more vulnerabilities carry wormable or near-wormable potential and require accelerated deployment on servers and infrastructure.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why 167 CVEs? The AI-driven vulnerability discovery acceleration
April 2026 is the second-largest Patch Tuesday in Microsoft's history by CVE count. Dustin Childs of Trend Micro's Zero Day Initiative noted publicly that many vulnerability research programmes are experiencing a significant increase in AI-assisted submissions. 'For us, our incoming rate has essentially tripled, making triage a challenge, to say the least,' he wrote. Adam Barnett of Rapid7 described the April total as 'a new record in that category' once browser vulnerabilities are included, and attributed the increase directly to AI capabilities in vulnerability discovery.
The same dynamic that is producing more CVE reports is also producing faster weaponisation. Attackers are now reverse-engineering patches within 24 hours of release, a pattern consistently documented across Q1 2026, and using AI tooling to accelerate the path from patch diff to working exploit. This is the structural backdrop behind 'Exploit Wednesday': the day after Patch Tuesday when unpatched systems become actively targeted based on reversed patch content.
Nine actively exploited zero-days from Microsoft across Q1 2026 is a material escalation from historical norms. The cadence reflects a sustained offensive posture by multiple well-resourced threat actors probing Microsoft's stack, combined with an AI-accelerated discovery pipeline generating more findings faster than the patch cycle was designed to absorb.
The bottom line
Today is Patch Tuesday. Tomorrow is Exploit Wednesday.
This phrase has existed in the security industry for years. What has changed in 2026 is the timeline. When this concept was coined, 'Exploit Wednesday' was a general warning about deployment lag. Today it is a literal operational window. Threat actors with AI-assisted reverse engineering capabilities are diffing Microsoft's patches within hours and building functional exploits the same day.
For the three actively exploited vulnerabilities in today's release, the Adobe zero-day, the SharePoint zero-day, and BlueHammer, the answer must be today, not this week. For CVE-2026-33824 (IKE, CVSS 9.8) and CVE-2026-33827 (TCP/IP wormable), apply firewall mitigations now and patch within 48 hours. The question is not whether to patch. It is whether your deployment process is fast enough to close the window before it becomes an entry point.
Attackers reverse-engineer patches within 24 hours of release. Your patch deployment timeline is your exposure window. Measure it.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
How many CVEs were patched in Microsoft's April 2026 Patch Tuesday?
Microsoft patched 167 CVEs in April 2026, making it the second-largest Patch Tuesday in history. Two are zero-days, and one Adobe Acrobat Reader flaw (CVE-2026-34621) was actively exploited since November 2025.
What is CVE-2026-34621?
CVE-2026-34621 is a critical prototype pollution vulnerability in Adobe Acrobat Reader that enables arbitrary code execution via crafted PDF files. It was exploited in the wild for at least four months before Adobe issued an emergency patch on April 11, 2026.
What should I patch first from April 2026 Patch Tuesday?
Patch CVE-2026-34621 (Adobe Acrobat Reader RCE), CVE-2026-32201 (SharePoint zero-day), and CVE-2026-33825 (BlueHammer Defender privilege escalation) immediately. Then address the wormable IKE flaw (CVSS 9.8) and TCP/IP RCE within 48 hours.
What is the BlueHammer vulnerability (CVE-2026-33825)?
CVE-2026-33825, nicknamed BlueHammer, is a privilege escalation vulnerability in Microsoft Defender that allows a local attacker to elevate to SYSTEM privileges. Public exploit code was available before Microsoft's April 2026 patch shipped, meaning any attacker who already has a foothold in your environment can use it to escalate immediately. It is a second-stage attack multiplier: patch it the same day as Patch Tuesday.
Which April 2026 vulnerabilities are wormable?
Two April 2026 CVEs carry wormable potential: a flaw in the Windows IKE (Internet Key Exchange) protocol rated CVSS 9.8, and a TCP/IP remote code execution vulnerability. Both can be exploited without authentication and without user interaction on systems with IKE or IPv6 plus IPSec enabled. Wormable means a single compromised machine can scan for and attack other vulnerable machines automatically, as seen in WannaCry and NotPetya. Patch within 48 hours or disable IKE where it is not needed.
Sources & references
- Microsoft April 2026 Security Update Guide
- Adobe APSB26-43 (April 11, 2026)
- CISA KEV Catalog
- Zero Day Initiative, April 2026 Security Update Review
- Rapid7 April 2026 Patch Tuesday Analysis
- EXPMON / Haifei Li
- Action1 / Jack Bicer
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
