Post-Patch Tuesday Roundup: April 2026

Softcat’s April 2026 Patch Tuesday summary highlights updates from major vendors including Microsoft, Adobe, Cisco, SAP, Ivanti, IBM, Fortinet, and Apple, as they release patches addressing a wide range of vulnerabilities across their respective platforms.


Philip Odjidja

Vulnerability Engineer

This release includes zero‑day disclosures, some of which are under active exploitation.

 

Microsoft  

Microsoft addressed 165 CVEs in its April 2026 Patch Tuesday update, including 2 zero-day vulnerabilities. Eight are rated critical (7 are remote code execution flaws and the other is a denial of service flaw), 154 are rated important, and one is rated moderate. This marks the second-largest Patch Tuesday release to date, approaching the record of 167 CVEs set in October 2025.

Zero-Day Vulnerabilities:

CVE-2026-32201 - An actively exploited Microsoft SharePoint spoofing vulnerability caused by improper input validation that allows unauthenticated attackers to impersonate trusted entities over the network, making it important to patch promptly despite its “Important” severity rating. Microsoft has not disclosed how this vulnerability was exploited in attacks or who disclosed it.

CVE-2026-33825 - An elevation of privilege vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and was rated important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available. While Microsoft’s advisory made no mention of public exploit code, the description appears to match a zero-day exploit, known as BlueHammer, with code posted to GitHub on April 3rd.

Microsoft has addressed the flaw in the Defender Antimalware Platform update version 4.18.26050.3011, which will automatically be downloaded to systems.

Windows users can manually install it by going to Windows Security > Virus & threat protection > Protection Updates, then clicking Check for updates.

Critical 

There were eight critical vulnerabilities addressed this month, primarily remote code execution (RCE) issues affecting core Windows components and services. While Microsoft’s official list is extensive, the key critical vulnerabilities are CVE-2026-33826 and CVE-2026-33824.

CVE-2026-33826 - A critical remote code execution vulnerability in Windows Active Directory with a CVSSv3 score of 8 and an “Exploitation More Likely” rating from Microsoft. An authenticated attacker can execute code by sending a specially crafted RPC request to a vulnerable host, though exploitation requires the attacker to be within the same restricted Active Directory domain as the target system.

CVE-2026-33824 is a critical remote code execution vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions, with a CVSSv3 score of 9.8, that can be exploited by an unauthenticated attacker sending specially crafted packets to systems with IKEv2 enabled. Microsoft’s advisory includes some mitigations that can be applied in the event immediate patching cannot be performed. This includes firewall rules for UDP ports 500 and 4500.
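
A per-host check for the two items above that come with concrete values: the fixed Defender platform version for CVE-2026-33825 and the IKE ports named for CVE-2026-33824. This is an added example, not code from Microsoft or Softcat; the function names are hypothetical, and it assumes the built-in Defender and NetTCPIP PowerShell modules are available. A bound endpoint is treated here as a reason to review the host against Microsoft's advisory, not as proof that it is vulnerable.

```powershell
# Added example: per-host triage for two items in this roundup.
# Both values below are taken from the article text.
$FixedPlatform = [version]'4.18.26050.3011'   # Defender platform fix for CVE-2026-33825
$IkePorts      = 500, 4500                    # UDP ports named for CVE-2026-33824

function Test-DefenderPlatform {
    param([string]$Installed, [version]$Fixed = $FixedPlatform)
    # Compare as [version], not as strings: as text, '4.18.9999.1'
    # sorts after '4.18.26050.3011' even though it is the older build.
    $v = $null
    if (-not [version]::TryParse($Installed, [ref]$v)) { return 'Unknown' }
    if ($v -ge $Fixed) { 'Patched' } else { 'NeedsUpdate' }
}

function Get-IkeExposure {
    param([int[]]$Ports = $IkePorts)
    # IKEEXT is the Windows "IKE and AuthIP IPsec Keying Modules" service.
    $svc   = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $bound = Get-NetUDPEndpoint -LocalPort $Ports -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
    [pscustomobject]@{
        IkeServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }
        BoundEndpoints   = @($bound)
        NeedsReview      = [bool]$bound   # something is listening on 500/4500
    }
}

# AMProductVersion is the Antimalware platform version reported by Defender.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DefenderPlatform = $mp.AMProductVersion
    DefenderState    = Test-DefenderPlatform -Installed $mp.AMProductVersion
    Ike              = Get-IkeExposure
}
```

A host reporting `NeedsUpdate` can be updated through the Windows Security steps given above; a host with `NeedsReview` set should be patched first or have the firewall mitigations from Microsoft's advisory applied.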

The other six critical vulnerabilities are CVE-2026-32190, CVE-2026-33115, CVE-2026-33114, CVE-2026-32149, CVE-2026-33827 and CVE-2026-32157.

Important

CVE-2026-27913 - A security feature bypass vulnerability in Windows BitLocker, with a CVSSv3 score of 7.7, that could allow an attacker to bypass Secure Boot—a UEFI firmware protection ensuring only trusted, signed software runs during startup; although no active exploitation has been observed, Microsoft rates it as “Exploitation More Likely.”

CVE-2026-26151 is a spoofing vulnerability in Remote Desktop. It was assigned a CVSS v3 score of 7.1 and rated important. Microsoft assesses this vulnerability as more likely to be exploited. An attacker could exploit this vulnerability by convincing a target to open a crafted file. This vulnerability was credited to the United Kingdom's National Cyber Security Centre (NCSC).

Previously, users would not receive any warning when attempting to open a Remote Desktop Protocol (RDP) file. Starting with the April 2026 Security Update, users will receive adequate warning dialogs when interacting with potentially malicious RDP files.

CVE-2026-20945 is an information disclosure vulnerability in Microsoft Windows that could allow an attacker to access sensitive data due to improper handling of memory or system resources. It is rated as Important, and while it does not directly enable code execution, it could be used alongside other vulnerabilities like CVE-2026-32201 to aid further attacks.

Updates from Other Vendors

Adobe released 12 security updates in its April 2026 Patch Tuesday, addressing 61 vulnerabilities (CVEs) across multiple products. The update includes products like Illustrator, Reader, Acrobat, Photoshop, Bridge, ColdFusion, Adobe Connect, FrameMaker, AEM, InCopy, and InDesign.

 

Cisco

In April 2026, Cisco released multiple security advisories addressing vulnerabilities across various enterprise products, including critical issues such as authentication bypass, command injection, and remote code execution affecting infrastructure management systems. The key critical vulnerabilities are CVE-2026-20093 and CVE-2026-20160.

 

Fortinet

Fortinet released patches for several products, most notably addressing CVE‑2026‑35616, a critical FortiClient EMS vulnerability that attackers are actively exploiting.

 

SAP

SAP released its April security updates across multiple products, including a critical SQL injection vulnerability affecting SAP Business Planning and Consolidation as well as SAP Business Warehouse.

 

Ivanti

Ivanti’s April 2026 update cycle includes multiple security advisories across its enterprise product suite, addressing a set of vulnerabilities including remote code execution, SQL injection, and authentication-related flaws, with several issues rated high to critical severity and requiring immediate patching in affected environments.

 

IBM

IBM’s April 2026 security advisories cover vulnerabilities across several products, including:

IBM API Connect

IBM DB2

IBM Cloud Pak for Integration components

IBM App Connect / App Connect Enterprise

IBM watsonx / automation products

 

Apple

Apple has expanded a backported security update for iOS 18 (notably iOS 18.7.7) so that more iPhones still running iOS 18 can receive patches for the actively exploited “DarkSword” exploit chain, without requiring users to upgrade to a newer major iOS version like iOS 26.

As always, users are advised to apply the latest security updates as soon as possible to protect their systems from potential threats.