CXO

Corporate Employees Targeted by Vidar Malware

The purpose of Vidar malware is to infiltrate systems and deploy a payload to extract sensitive data.

Microsoft April 2026 Patch Tuesday- Fixes 165 Flaws including 2 Zero-Days

Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.

The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.

The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.

Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.

OEM	Microsoft
Severity	Critical
Date of Announcement	2026-04-14
No. of Vulnerability	165
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).

Here are the CVE addresses for Microsoft April 2026:

165 Microsoft CVEs
82 Non Microsoft CVEs

Breakdown of April 2026 Vulnerabilities

93 Elevation of Privilege (EoP)
20 Remote Code Execution
21 Information Disclosure
10 Denial of Service (DoS)
9 Spoofing
13 Security Feature Bypass

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCE	CVE-2026-33824	Windows IKE Service	Critical	9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)	CVE-2026-33827	Windows TCP/IP Stack	Critical	9.8
Windows Active DirectoryRemote Code Execution	CVE-2026-33826	Windows Active Directory	Critical	9.1
Remote Desktop Client Remote Code Execution	CVE-2026-32157	Remote Desktop Client	High	8.8
Microsoft Office Remote Code Execution (Preview Pane)	CVE-2026-32190	Microsoft Office	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33114	Microsoft Word	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33115	Microsoft Word	High	8.4

Technical Summary

This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.

The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.

The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.

Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.

This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2026-33824	Windows IKE Service Extensions	Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required	Remote Code Execution
CVE-2026-32190	Microsoft Office	Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file	Remote Code Execution
CVE-2026-33114 / 33115	Microsoft Word	Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains	Remote Code Execution
CVE-2026-32157	Remote Desktop Client	RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios	Remote Code Execution
CVE-2026-33827	Windows TCP/IP Stack	Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks	Remote Code Execution
CVE-2026-33826	Windows Active Directory	Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining	Remote Code Execution

Key Affected Products and Services

April 2026 updates address vulnerabilities across:

Windows Core Components

Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.

Microsoft Office Suite

Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.

SharePoint & Collaboration

SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.

Microsoft Defender

A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.

.NET Framework & Developer Tools

.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.

Azure & Cloud Services

Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.

SQL Server

Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.

Remediation:

Apply April 2026 security updates on all Windows systems as a priority

Here are some recommendations

Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
Ensure Microsoft Defender and other security components are updated to the latest platform versions.
Review network exposure and apply temporary mitigations where patching may be delayed.
Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.

Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.

References:

https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr
https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/

CISCO Vulnerability Allows RCE in its Smart Software Manager on-Premise

CVE-2026-20160, Vulnerability in CISCO’s smart software manager may allows attackers to gain complete control over the affected system without needing authentication which is gaining prior access to exploit the system. The CVSS severity score of 9.8 out of 10, indicating its high risk level.

Authentication and access controls play a crucial role in web application and system security. What can happen?

Data theft
System compromise
Privilege escalation

CISCO’s Smart Software Manager Flaw

In this case the vulnerability exposure allowed unauthorized access, as attackers do not need login credentials when a hacker can execute arbitrary commands on the operating system. Further escalating by creating crafted request to the service’s API. The vulnerability impacted certain versions of the Cisco SSM On-Prem environments, particularly software releases from 9-202502 to 9-202510.

Remediation for organizations

Organizations can prevent authentication bypass through regular patching, multi-factor authentication, encryption, and strong password policies.

The vulnerability did not impact CISCO’s smart software newly released version 9-202601 includes a patch that fixes the flaw.

Cisco advises to upgrade to version 9-202601 immediately, as there are no current workarounds or temporary mitigations to block potential attacks.

For IT teams notes include devices meet the necessary memory and hardware specifications before proceeding with the update.

Key findings from CVE-2026-20160 Vulnerability

The vulnerability was discovered internally by Cisco’s Technical Assistance Center (TAC) team and they found no immediate exploitations in the wild

With the disclosure can motivate hackers to reverse-engineer the patch and search for vulnerable systems. Following Cisco’s guidelines and maintaining up-to-date security measures will be essential in mitigating risks associated and stop any kind of data breaches.

Conclusion:

Research shows that, making timely patching critical for authentication security is essential and failing to do that can lead to data breaches.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.

Sources: Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability

Microsoft 365 Copilot Defect Exposes AI Summarizes of Confidential Emails

Microsoft 365 Copilot Vulnerability Bypasses DLP Policies, Summarizes Confidential Emails; Bug Tracked CW1226324

Summary :

A recently disclosed issue in Microsoft 365 Copilot caused the AI assistant to summarize confidential emails despite sensitivity labels and Data Loss Prevention (DLP) policies being configured.

The bug, tracked under CW1226324, allowed Copilot’s “Work Tab” chat feature to process and summarize emails from Sent Items and Draft folders, even when those emails carried confidentiality labels designed to restrict automated access.

Microsoft findings

Microsoft’s investigation revealed a code-level defect as the root cause. The flaw allows Copilot to inadvertently pick up items stored in users’ Sent Items and Draft folders, bypassing the confidentiality labels applied to those messages.

Although Microsoft categorized the issue as an advisory with potentially limited scope, the incident raises significant concerns regarding AI governance, trust boundaries, and enterprise data protection controls.

As per CSN the flaw allows Copilot to inadvertently pick up items stored in users’ Sent Items and Draft folders, ignoring the confidentiality labels applied to those messages.

Vulnerability Details

The issue happened because of an internal coding mistake in Microsoft 365 Copilot’s Work Tab chat feature. Due to this error, Copilot was able to access emails stored in Sent and Draft folders, even if they were marked as confidential.

In normal conditions, sensitivity labels and DLP policies should block automated tools from processing such emails.

However, because of this flaw, Copilot treated those protected emails as regular content and created summaries from them until Microsoft began deploying a fix in February 2026.

Attack Flow

Step	Description
Configuration	Organization applies confidentiality labels and DLP policies to sensitive emails.
Storage	Emails are stored in Sent Items or Draft folders.
Trigger	User interacts with Copilot “Work Tab” Chat.
Processing	Due to the code bug, Copilot accesses labeled emails.
Exposure	Copilot generates summaries of confidential content, bypassing expected DLP enforcement.

Source:0din

Why It’s Effective

DLP Control Bypass: AI processing occurred despite policy enforcement.

Trust Boundary Violation: Copilot acted as a privileged internal processor without honoring classification restrictions.

Compliance Risk: Potential regulatory implications under GDPR, HIPAA, ISO 27001, and industry frameworks.

AI Governance Gap: Demonstrates that AI systems must be independently validated against traditional security controls.

Broader Implications

This issue shows that AI tools inside business software can sometimes ignore security rules, even when protection like DLP and sensitivity labels are properly set. It proves that AI systems can create new risk areas that traditional security controls may not fully cover.

As more companies use AI assistants in daily work, security teams must regularly test and monitor how AI handles sensitive data. AI should be treated like a powerful internal system that needs strict oversight, not just a simple productivity feature.

Remediation:

Microsoft has initiated a fixed rollout and is monitoring deployment progress. However, organizations should take proactive measures:

Validate that sensitivity labels are now properly enforced with Copilot.

Audit Copilot usage logs and AI interaction history.

Re-test DLP enforcement across Sent and Draft folders.

Update AI governance documentation and risk registers.

Conduct tabletop exercises covering AI-driven data exposure scenarios.

Conclusion:
This incident highlights that AI integrations can introduce unexpected security gaps, even in well-configured enterprise environments. Organizations cannot assume that existing security controls will automatically work the same way with AI-powered features.

As AI adoption increases, companies must strengthen AI governance, continuously validate security policies, and monitor AI behavior just like any other critical system. Proactive testing and oversight are essential to prevent future data exposure risks.

Bypassing DLP policies by AI aided assistants signals huge security gap which needs to be addressed at enterprise level as AI tool taking over enterprise security posture cannot be undermined.

References: