Sharepoint

Microsoft April 2026 Patch Tuesday- Fixes 165 Flaws including 2 Zero-Days

Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.

The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.

The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.

Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.

OEM	Microsoft
Severity	Critical
Date of Announcement	2026-04-14
No. of Vulnerability	165
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).

Here are the CVE addresses for Microsoft April 2026:

165 Microsoft CVEs
82 Non Microsoft CVEs

Breakdown of April 2026 Vulnerabilities

93 Elevation of Privilege (EoP)
20 Remote Code Execution
21 Information Disclosure
10 Denial of Service (DoS)
9 Spoofing
13 Security Feature Bypass

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCE	CVE-2026-33824	Windows IKE Service	Critical	9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)	CVE-2026-33827	Windows TCP/IP Stack	Critical	9.8
Windows Active DirectoryRemote Code Execution	CVE-2026-33826	Windows Active Directory	Critical	9.1
Remote Desktop Client Remote Code Execution	CVE-2026-32157	Remote Desktop Client	High	8.8
Microsoft Office Remote Code Execution (Preview Pane)	CVE-2026-32190	Microsoft Office	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33114	Microsoft Word	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33115	Microsoft Word	High	8.4

Technical Summary

This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.

The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.

The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.

Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.

This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2026-33824	Windows IKE Service Extensions	Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required	Remote Code Execution
CVE-2026-32190	Microsoft Office	Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file	Remote Code Execution
CVE-2026-33114 / 33115	Microsoft Word	Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains	Remote Code Execution
CVE-2026-32157	Remote Desktop Client	RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios	Remote Code Execution
CVE-2026-33827	Windows TCP/IP Stack	Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks	Remote Code Execution
CVE-2026-33826	Windows Active Directory	Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining	Remote Code Execution

Key Affected Products and Services

April 2026 updates address vulnerabilities across:

Windows Core Components

Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.

Microsoft Office Suite

Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.

SharePoint & Collaboration

SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.

Microsoft Defender

A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.

.NET Framework & Developer Tools

.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.

Azure & Cloud Services

Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.

SQL Server

Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.

Remediation:

Apply April 2026 security updates on all Windows systems as a priority

Here are some recommendations

Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
Ensure Microsoft Defender and other security components are updated to the latest platform versions.
Review network exposure and apply temporary mitigations where patching may be delayed.
Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.

Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.

References:

https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr
https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/

Microsoft Teams Access Token Vulnerability Allows Attack Vector for Data Exfiltration

Summary: Microsoft Teams Access Token Vulnerability: New Attack Vector for Data Exfiltration

A recently uncovered vulnerability in Microsoft Teams for Windows allows attackers with local access to extract encrypted authentication tokens, granting unauthorized access to chats, emails and SharePoint files.

This technique, detailed by researcher Brahim El Fikhi on October 23, 2025, leverages the Windows Data Protection API (DPAPI) to decrypt tokens stored in a Chromium-like Cookies database.

Attackers can use these tokens for impersonation, lateral movement, or social engineering, bypassing recent security enhancements and posing significant risks to enterprise environments.

Vulnerability Details

The vulnerability, identified in Microsoft Teams desktop applications, involves the extraction of encrypted access tokens stored in the SQLite Cookies database at %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Cookies. Unlike earlier versions that stored tokens in plaintext (a flaw exposed by Vectra AI in 2022), current versions use AES-256-GCM encryption protected by DPAPI, tied to user or machine credentials. However, attackers with local access can decrypt these tokens using tools like ProcMon and Mimikatz, exploiting the embedded msedgewebview2.exe process that handles authentication via login.microsoftonline.com.

Source: blog.randorisec.fr, cybersecuritynews
Attack Flow

Step	Description
Craft	Attackers use ProcMon to monitor msedgewebview2.exe and identify the Cookies database write operations.
Access	The ms-teams.exe process is terminated to unlock the Cookies file, which is locked during operation.
Extract	The encrypted token is retrieved from the Cookies database, with fields like host_key (e.g., teams.microsoft.com), name, and encrypted_value (prefixed with “v10”).
Decrypt	The DPAPI-protected master key is extracted from %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State and decrypted using Windows APIs or tools like Mimikatz.
Exploit	Decrypted tokens are used with tools like GraphSpy to access Teams chats, send messages, read emails, or interact with SharePoint via Microsoft Graph API

Why It’s Effective

Local Access Exploitation: The attack requires only local access, achievable via malware or compromised endpoints, bypassing MFA and remote defenses.
Stealthy Execution: The use of standard Windows APIs (DPAPI) and embedded browser processes evades traditional monitoring.
Authority Abuse: Tokens enable impersonation through trusted APIs, amplifying risks of phishing or data theft via Teams, Outlook, or SharePoint.

Recommendations:

Monitor Processes – Deploy EDR rules to detect abnormal ms-teams.exe terminations or msedgewebview2.exe file writes.
Enforce Encryption – Use app-bound encryption and prefer web-based Teams to avoid local token storage.
Token Rotation – Implement Entra ID policies to rotate access tokens regularly and audit Graph API logs for anomalies.
Limit Privileges – Restrict local admin access to prevent DPAPI key extraction.
User Awareness – Train users to recognize phishing attempts via Teams or email, especially those leveraging impersonation

Conclusion:
This vulnerability underscores the evolving threat landscape for collaboration platforms like Microsoft Teams. As attackers refine techniques to exploit trusted systems, organizations must enhance endpoint monitoring and adopt stricter access controls. By implementing the outlined mitigations, security teams can reduce the risk of token-based attacks and safeguard sensitive data.

References:

Kaspersky reveals SharePoint ToolShell vulnerabilities stem from incomplete 2020 fix.

Kaspersky’s Global Research and Analysis Team (GReAT) discovered that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint originate from an incomplete fix for CVE-2020-1147, first reported in 2020.

IntruceptLabs have published the security advisory https://intruceptlabs.com/2025/07/toolshell-zero-day-exploits-in-microsoft-sharepoint-enable-full-remote-takeover/ on 21st July 2025.

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid active exploitation. Kaspersky Security Network showed exploitation attempts worldwide, including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors.

Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

Share point Vulnerabilities a major cyber threat

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid
active exploitation. Kaspersky Security Network showed exploitation attempts worldwide,
including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. Kaspersky solutions proactively detected and blocked ToolShell attacks before the vulnerabilities were publicly disclosed.

Kaspersky GReAT researchers analyzed the published ToolShell exploit and found it alarmingly similar to the 2020 CVE-2020-1147 exploit.

This suggests that the CVE-2025- 53770 patch is, in fact, an effective fix for the vulnerability that CVE-2020-1147 attempted to address five years ago.
The connection to CVE-2020-1147 became evident following the discovery of CVE-2025- 49704 and CVE-2025-49706, patched on July 8. However, these fixes could be bypassed by adding a single forward slash to the exploit payload.

Once Microsoft learned of active exploitation of these vulnerabilities, they responded with comprehensive patches that addressed potential bypass methods, designating the vulnerabilities as CVE-2025-53770 and CVE-2025-53771.

The surge in attacks against SharePoint servers worldwide occurred during the window between initial exploitation and full patch deployment. Despite patches now being available for the ToolShell vulnerabilities, Kaspersky expects attackers will continue exploiting this chain for years to come.

“Many high-profile vulnerabilities remain actively exploited years after discovery —
ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today.

We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit
will soon appear in popular penetration testing tools, ensuring prolonged use by attackers,”
said Boris Larin, principal security researcher at Kaspersky GReAT.

Do connect with us for any queries https://intruceptlabs.com/contact/

(Source: Read full report on Read the full report on Securelist.com)

ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover

Summary : Security Advisory

Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

OEM	Microsoft
Severity	Critical
CVSS Score	9.8
CVEs	CVE-2025-53770, CVE-2025-53771
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
SharePoint Server Remote Code	CVE-2025-53770	SharePoint Server (on-prem)	Critical	9.8
Execution Vulnerability	CVE-2025-53771	SharePoint Server (on-prem)	Medium	6.3

Technical Summary

The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers.

ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild.

The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey which are used to sign the VIEWSTATE payloads.

With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-53770	SharePoint 2016, 2019	Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads	Remote Code Execution, full system compromise
CVE-2025-53771	SharePoint 2016, 2019	Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques	Persistent access without credentials

Remediation: To mitigate potential attacks customers should follow:

Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately:

Apply Security Updates:

SharePoint Server 2019: KB5002741

SharePoint Server 2016: KB5002744

SharePoint Subscription Edition: KB5002768

Enable AMSI Protection:

Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint.

AMSI was turned on by default in Sept 2023 updates for 2016/2019.

Rotate Cryptographic Keys:

Use Update-SPMachineKey (PowerShell) or Central Admin.

Restart IIS using iisreset.exe after key rotation.

Deploy Endpoint Protection:

Use Microsoft Defender for Endpoint or equivalent XDR tools.

CISA Alert and Advisory Inclusion:

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure.

Indicators of Compromise (IOCs):

Type	Value (Obfuscated/Generalized)	Description
IP Address	107.191.58[.]76, 104.238.159[.]149	Observed in initial and second attack waves
User-Agent	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0	User-Agent string seen in exploitation requests
URL Path	POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx	Exploit entry point targeting ToolPane

Conclusion:
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.

The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity.

References: