CVE-2026-32201 PUBLISHED KEV CVSS 5.4 MEDIUM

Microsoft has released multiple patches for vulnerabilities covering a range of its products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software. The CCB would like to draw your attention to the following vulnerabilities:

CVE-2026-32201: Microsoft SharePoint (Zero-day, Actively exploited) Spoofing Vulnerability. Microsoft does not specify how this zero-day vulnerability is being exploited. However, according to Zero Day Initiative, spoofing bugs in SharePoint often manifest as cross-site scripting (XSS) bugs. An attacker who successfully exploited the vulnerability could view some sensitive information and make changes to disclosed information. Note that there is another vulnerability affecting SharePoint included in this Patch Tuesday: CVE-2026-20945 is also a spoofing vulnerability, and it can be exploited via cross-site scripting. Microsoft indicates that there might be multiple update packages for this software and that all applicable updates should be installed.

CVE-2026-33825: Microsoft Defender (Zero-day) Elevation of Privilege Vulnerability. This flaw, rated as important, lies in insufficient granularity of access control in Microsoft Defender, which allows an authorized attacker to elevate privileges locally. The description of the flaw matches that of BlueHammer, zero-day exploit code released publicly earlier in April. Note that no action is required to install this update, as this happens automatically.

CVE-2026-33826: Windows Active Directory Remote Code Execution Vulnerability. There is a critical flaw in Windows Active Directory where improper input validation allows an authorized attacker to execute code over an adjacent network. To exploit this vulnerability, an authenticated attacker would need to send a specially crafted RPC call to an RPC host, resulting in code execution with the same permissions as the RPC host. The attacker needs to be in the same restricted Active Directory domain as the target system for exploitation to be successful. Given the prevalence of Active Directory in enterprise environments, threat actors are likely to attempt to use this vulnerability to establish a foothold for lateral movement inside organizations, steal data and deploy malware. Note that Microsoft assesses exploitation to be “more likely”.

CVE-2026-33824: Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability. This critical vulnerability can be exploited by an unauthenticated attacker by sending crafted packets to a target with IKE version 2 enabled. If immediate patching cannot be performed, mitigation is available in the form of firewall rules. Microsoft assesses exploitation to be “less likely”.

CVE-2026-33827: Windows TCP/IP Remote Code Execution Vulnerability. There is a race condition that allows a remote, unauthorized attacker to achieve code execution without user interaction. Successful exploitation of a machine requires the unauthenticated attacker to send a specially crafted IPv6 packet to a Windows node where IPSec is enabled. Microsoft assesses exploitation to be “less likely”.

CVE-2026-27913: Windows BitLocker Security Feature Bypass Vulnerability. This vulnerability is rated as important. It lies in improper input validation in Windows BitLocker. Successful exploitation could allow an attacker to bypass Secure Boot, a UEFI firmware security feature used to ensure that only trusted and properly signed software runs during the startup process. Microsoft assesses exploitation to be “more likely”.

CVE-2026-26151: Windows Remote Desktop Spoofing Vulnerability. There is insufficient UI warning of dangerous operations in Windows Remote Desktop that allows an unauthorized attacker to perform spoofing over a network. Successful exploitation requires the user to view attacker-controlled content. To achieve this, a remote attacker could send the targeted user a specially crafted file. Microsoft assesses exploitation to be “more likely”. Starting with the April 2026 Security Update, users will receive a warning when attempting to open a Remote Desktop Protocol (RDP) file. More information about it can be found here: https://go.microsoft.com/fwlink/?linkid=2347342

Risk Scores

CVSS v4.0
5.4
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
