APRIL Patch Tuesday fixes two zero-days, including one under active attack, remediating 167 vulnerabilities in total. The first flaw, CVE-2026-32201, has a CVSS score of 6.5 and is an improper input validation issue in Microsoft Office SharePoint that could allow an unauthorised attacker to spoof information over a network; one attacker could view and alter disclosed information, and the vulnerability is being exploited in the wild.
The second zero-day, CVE-2026-33825, carries a CVSS score of 7.8 and is an elevation of privilege vulnerability in Microsoft Defender’s anti-malware platform, enabling a local attacker to escalate to SYSTEM and disable security tools, install malware, harvest credentials, and move laterally. According to Microsoft, a zero-day is a flaw for which no official patch or security update is available yet, which helps explain why these two high‑priority issues have drawn attention. The report also notes that public disclosure of the second flaw often lowers the bar for exploitation, reinforcing the need to apply the fixes promptly.