Source: Qualys Security Blog
Author: Diksha Ojha
URL: https://blog.qualys.com/vulnerabilities-threat-research/2026/04/14/microsoft-and-adobe-patch-tuesday-april-2026-security-update-review
ONE SENTENCE SUMMARY:
April 2026 Patch Tuesday fixes 247 Microsoft flaws and 56 Adobe bugs, including exploited zero-days, emphasizing rapid enterprise patching today.
MAIN POINTS:
- Microsoft remediated 247 vulnerabilities: eight critical and 154 important across its ecosystem.
- Two zero-days were addressed, including one publicly disclosed and one exploited in-the-wild.
- Edge (Chromium) resolved 80 additional issues earlier in the month, separate from Patch Tuesday.
- Elevation-of-privilege dominated counts, totaling 93 important-severity vulnerabilities this cycle.
- Remote code execution totaled 20 issues, including seven rated critical.
- CVE-2026-33825 allows Defender local privilege escalation via insufficient access-control granularity.
- CVE-2026-32201 enables SharePoint network spoofing and appears in CISA’s KEV catalog.
- Critical RCE patches include Remote Desktop Client, Active Directory RPC, TCP/IP IPv6, and IKEv2 components.
- Notable bypass and spoofing fixes affect Windows Hello, Boot Loader, Shell, BitLocker, and Remote Desktop.
- Adobe issued 12 advisories covering 56 flaws; 38 are critical across major creative/server products.
TAKEAWAYS:
- Prioritize patching the exploited SharePoint spoofing and Defender privilege-escalation zero-days first.
- Focus remediation on RCE surfaces exposed to networks, especially TCP/IP, IKEv2, AD, and RDP.
- Address privilege-escalation weaknesses broadly, since they represent the largest vulnerability category.
- Incorporate Adobe updates into the same sprint, given high criticality and code-execution impact.
- Align operations with May 12’s next Patch Tuesday while tracking KEV-driven deadlines and SLAs.