
Patch Tuesday April 2026

Brock Bingham | April 14, 2026

It's April 14, which means one of two things is about to ruin your day: taxes or patches. If you're one of those overachievers who filed back in January, congratulations, you only have one crisis to deal with today. For the rest of us, we're juggling Microsoft updates and a desperate search for receipts we swore we saved somewhere. At least with Patch Tuesday, Microsoft tells you exactly what's broken. The IRS just lets you figure that out on your own.

Let's put the W-2s aside for a moment and take a look at what Microsoft is delivering this month. Spoiler alert: I wouldn’t expect any refunds.

Severity

  • Total vulnerabilities patched: 163

  • Critical patches: 8

  • Important: 154

  • Moderate: 1

  • Low: 0

Vulnerability impact

  • Remote code execution: 20

  • Elevation of privilege: 93

  • Information disclosure: 20

  • Spoofing: 8

  • Tampering: 1

  • Denial of service: 9

  • Feature bypass: 12

Availability

  • Publicly disclosed: 1

  • Actively exploited: 1

Some highlights (or lowlights)

  • CVE-2026-33824: Our highest-rated CVE of the month is CVE-2026-33824, a critical remote code execution vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions, coming in at a 9.8. For those unfamiliar, IKE handles VPN and IPsec negotiations, so this one hits close to home for anyone relying on those services. With a network attack vector and no privileges or user interaction required, this is about as bad as it gets without already being exploited in the wild. If you run VPN or IPsec services on your Windows servers, stop reading and start patching.

  • CVE-2026-32190: Microsoft Office is under siege this month. CVE-2026-32190 is one of three critical Office RCE vulnerabilities rated 8.4, joined by two critical Word RCEs. But that's just the tip of the iceberg. Below the surface, there are seven more RCE vulnerabilities rated 7.8 spread across Word, Excel, and PowerPoint, plus a couple of information disclosure CVEs for good measure. That's thirteen Office-related vulnerabilities in a single release. At this point, Microsoft Office has more holes than my tax return. If your organization runs Office, prioritize the three critical patches and then work your way down. If your organization runs Google Workspace, congratulations on dodging this particular bullet. Again.

  • CVE-2026-33825 & CVE-2026-32201: We're wrapping up with a two-for-one featuring our only publicly known and actively exploited CVEs this month. CVE-2026-33825 is a publicly known elevation of privilege vulnerability targeting Microsoft Defender. Yes, the thing that's supposed to protect you needs protecting. The irony is not lost on me. Meanwhile, CVE-2026-32201 is a SharePoint Server spoofing vulnerability that's already being actively exploited in the wild. Neither of these is rated particularly high, but "publicly known" and "actively exploited" are phrases that should get your attention regardless of the CVSS score.

Other notable mentions 

This month is absolutely dominated by elevation of privilege vulnerabilities, with roughly 93 of the 167 CVEs falling into that category. That's over half the release dedicated to keeping bad actors from climbing the privilege ladder. Also worth noting, Print Spooler made yet another appearance with CVE-2026-33101 and CVE-2026-32084, proving once again that PrintNightmare's legacy is the gift that keeps on giving. And finally, WSUS picked up three CVEs of its own this month (CVE-2026-26154, CVE-2026-26174, CVE-2026-32224), which is hilarious for a service that is stuck in this weird deprecated-but-not-deprecated limbo.

Wrapping up

That wraps up another Patch Tuesday recap. Between taxes and patch deployments, sysadmins have their hands full this month.

And if you find yourself struggling to get your patch management under control, PDQ Connect can help streamline or even automate the entire process for you. You're on your own with the IRS though. I'm not a CPA; I just patch things.

Brock Bingham

Brock Bingham is a systems administrator with 15 years of experience managing endpoints and servers, with a strong focus on automation, patching, security, and maintaining stable environments at scale. After years of hands-on IT work, he now creates content and teaches, helping other admins learn through practical, real-world guidance.
