April Patch Tuesday Is a Five-Alarm Fire
163 CVEs, a wormable 9.8, and your antivirus is the vulnerability
This is an IT Support Group
Tuesday Deep Dive
163 CVEs. A wormable 9.8. An AD RCE. Three Defender zero-days. Two still unpatched. Sleep is optional.

GM IT pros!
Happy Tuesday! Welcome to the deep dive, where we pick one topic and rip it apart so you don't have to read 47 security advisories before your coffee kicks in.
-Stetson
163 CVEs, a wormable RCE, Active Directory under siege, and your antivirus might be working against you
The Big Picture: Why This One Matters More Than Most
Every month I tell you to patch. Every month some of you don't. I get it: change windows are tight, testing takes time, and half your fleet is still running something that should've been retired during the Obama administration.
But April 2026 Patch Tuesday is different. Microsoft just dropped its second-largest Patch Tuesday ever: 163 CVEs across Windows, Office, SharePoint, .NET, Azure, Defender, SQL Server, and more. Eight are rated critical. Two were already being exploited as zero-days before the patches even dropped. And the crown jewel? A CVSS 9.8 wormable RCE that requires zero authentication and zero user interaction, and hits any Windows host where the IKE service is listening (IPsec tunnels, VPN, DirectAccess).
If you manage Windows infrastructure, this is your "cancel the afternoon meetings" moment. Let me walk you through what matters, what to patch first, and what Microsoft still hasn't fixed.
The Headliner: CVE-2026-33824, a Wormable IKE RCE (CVSS 9.8)
Let's start with the one that should have you reaching for the emergency change request form.
CVE-2026-33824 is a critical double-free memory corruption bug in Windows Internet Key Exchange (IKE) Service Extensions (the IKEEXT service). In plain English: an unauthenticated attacker can send specially crafted UDP packets to port 500 or 4500 and achieve SYSTEM-level remote code execution on any Windows host with IKEv2 enabled.
Read that again. No credentials required. No user interaction. Network-accessible. Low complexity. That is the full CVSS 9.8 vector: network attack vector, low complexity, no privileges, no interaction.
If you're running IPsec VPN tunnels, site-to-site connections, or DirectAccess (yes, some of you still are), your servers are listening on those ports right now. This is the kind of vulnerability that worm authors dream about β one packet, full SYSTEM access, and it can propagate across every reachable host.
What to do right now:
- Patch immediately: every supported Windows version is affected
- If you can't patch today, block inbound UDP 500/4500 from untrusted sources at the edge and on the host
- If you don't use IKE at all, disable the IKEEXT service (check first: it also hosts the AuthIP keying module, so any IPsec policy on the box depends on it)
- Audit your firewall rules: these ports should never be open to the internet without strict source filtering
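The four steps above, as one read-only triage script. This is an added example, not code from the newsletter or from Microsoft: it reports the IKEEXT service state, which process has UDP 500/4500 bound, whether anything on the host (RRAS, active IPsec rules) actually needs IKE, and which inbound allow rules admit those ports. The two remediation actions only run when you pass the switches, and the trusted peer range is a placeholder you must replace.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the newsletter. Read-only unless a switch is passed.
# $TrustedIkePeers is a placeholder (TEST-NET-3); replace it with your real VPN peers/gateways.
param(
    [string[]]$TrustedIkePeers = @('203.0.113.0/24'),
    [switch]$DisableIkeIfUnused,   # newsletter's advice for hosts that never use IKE
    [switch]$ScopeAllowRules       # newsletter's advice for hosts that do: strict source filtering
)

# 1. Service state. IKEEXT hosts both the IKE and AuthIP keying modules, so IPsec policy depends on it.
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
if (-not $ike) { Write-Host 'IKEEXT is not installed on this host; nothing to do.'; return }
Write-Host ("IKEEXT: {0}, startup {1}" -f $ike.Status, $ike.StartType)

# 2. Exposure: UDP 500 (IKE) and 4500 (IKE NAT-T) bound right now, and by which process.
foreach ($ep in Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue) {
    $p = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("  UDP {0} bound on {1} by PID {2} ({3})" -f $ep.LocalPort, $ep.LocalAddress, $ep.OwningProcess, $p.ProcessName)
}

# 3. Dependency check: RRAS/DirectAccess and active IPsec rules are the usual IKE consumers.
$rras       = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$rrasUp     = [bool]($rras -and $rras.Status -eq 'Running')
$ipsecRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
$ikeInUse   = $rrasUp -or ($ipsecRules.Count -gt 0)
Write-Host ("RemoteAccess running: {0}; active IPsec rules: {1}; IKE in use: {2}" -f $rrasUp, $ipsecRules.Count, $ikeInUse)

# 4. Enabled inbound allow rules that explicitly admit UDP 500 or 4500, and from which remote addresses.
#    Rules with LocalPort 'Any' are deliberately not matched here; review those by hand.
$ikeAllowRules = @(Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { ($_.LocalPort -contains '500') -or ($_.LocalPort -contains '4500') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
foreach ($r in $ikeAllowRules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Host ("  allow rule '{0}' (profile {1}) admits from: {2}" -f $r.DisplayName, $r.Profile, $remote)
}

# 5. Compensating controls (opt-in).
if ($DisableIkeIfUnused) {
    if ($ikeInUse) {
        Write-Warning 'IKE appears to be in use on this host; not disabling IKEEXT.'
    } else {
        Stop-Service -Name IKEEXT -Force
        Set-Service  -Name IKEEXT -StartupType Disabled
        Write-Host 'IKEEXT stopped and disabled.'
    }
}
if ($ScopeAllowRules -and $ikeAllowRules.Count -gt 0) {
    # Narrow each matching allow rule to the trusted peers. The inbound default policy denies everything else.
    # A Block rule cannot serve as an allow-list, because Block always wins over Allow in Windows Firewall.
    $ikeAllowRules | Set-NetFirewallRule -RemoteAddress $TrustedIkePeers
    Write-Host ("Scoped {0} rule(s) to {1}." -f $ikeAllowRules.Count, ($TrustedIkePeers -join ','))
}
# Whatever the host-level result, confirm at the edge firewall that UDP 500/4500 from the internet is dropped:
# an IKE probe from an untrusted source should get no response at all.
```

Run it once without switches on a representative VPN host and on a plain member server; the dependency line tells you which of the two remediation switches applies. The scoping path tightens only rules that name the ports explicitly, so a permissive "allow everything from subnet X" rule still needs a human.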
The Enterprise Nightmare: CVE-2026-33826, an Active Directory RCE (CVSS 8.0)
As if a wormable IKE bug wasn't enough, Microsoft also patched a remote code execution vulnerability in Active Directory itself. CVE-2026-33826 exploits improper input validation in AD's RPC handling.
An authenticated attacker β even one with low-privilege credentials β can send a crafted RPC call to a domain controller and execute code with the same permissions as the RPC service. Microsoft's assessment: "Exploitation More Likely." And there are already five public proof-of-concept exploits on GitHub.
The attack vector is scored as Adjacent, so the attacker needs a network position that can reach the domain controller's RPC endpoints; this isn't an "anyone on the internet can pop your DC" scenario. But let's be real: if an attacker has any foothold in your network and a set of compromised credentials (which, statistically, they probably do), your domain controllers are fair game.
Every major Windows Server version is affected: 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025. Standard and Server Core.
What to do right now:
- Patch your DCs first: they are the keys to the kingdom
- Apply KB5082063 (Server 2025), KB5082142 (Server 2022), KB5082123, KB5082198, KB5082126 for older versions
- Enforce network segmentation to restrict RPC access to domain controllers
- Review your privileged access strategy: even low-privilege accounts can trigger this
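A fleet-wide check that the KBs listed above are actually on every domain controller. This is an added example, not code from the newsletter; it assumes the ActiveDirectory RSAT module and WinRM access to each DC. The KB-to-OS mapping is taken from the bullet above as written: the newsletter does not say which of the three "older versions" KBs belongs to which OS, so those three are treated as a set.

```powershell
# Added example, not code from the newsletter. Needs the ActiveDirectory RSAT module and WinRM to each DC.
Import-Module ActiveDirectory

# KB-to-OS map exactly as the newsletter gives it. The three "older versions" KBs are checked as a set
# because the page does not map them to individual OS versions.
$KbByOs = [ordered]@{
    'Windows Server 2025' = @('KB5082063')
    'Windows Server 2022' = @('KB5082142')
    'older'               = @('KB5082123', 'KB5082198', 'KB5082126')
}

function Get-ExpectedKb([string]$OperatingSystem) {
    foreach ($os in $KbByOs.Keys) {
        if ($os -ne 'older' -and $OperatingSystem -like "$os*") { return $KbByOs[$os] }
    }
    return $KbByOs['older']
}

function Test-DcPatchState {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][string]$OperatingSystem)
    $expected = Get-ExpectedKb $OperatingSystem
    try {
        $remote = Invoke-Command -ComputerName $HostName -ErrorAction Stop -ScriptBlock {
            $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            [pscustomobject]@{
                HotFixes = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
                Build    = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
            }
        }
        $found = @($remote.HotFixes | Where-Object { $expected -contains $_ })
        # Get-HotFix lists the cumulative update currently installed. A later LCU supersedes this month's KB
        # and the KB then no longer appears, so "KB not listed" must be checked against the OS build
        # (the Build column) before it is treated as unpatched.
        $state = if ($found.Count -gt 0) { 'Patched' } else { 'KB not listed: verify build' }
        [pscustomobject]@{ DC = $HostName; OS = $OperatingSystem; Build = $remote.Build
                           Expected = ($expected -join '/'); Found = ($found -join '/'); State = $state }
    } catch {
        [pscustomobject]@{ DC = $HostName; OS = $OperatingSystem; Build = '?'
                           Expected = ($expected -join '/'); Found = ''; State = "Unreachable: $($_.Exception.Message)" }
    }
}

# Every DC in every domain of the forest, not just the current domain.
(Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Sort-Object HostName |
    ForEach-Object { Test-DcPatchState -HostName $_.HostName -OperatingSystem $_.OperatingSystem } |
    Format-Table -AutoSize
```

Anything reported as Unreachable is a DC you cannot currently verify, which for this CVE is the same as unpatched until proven otherwise.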
The Sneaky One: CVE-2026-32202, a Windows Shell Zero-Day (Actively Exploited by APT28)
Here's where it gets spicy. Microsoft quietly revised its advisory on April 27th, yesterday, to confirm that CVE-2026-32202, a Windows Shell spoofing vulnerability, has been actively exploited in the wild.
The backstory makes it worse. This flaw is actually an incomplete patch for an earlier vulnerability (CVE-2026-21510) that was already being weaponized by APT28, Russia's military intelligence hackers, in campaigns targeting Ukraine and EU nations. Microsoft fixed the original RCE, but left behind an authentication coercion flaw that enables zero-click credential theft via auto-parsed .LNK files.
Translation: a malicious shortcut file lands on your system, Windows Shell automatically parses it, and your credentials get coerced to an attacker-controlled server. No clicks required. The user doesn't even have to open the file β just browsing to the folder containing it is enough.
The CVSS score is only 4.3, which is why this probably flew under your radar. Don't let the low score fool you β it's being used by a nation-state actor right now.
What to do right now:
- Patch, obviously
- Block outbound NTLM authentication to external hosts (you should be doing this already)
- Monitor for suspicious .LNK file creation in user-accessible shares
- If you haven't disabled NTLM where possible... this is your sign
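Two of the bullets above as working controls: restricting outgoing NTLM, and hunting shares for shortcut files that point at a remote host. This is an added example, not code from the newsletter or the advisory. The NTLM function writes the registry values behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy. The shortcut heuristic (flag any .LNK whose target, icon or working directory is a UNC path to a host outside your allow-list) is our own; the advisory does not say which shortcut field the coercion uses, so treat hits as leads, not verdicts. Share paths and host names are placeholders.

```powershell
# Added example, not code from the newsletter. Run elevated for the NTLM policy function.

# --- Control 1: restrict outgoing NTLM. This is the registry value behind the policy
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
# 0 = allow all, 1 = audit all, 2 = deny all (with exceptions in ClientAllowedNTLMServers).
# Start in Audit; Event ID 8001 in Microsoft-Windows-NTLM/Operational then shows what Deny would break.
function Set-OutgoingNtlmRestriction {
    param(
        [ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode = 'Audit',
        [string[]]$AllowedServers = @()      # servers that may still receive NTLM when Mode is Deny
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $key -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
    Get-ItemProperty -Path $key | Select-Object RestrictSendingNTLMTraffic, ClientAllowedNTLMServers
}

# --- Control 2: hunt for fresh shortcuts in user-writable shares that reference a remote host.
# Explorer resolves a shortcut's target and icon when it renders the folder, which is why a planted
# .LNK needs no click. Heuristic: any UNC path in those fields to a host we do not recognise.
function Find-SuspiciousLnk {
    param(
        [Parameter(Mandatory)][string[]]$SharePaths,   # e.g. '\\fs01\public' (placeholder)
        [string[]]$AllowedUncHosts = @(),               # hosts that legitimately appear in shortcuts
        [int]$NewerThanHours = 24
    )
    $shell  = New-Object -ComObject WScript.Shell
    $cutoff = (Get-Date).AddHours(-$NewerThanHours)
    foreach ($root in $SharePaths) {
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                foreach ($field in 'TargetPath', 'IconLocation', 'WorkingDirectory') {
                    $v = [string]$lnk.$field
                    if ($v -match '^\\\\([^\\]+)\\') {          # starts with \\host\
                        $remoteHost = $Matches[1]
                        if ($AllowedUncHosts -notcontains $remoteHost) {
                            [pscustomobject]@{
                                File    = $_.FullName
                                Field   = $field
                                Value   = $v
                                Host    = $remoteHost
                                Created = $_.CreationTime
                                Owner   = (Get-Acl -Path $_.FullName).Owner
                            }
                        }
                    }
                }
            }
    }
}

# Usage (paths and hosts are placeholders):
# Set-OutgoingNtlmRestriction -Mode Audit
# Find-SuspiciousLnk -SharePaths '\\fs01\public', '\\fs01\dropbox' -AllowedUncHosts 'fs01', 'print01' | Format-Table
```

The Owner column is the first thing to look at on a hit: a shortcut in a shared folder whose owner is an account that has no business writing there is exactly the planting behaviour this bug rewards. Move to Deny only after the 8001 audit events have gone quiet for the servers you care about.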
The Plot Twist: Your Antivirus Is the Vulnerability
This is the part that hurts. Three zero-day exploits targeting Microsoft Defender itself were confirmed actively exploited as of April 10th. Microsoft has patched one. Two remain unpatched across all supported Windows versions.
The patched one is BlueHammer (CVE-2026-33825, CVSS 7.8) β a time-of-check to time-of-use race condition in Defender's threat remediation engine. The attack uses opportunistic locks to pause Defender mid-operation, then redirects a SYSTEM-level file write to C:\Windows\System32, allowing an attacker to overwrite system binaries and achieve SYSTEM privileges. CISA added it to the Known Exploited Vulnerabilities catalog on April 22nd with a federal patch deadline of May 6th.
The two unpatched ones β nicknamed RedSun and UnDefend β are still being tracked by Huntress. No CVEs assigned yet. No patches available. Your endpoint protection product is, in these specific scenarios, an attack surface.
What to do right now:
- Apply the BlueHammer patch (CVE-2026-33825) immediately
- For RedSun and UnDefend: monitor Huntress and Microsoft advisories for updates
- Consider layered endpoint protection; don't rely solely on Defender
- Review your EDR alerting for suspicious oplock behavior and System32 file modifications
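One concrete detection for the last bullet. The BlueHammer chain, as described above, ends with Defender's own SYSTEM-level file write being redirected into C:\Windows\System32, so a file-create event in System32 whose source process is the Defender engine is the observable to alert on. This is an added example, not code from the newsletter, Huntress or Microsoft; it assumes Sysmon is installed with FileCreate (Event ID 11) logging and uses the Sysmon field names Image and TargetFilename. The sample records at the end are constructed for an offline check, not real telemetry, and the Defender platform path in them is illustrative.

```powershell
# Added example, not code from the newsletter. Assumes Sysmon with Event ID 11 (FileCreate) enabled.

# The rule: a file created under System32 by the Defender engine. MsMpEng.exe runs as SYSTEM and has
# no routine reason to create files there, so every hit is worth a human look.
function Test-DefenderSystem32Write {
    param([Parameter(Mandatory)][string]$Image, [Parameter(Mandatory)][string]$TargetFilename)
    $system32     = Join-Path $env:windir 'System32'
    $fromDefender = $Image -match '\\(MsMpEng|MpCmdRun)\.exe$'
    $intoSystem32 = $TargetFilename.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
    return [bool]($fromDefender -and $intoSystem32)
}

# Pull recent Sysmon FileCreate events and apply the rule.
function Get-DefenderSystem32Writes {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['Image'] -and $d['TargetFilename'] -and
            (Test-DefenderSystem32Write -Image $d['Image'] -TargetFilename $d['TargetFilename'])) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Image  = $d['Image']
                Target = $d['TargetFilename']
                User   = $d['User']
                PID    = $d['ProcessId']
            }
        }
    }
}

# Defender engine/platform versions, to compare against the advisory's fixed build.
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion

# Offline check with constructed records (not real events). Only the first should be a hit.
$samples = @(
    @{ Image = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe'; TargetFilename = 'C:\Windows\System32\example.dll' },
    @{ Image = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe'; TargetFilename = 'C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\x' },
    @{ Image = 'C:\Windows\System32\svchost.exe'; TargetFilename = 'C:\Windows\System32\example.dll' }
)
$samples | ForEach-Object {
    [pscustomobject]@{
        Image  = $_.Image
        Target = $_.TargetFilename
        Hit    = Test-DefenderSystem32Write -Image $_.Image -TargetFilename $_.TargetFilename
    }
} | Format-Table -AutoSize

# Live hunt over the last day:
Get-DefenderSystem32Writes -Hours 24 | Format-Table -AutoSize
```

The same predicate ports directly to a SIEM query (Sysmon EventID 11, Image ends with MsMpEng.exe, TargetFilename starts with C:\Windows\System32). It will not see the oplock itself, which has no standard event; what it catches is the outcome the oplock is used to reach.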
The Triage Cheat Sheet
Because I know you're going to forward this to your team and say "handle it," here's the priority order:
CRITICAL, patch this week (ideally today):
1. CVE-2026-33824: IKE wormable RCE (CVSS 9.8); every VPN/IPsec host
2. CVE-2026-33826: Active Directory RCE (CVSS 8.0); every domain controller
3. CVE-2026-33825: BlueHammer Defender privilege escalation (CVSS 7.8); every endpoint
HIGH, patch this week:
4. CVE-2026-32202: Windows Shell zero-day (actively exploited by APT28)
5. CVE-2026-32201: SharePoint zero-day (actively exploited in the wild)
MONITOR, no patch available yet:
6. RedSun: Defender zero-day (unpatched)
7. UnDefend: Defender zero-day (unpatched)
For the full list of 163 CVEs, Tenable and CrowdStrike both have excellent breakdowns linked in the sources below.
The Bigger Takeaway
This Patch Tuesday is a case study in why "we'll get to it next maintenance window" doesn't cut it anymore. We've got a wormable RCE, an Active Directory code execution bug with public PoCs, a nation-state exploiting an incomplete patch, and the security product that's supposed to protect you being turned into a privilege escalation tool.
The attack surface isn't shrinking. The time between disclosure and exploitation isn't growing. And the gap between "patch available" and "patch applied" is where breaches live.
If you're fighting with change management boards about emergency patching windows, forward them this newsletter. If they still say no, forward them your resume β because you'll need it after the incident report.
A Quick Word From The Shameless Plug Department
You know what helps when you need to rapidly triage 163 CVEs across a fleet? Actually knowing your way around a terminal. Shell Samurai is an interactive Linux CLI learning app I built for exactly this β hands-on practice with the commands you actually use in production. Basic plan is $30, Complete is $60. Check it out here. Shameless plug, zero regrets.
In a World of AI Agents: Intent > Identity
AI-powered bots aren't just logging in anymore. They're mimicking real users, slipping past identity checks, and scaling attacks faster than ever.
Thousands of companies worldwide trust hCaptcha to protect their online services from automated threats while preserving user privacy.
Now is the time to take control of your security.
Sources & Further Reading:
- Tenable: April 2026 Patch Tuesday Analysis
- CrowdStrike: April 2026 Patch Tuesday
- The Hacker News: Three Microsoft Defender Zero-Days
- The Hacker News: Windows Shell CVE-2026-32202
- Krebs on Security: Patch Tuesday April 2026
That's the deep dive for this week. Go patch something.
Stay paranoid. Stay patched. See you Friday.
-Stetson

