Microsoft shipped 167 security fixes on Tuesday 14 April 2026. Two of them cover zero-days that attackers are already exploiting, including one in SharePoint. If your business runs Microsoft 365, or any on-premises SharePoint server, you need the April updates installed before the weekend.
The SharePoint Zero-Day: CVE-2026-32201
The main zero-day is CVE-2026-32201, a spoofing flaw in SharePoint Server. An attacker can make SharePoint treat them as a trusted user, then read sensitive files or quietly edit them without tripping any alarms.
The vulnerability affects SharePoint Server 2016, 2019, Subscription Edition, and any hybrid setup where on-premises SharePoint connects back to Microsoft 365.
This is where most Australian SMEs keep their real business. Contracts, client files, HR records, signed policies. An attacker with spoofed access could rewrite a supplier's bank details on an invoice before it goes out, copy your client list, or drop a poisoned link into a document your staff already trust.
Microsoft has confirmed the flaw is being exploited right now.
If you run SharePoint Server on-premises, or a hybrid tenant, this patch is the priority job for the week.
The Second Zero-Day: Microsoft Defender (CVE-2026-33825)
The second zero-day is CVE-2026-33825, an elevation-of-privilege flaw inside Microsoft Defender itself. The tool most businesses use to protect a Windows laptop can, in this case, be used against them.
An attacker who already has a foothold on a user's machine, perhaps via a phishing click or a compromised browser session, can use this flaw to jump from a regular user account to SYSTEM. That is full control. From a SYSTEM shell they can switch Defender off, pull credentials out of memory, and move laterally to other machines.
Microsoft ships the fix as Antimalware Platform update 4.18.26030.3011. It usually installs automatically, but confirm rather than assume. Run Get-MpComputerStatus in PowerShell on a few machines and check the version.
Other critical fixes worth flagging
Beyond the two zero-days, a few other CVEs deserve attention this month.
CVE-2026-33827 is a remote code execution flaw in Windows TCP/IP. An attacker on the same network can run code on an unpatched machine without any user interaction. CVE-2026-33826 is an RCE in Active Directory, which in most Windows business networks acts as the master keyring. If AD falls, everything falls. CVE-2026-33824 is an RCE in the Windows IKE service and matters mainly if your team uses VPN to get back to the office network.
Word and Excel also picked up several RCE fixes, triggered by opening a malicious document. That is a realistic attack for any business that routinely receives attachments from suppliers or clients, which is most businesses.
What to actually do this week
A practical checklist for any Australian SME.
Confirm Windows Update ran everywhere. Ask your IT provider to push the April cumulative updates to every staff laptop, desktop, and server. If you manage devices through Microsoft Intune, deploy the April update ring now instead of waiting for the normal schedule. Every device should show an install date of 15 April or later.
Prioritise SharePoint Server if you run it. If your business has on-premises SharePoint or a hybrid configuration, this one is priority one. Log into the server, apply the April 2026 security update from Microsoft's download centre, restart the SharePoint service, and then check the authentication logs for anything unusual in the last two weeks. If you are not sure whether you have SharePoint Server (which is different from SharePoint Online inside Microsoft 365), ask your IT provider today.
Check Defender is on the patched platform. Pick a handful of staff machines, run Get-MpComputerStatus in PowerShell, and confirm AMEngineVersion and AMProductVersion are current. If any machine is stuck on an old build, push the update manually.
Remind staff about attachments. With fresh Office RCE flaws in the wild, send a short email to the team. Two rules: if a Word or Excel file turns up unexpectedly, call the sender before opening it. Never click Enable Editing or Enable Content on a document from outside the business. Anything suspicious goes to IT unopened.
Keep a patch log. Write down which devices and servers were updated, and when. A shared spreadsheet is fine. If an incident does happen later, that log saves hours of investigation and is often asked for by insurers and the OAIC.
Monthly patching is not enough any more
2026 has already served up four Chrome zero-days, a critical FortiClient EMS flaw, and now two exploited Microsoft zero-days in a single Patch Tuesday. Attackers are not waiting for anyone's monthly maintenance window.
The old rhythm, where an IT provider picks up critical patches "on the first Tuesday of next month", is now risky. Once a patch ships, attackers often have working exploits within hours.
A small business cyber security posture that keeps up needs a few things: automated patching that applies critical updates within 48 hours, someone specifically responsible when an emergency fix drops, a way to confirm patches actually landed rather than just being scheduled, and a rollback plan for the rare occasion a Microsoft update causes problems.
If your current IT arrangement does not look like this, April is a reasonable month to raise it.
April's Patch Tuesday is unusually heavy. A SharePoint zero-day is being exploited in the wild, a Defender flaw hands attackers full control of a Windows machine, and several network-level RCE bugs sit underneath. Every business running Microsoft products should have the April updates installed across every laptop, desktop, and server by the end of this week.
If nothing else, ask your IT provider two things. Have the April 2026 updates been applied everywhere, and how fast could you patch if the next critical flaw landed on a Friday night. The answers tell you where you actually stand.
If you want help getting ahead of this, talk to Cubit Cyber. We help Australian businesses patch faster and stop flaws turning into incidents.