Microsoft Patched 167 Vulnerabilities Today. One CVE Has Been Exploited Since December.

This is the headline vulnerability of the April patch cycle, and it did not come from Microsoft. Adobe issued an emergency out-of-band patch on April 11 — three days before Patch Tuesday — for CVE-2026-34621, a prototype pollution vulnerability in Adobe Acrobat Reader that enables arbitrary code execution when a victim opens a specially crafted PDF file.

The critical detail is the timeline. Security researcher Haifei Li, founder of EXPMON — a sandbox-based system for detecting advanced file-based exploits — flagged the vulnerability after a suspicious PDF sample was submitted to the platform on March 26. Analysis of related samples on VirusTotal traced exploitation back to at least November 28, 2025. Adobe's emergency patch arrived April 11, 2026. That is a minimum of four months of active exploitation with no patch available.

The exploit mechanism is a prototype pollution attack — a class of vulnerability in JavaScript that allows attackers to manipulate an application's objects by modifying shared prototype attributes. In Acrobat Reader's implementation, successful exploitation allows privileged Acrobat APIs to be called, enabling the exploit to read arbitrary files accessible to the sandboxed Reader process, harvest system information, and beacon to a command-and-control server. A second stage can deliver remote code execution and sandbox escape.

Gi7w0rm, a threat intelligence analyst, noted that the malicious PDFs used Russian-language lures referencing current events in Russia's oil and gas industry. CISA added CVE-2026-34621 to the KEV catalog on April 13, 2026, with a federal remediation deadline of April 27.

The second actively exploited zero-day is CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server that enables unauthenticated network-based spoofing. CISA added it to the KEV catalog on April 14, 2026 — the same day as the patch — with a federal remediation deadline of April 28.

The vulnerability has a CVSS score of 6.5, which understates operational risk. The score reflects a spoofing vulnerability with confidentiality and integrity impact, but no requirement for authentication or special privileges — meaning any attacker with network access to an on-premises SharePoint instance can exploit it. A spoofed, trusted SharePoint environment is a highly effective phishing surface for credential harvesting or malware delivery to employees who trust intranet content implicitly.

Critically, this vulnerability affects on-premises SharePoint only. SharePoint Online and Microsoft 365 are not impacted. Organisations running on-premises SharePoint 2016, 2019, or Subscription Edition need to act today. If patching cannot happen immediately, consider taking the affected SharePoint servers off public-facing internet exposure as an interim measure.

The second zero-day — CVE-2026-33825 in Microsoft Defender — was publicly known before today's patch. The researcher who discovered it published working exploit code after growing frustrated with Microsoft's response timeline. BlueHammer exploits insufficient access-control granularity in Defender to elevate a low-privilege local account to full SYSTEM access.

While public disclosure means this was not a stealth zero-day like the SharePoint flaw, the availability of working exploit code prior to the patch significantly elevates risk. Any threat actor with an existing foothold in an environment could use BlueHammer to escalate to SYSTEM, then pivot, exfiltrate data, disable security tooling, or move laterally. Will Dormann of Tharros confirmed the public exploit code no longer works after installing today's patches.

Beyond the three emergency-tier patches, four more vulnerabilities carry wormable or near-wormable potential and require accelerated deployment on servers and infrastructure.

April 2026 is the second-largest Patch Tuesday in Microsoft's history by CVE count. Dustin Childs of Trend Micro's Zero Day Initiative noted publicly that many vulnerability research programmes are experiencing a significant increase in AI-assisted submissions. 'For us, our incoming rate has essentially tripled, making triage a challenge, to say the least,' he wrote. Adam Barnett of Rapid7 described the April total as 'a new record in that category' once browser vulnerabilities are included, and attributed the increase directly to AI capabilities in vulnerability discovery.

The same dynamic that is producing more CVE reports is also producing faster weaponisation. Attackers are now reverse-engineering patches within 24 hours of release — a pattern consistently documented across Q1 2026 — and using AI tooling to accelerate the path from patch diff to working exploit. This is the structural backdrop behind 'Exploit Wednesday': the day after Patch Tuesday when unpatched systems become actively targeted based on reversed patch content.

Nine actively exploited zero-days from Microsoft across Q1 2026 is a material escalation from historical norms. The cadence reflects a sustained offensive posture by multiple well-resourced threat actors probing Microsoft's stack, combined with an AI-accelerated discovery pipeline generating more findings faster than the patch cycle was designed to absorb.

Today is Patch Tuesday. Tomorrow is Exploit Wednesday.

This phrase has existed in the security industry for years. What has changed in 2026 is the timeline. When this concept was coined, 'Exploit Wednesday' was a general warning about deployment lag. Today it is a literal operational window. Threat actors with AI-assisted reverse engineering capabilities are diffing Microsoft's patches within hours and building functional exploits the same day.

For the three actively exploited vulnerabilities in today's release — the Adobe zero-day, the SharePoint zero-day, and BlueHammer — the answer must be today, not this week. For CVE-2026-33824 (IKE, CVSS 9.8) and CVE-2026-33827 (TCP/IP wormable), apply firewall mitigations now and patch within 48 hours. The question is not whether to patch. It is whether your deployment process is fast enough to close the window before it becomes an entry point.

Attackers reverse-engineer patches within 24 hours of release. Your patch deployment timeline is your exposure window. Measure it.