Patch Tuesday: April 2026 (Expel’s version)

By Ben Nahorney, Matt Jastram

April 14, 2026  •  3 minute read


TL;DR

  • This month’s Patch Tuesday includes 167 CVEs, with CVE-2026-32201 (SharePoint) and CVE-2026-33825 (Defender) standing out as high-priority items.
  • The Axios NPM compromise is a reminder that not all critical ‘vulnerabilities’ carry a CVE.
  • We make the case that organizations should extend their vulnerability management posture to include threats like this supply chain compromise.


April has a way of demanding attention all at once. Deadlines loom as tax season approaches, trees and flowers awaken to coat every surface in pollen, and for many households, spring cleaning shifts from a suggestion to an unavoidable necessity. Right on schedule, Microsoft’s Patch Tuesday arrives to remind us that the threat landscape is no different, needing our attention much like our neglected lawns need that first mow. 


Patch Tuesday: April 14, 2026

This month’s release includes 167 CVEs, including two zero-day vulnerabilities. The batch includes 93 elevation of privilege and 20 remote code execution (RCE) vulnerabilities. Here are a couple of vulnerabilities pulled from the list that we think would be wise to address first:

  • Microsoft SharePoint Server Spoofing Vulnerability (CVE-2026-32201): This is an improper input validation vulnerability: SharePoint fails to correctly examine data sent by the user before processing it, so the server accepts malformed or specially crafted input in places like form fields or URL parameters that it should otherwise reject. This could lead to access to restricted information stored on the SharePoint server, where the attacker could view and/or edit the content. Although it carries a CVSS score of only 6.5, Microsoft reports that exploitation of this CVE has been detected in the wild, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog. We recommend patching affected SharePoint Server 2016 and 2019 installations, as well as Microsoft SharePoint Server Subscription Edition.
  • Microsoft Defender Elevation of Privilege Vulnerability (CVE-2026-33825): This publicly disclosed elevation of privilege vulnerability in Microsoft Defender allows an attacker with access to a local, low-privilege user account to gain SYSTEM privileges. Successful exploitation not only bypasses security restrictions but gives the attacker full control of the vulnerable endpoint. Take a moment to update the Microsoft Defender Antimalware Platform so you’re no longer at risk of exploitation.


Axios compromise: A vulnerability by any other name

Vulnerability management exists because software ships with weaknesses, and weaknesses can get exploited. But not all weaknesses carry CVEs.

True, the Axios NPM compromise doesn’t fit neatly into the traditional vulnerability box. But while the vector used to introduce the malicious code differs from a typical coding error, the defender’s response to it does not.

The recent compromise introduced malicious code into a trusted library in much the same way a new commit with an unintentional flaw would, except this flaw was deliberate. Axios versions 1.14.1 and 0.30.4 contained malicious code that executes automatically on install. For a defender, the result is identical to a zero-day because a trusted component suddenly became a vector for RCE within your environment.

The good news is that many organizations already have well-established processes for exactly this situation. You check whether the affected version is in your dependency tree, assess exposure, and update accordingly.

While the goal for most vulnerabilities is to patch before you’re compromised, zero-days are the obvious exception. In many ways, the Axios compromise is akin to undisclosed, active exploitation. Only in this case there isn’t a question of ‘if’ an attack has taken place. The postinstall hook executed within seconds of installation and immediately exfiltrated credentials to the attacker’s infrastructure.

This means that replacing the malicious versions with clean code is only step one. Any system identified as having installed the malicious versions should be treated as compromised, with all secrets, tokens, SSH keys, and cloud credentials rotated. This is the same posture defenders take after a confirmed exploitation of a critical RCE vulnerability, and in most cases, they should be well prepared to roll up their sleeves and tackle it.

The overarching lesson: “Does it have a CVE?” is no longer a sufficient filter for prioritization. This incident produced outcomes that are largely indistinguishable from a critical software vulnerability being actively exploited at scale—a hint of Log4J delivered by the distribution pipeline rather than the code base.

To stay ahead, defenders should consider extending their vulnerability management posture to include dependency integrity as well. Look into enforcing lockfiles, restricting postinstall scripts, and monitoring for egress from build infrastructure.
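The two checks described above, finding the affected versions in your dependency tree and spotting dependencies that run install scripts, can be done from the lockfile alone. The following is an added example written for this post, not Expel’s or the Axios project’s code; it assumes an npm package-lock.json with lockfileVersion 2 or 3 (where npm records `hasInstallScript` for packages that declare install-time scripts), and the sample lockfile and the `some-sdk` and `native-addon` package names in it are constructed.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2/3) for the Axios
// versions the post names as malicious, and list every dependency that
// declares an install script (the hook the Axios compromise abused).

// Versions named in the post. Extend this map for other advisories.
const ADVISORIES = { axios: new Set(["1.14.1", "0.30.4"]) };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walks the "packages" map of a parsed lockfile, including nested copies that
// a transitive dependency pins under its own node_modules directory.
function scanLockfile(lock, advisories = ADVISORIES) {
  const findings = { affected: [], installScripts: [] };
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // "" is the root project itself
    const name = meta.name || packageNameFromPath(lockPath);
    const entry = { path: lockPath, name, version: meta.version };
    const bad = advisories[name];
    if (bad && bad.has(meta.version)) findings.affected.push(entry);
    if (meta.hasInstallScript) findings.installScripts.push(entry);
  }
  return findings;
}

// Reads and scans a real lockfile from disk (Node.js, CommonJS).
function scanLockfilePath(file) {
  const fs = require("fs");
  return scanLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile: the top-level axios is clean, but a dependency
// pins a malicious version beneath itself; an unrelated native add-on also
// runs an install script and is worth a look for the same reason.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.1.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1", hasInstallScript: true },
    "node_modules/native-addon": { version: "0.3.2", hasInstallScript: true },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

Packages listed under `installScripts` are exactly the ones that `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`) would stop from running code at install time, and a system that installed anything under `affected` should go through the credential rotation described above.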

This isn’t just good hygiene; it’s the patch. And unlike most patches, it protects against the entire vector.

That’s all we have for this month’s Patch Tuesday blog. If you have questions about the vulnerabilities discussed here, drop us a line.