
Microsoft March and April 2026 Patch Tuesdays Address Multiple Zero-Days and Critical Flaws

5 unique sources, 12 articles

Summary


Microsoft’s multi-month Patch Tuesday campaign continues with the April 2026 release addressing 167 security vulnerabilities in Windows and related software, including two actively exploited zero-days (CVE-2026-32201 in SharePoint Server and CVE-2026-33825 in Microsoft Defender). Nearly 60% of the patched flaws are elevation-of-privilege bugs, the highest proportion in eight months, while eight Critical vulnerabilities were addressed, including unauthenticated remote code execution flaws in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) and secure tunneling components (CVE-2026-33827, CVSS 8.1).

Following the April updates, threat actors are now exploiting two additional unpatched Microsoft Defender zero-days—RedSun and UnDefend—alongside the patched CVE-2026-33825 (BlueHammer). Exploitation activity has been observed since April 10, 2026, with RedSun and UnDefend PoCs deployed on April 16, 2026, featuring hands-on-keyboard techniques such as whoami /priv, cmdkey /list, and net group commands. Huntress confirmed real-world exploitation and took steps to isolate compromised systems to prevent post-exploitation damage. Threat actors have also been observed chaining these flaws with other vulnerabilities to achieve full endpoint control.

Microsoft issued out-of-band emergency patches for CVE-2026-40372, a critical ASP.NET Core privilege escalation vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw enables unauthenticated attackers to gain SYSTEM privileges by forging authentication cookies, stemming from a regression in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 packages. Microsoft recommends updating to version 10.0.7 and rotating the DataProtection key ring to fully remediate.

The April updates were distributed through Windows 11 cumulative updates KB5083769 (for versions 25H2/24H2) and KB5082052 (for 23H2), changing build numbers to 26200.8246 (25H2), 26100.8246 (24H2), and 22631.6936 (23H2). Windows 10 Enterprise LTSC and ESU participants received the April fixes via KB5082200, updating to build 19045.7184 (Windows 10) or 19044.7184 (Windows 10 Enterprise LTSC 2021).
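
The build numbers and the DataProtection package range quoted above are exactly what a fleet audit checks mechanically: is every host on or past the April baseline for its OS line, and does any web host still carry a regressed Microsoft.AspNetCore.DataProtection package? The following Python is an added example, not code from CyberHappenings or from Microsoft. The baseline builds, KB numbers and the 10.0.0 to 10.0.6 range come from the summary; the CSV inventory format, the OS labels (win11-25h2 and so on) and the host names are constructed for illustration.

```python
"""Patch-compliance audit against the April 2026 build baselines and the
regressed ASP.NET Core DataProtection range. Added example: inventory
format, OS labels and host names are constructed, not real assets."""
import csv
import io
import re

# Minimum (major build, UBR) carrying the April 2026 cumulative update, per the
# KB numbers in the summary. Keys are the labels used by our constructed inventory.
APRIL_2026_MIN_BUILD = {
    "win11-25h2": (26200, 8246),      # KB5083769
    "win11-24h2": (26100, 8246),      # KB5083769
    "win11-23h2": (22631, 6936),      # KB5082052
    "win10-22h2": (19045, 7184),      # KB5082200
    "win10-ltsc2021": (19044, 7184),  # KB5082200
}

# Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 regressed
# (CVE-2026-40372); 10.0.7 is the fixed release.
DP_VULN_MIN = (10, 0, 0)
DP_VULN_MAX = (10, 0, 6)

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)$")


def parse_build(text):
    """'26200.8246' -> (26200, 8246); raises ValueError on anything else."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_version(text):
    """'10.0.6' -> (10, 0, 6). A prerelease suffix such as '-rc.1' is dropped."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def has_april_2026_update(os_label, build):
    """True when the build is at or above the April 2026 baseline for its OS line.
    Unknown OS labels are reported as non-compliant so they surface for review."""
    baseline = APRIL_2026_MIN_BUILD.get(os_label)
    if baseline is None:
        return False
    major, ubr = parse_build(build)
    # A different major build is a different OS release; the UBR is only
    # comparable when the major build matches the expected line.
    return major == baseline[0] and ubr >= baseline[1]


def dataprotection_vulnerable(version):
    """True for the regressed 10.0.0-10.0.6 range of Microsoft.AspNetCore.DataProtection."""
    return DP_VULN_MIN <= parse_version(version) <= DP_VULN_MAX


def audit(inventory_csv):
    """Return (host, finding) pairs for hosts that still need action.
    Inventory columns: host,os,build,dataprotection (blank when not installed)."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not has_april_2026_update(row["os"], row["build"]):
            findings.append((row["host"], f"missing April 2026 CU (build {row['build']})"))
        dp = (row.get("dataprotection") or "").strip()
        if dp and dataprotection_vulnerable(dp):
            findings.append((row["host"],
                             f"DataProtection {dp} in vulnerable range; update to 10.0.7 and rotate the key ring"))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """host,os,build,dataprotection
ws-01,win11-25h2,26200.8246,
ws-02,win11-24h2,26100.8100,
srv-web,win11-23h2,22631.6936,10.0.6
srv-old,win10-22h2,19045.7184,10.0.7
srv-ltsc,win10-ltsc2021,19044.7000,
"""

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Two design points: the major build is compared for equality rather than ordering, because a 26100 host being "below" 26200 says nothing about its patch state, only about which release line it is on; and a host whose DataProtection package is already 10.0.7 is not closed out by the version check alone, since the summary is explicit that the key ring must also be rotated.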

Timeline

  1. 14.04.2026 20:41 7 articles · 8d ago

    Microsoft April 2026 Patch Tuesday addresses 167 flaws including two zero-days

    Adds newly observed exploitation context for the Microsoft Defender zero-days:

    - Confirms CVE-2026-33825 (BlueHammer) was patched in the April 2026 Patch Tuesday but remains a key target; exploitation activity dates to April 10, 2026, with further deployment of RedSun and UnDefend PoCs on April 16, 2026
    - Documents hands-on-keyboard threat actor activity (e.g., whoami /priv, cmdkey /list, net group) during exploitation of the Microsoft Defender flaws
    - Huntress observed exploitation of BlueHammer, RedSun, and UnDefend in compromised environments and took action to isolate affected organizations to prevent post-exploitation damage

  2. 10.03.2026 19:49 6 articles · 1mo ago

    Microsoft March 2026 Patch Tuesday Addresses 2 Zero-Days and 79 Flaws

    Microsoft's March 2026 Patch Tuesday addresses 84 vulnerabilities, including 2 publicly disclosed zero-day flaws. The updates fix critical vulnerabilities, including remote code execution and information disclosure flaws, and cover elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing bugs. Notably, CVE-2026-21262 allows attackers to elevate privileges to sysadmin over a network on SQL Server 2016 and later editions. Additionally, Microsoft fixed two remote code execution bugs in Microsoft Office that can be exploited via the preview pane. A notable flaw in Microsoft Excel could allow data exfiltration via Microsoft Copilot. The updates also include patches for nine browser vulnerabilities and an out-of-band update for Windows Server 2022 to address a certificate renewal issue with Windows Hello for Business. Microsoft is changing the default behavior of Windows Autopatch to enable hotpatch security updates starting with the May 2026 Windows security update. This timeline phase is updated to reflect the corrected total of 84 vulnerabilities addressed, as confirmed by subsequent reporting.


Similar Happenings

LSASS crash triggers reboot loops on Windows domain controllers post-April 2026 updates

Microsoft has confirmed that non-Global Catalog Windows domain controllers running April 2026 security updates (KB5082063) are entering reboot loops due to Local Security Authority Subsystem Service (LSASS) crashes during startup. The issue affects environments using Privileged Access Management (PAM) and disrupts authentication and directory services, potentially rendering domains unavailable. Affected platforms include Windows Server 2025, 2022, 23H2, 2019, and 2016. Microsoft is investigating and recommends contacting Support for Business for mitigation measures.

Microsoft Defender zero-day exploits RedSun, BlueHammer, and UnDefend actively abused in the wild

Microsoft Defender is being actively abused in the wild using three proof-of-concept exploits—RedSun, BlueHammer (CVE-2026-33825), and UnDefend—released by researcher "Nightmare-Eclipse" after alleged poor responses from Microsoft Security Response Center (MSRC). RedSun and BlueHammer enable SYSTEM-level privilege escalation on fully patched Windows 10, 11, and Server 2019+ systems with Defender enabled, while UnDefend degrades Defender’s threat detection capabilities without triggering alerts. Attackers are staging binaries in low-noise directories and manually enumerating privileges before exploitation, reflecting targeted hands-on intrusions. Microsoft patched BlueHammer in April updates but has not addressed RedSun or UnDefend, which operate via separate flaws in Defender’s privileged file handling workflows.
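
The discovery commands the reporting attributes to these intrusions (whoami /priv, cmdkey /list, net group) are individually common in admin sessions, so a useful detection looks for them clustering in one host and user context rather than firing on any single one. The following Python is an added example, not code from the page, from Huntress or from Microsoft. The process-creation line format, the host and user names and every sample line are constructed; the ten-minute window and the two-command threshold are assumptions to tune against local baselines.

```python
"""Cluster the discovery commands reported alongside the Defender zero-day
activity when they occur together in one session. Added example: the log
format and every sample line below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the reporting. Patterns are case-insensitive and
# tolerate a full or quoted image path, e.g. "C:\Windows\System32\whoami.exe" /priv.
DISCOVERY_PATTERNS = {
    "whoami-priv": re.compile(r'\bwhoami(?:\.exe)?"?\s+/priv\b', re.I),
    "cmdkey-list": re.compile(r'\bcmdkey(?:\.exe)?"?\s+/list\b', re.I),
    "net-group": re.compile(r'\bnet1?(?:\.exe)?"?\s+group\b', re.I),
}
WINDOW = timedelta(minutes=10)  # assumption: tune to local baselines
MIN_DISTINCT = 2                # assumption: distinct commands needed to alert

# Constructed line format: <iso-timestamp> host=<h> user=<u> cmd=<command line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)


def parse_line(line):
    """Parse one process-creation line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "user": m.group("user"),
        "cmd": m.group("cmd"),
    }


def classify(cmd):
    """Return the discovery tag a command line matches, or None."""
    for tag, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return tag
    return None


def find_clusters(lines):
    """Group tagged events by (host, user) and report sessions where at least
    MIN_DISTINCT distinct discovery commands fall within WINDOW of each other.
    Returns a list of (host, user, sorted tag tuple)."""
    per_session = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tag = classify(ev["cmd"])
        if tag:
            per_session[(ev["host"], ev["user"])].append((ev["ts"], tag))

    alerts = []
    for (host, user), events in per_session.items():
        events.sort()
        # Slide a window forward from each event over the sorted list.
        for i, (start, _) in enumerate(events):
            tags = {t for ts, t in events[i:] if ts - start <= WINDOW}
            if len(tags) >= MIN_DISTINCT:
                alerts.append((host, user, tuple(sorted(tags))))
                break
    return alerts


# Constructed sample telemetry (not real hosts, users or timestamps).
SAMPLE_LOG = [
    r'2026-04-16T09:01:12 host=ws-17 user=CORP\jdoe cmd="C:\Windows\System32\whoami.exe" /priv',
    r'2026-04-16T09:02:40 host=ws-17 user=CORP\jdoe cmd=cmdkey /list',
    r'2026-04-16T09:04:05 host=ws-17 user=CORP\jdoe cmd=net group "Domain Admins" /domain',
    r'2026-04-16T09:05:00 host=ws-17 user=CORP\jdoe cmd=notepad.exe C:\notes.txt',
    r'2026-04-16T11:30:00 host=ws-22 user=CORP\svc-backup cmd=whoami /priv',
    r'2026-04-16T14:10:00 host=ws-22 user=CORP\svc-backup cmd=cmdkey /list',
    r'2026-04-16T12:00:00 host=dc-01 user=CORP\admin cmd=net group /domain',
]

if __name__ == "__main__":
    for host, user, tags in find_clusters(SAMPLE_LOG):
        print(f"{host} {user}: discovery cluster {', '.join(tags)}")
```

In the constructed sample only ws-17 trips the rule: its three commands land inside ten minutes, whereas ws-22 runs two of them hours apart and dc-01 runs one. Keying the cluster on host and user is deliberate; the page describes these as hands-on intrusions from a single foothold, so a sequence split across accounts is a different (and noisier) signal.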

BitLocker recovery prompts triggered on Windows Server 2025 after KB5082063 update

Microsoft has confirmed that the April 2026 KB5082063 security update for Windows Server 2025 is causing two distinct issues: BitLocker recovery prompts on first reboot for systems with PCR7-bound Group Policy configurations, and installation failures marked by 0x800F0983 errors on some devices. Both issues primarily impact enterprise-managed systems and require administrative intervention—either key entry for BitLocker recovery or troubleshooting update installation. Microsoft is investigating both problems and has provided temporary workarounds, including Known Issue Rollback (KIR) for BitLocker recovery and diagnostic reviews for update installation failures. Home users are unlikely to be affected by either issue.

BlueHammer Windows local privilege escalation zero-day exploit leaked

Exploit code for an unpatched Windows privilege escalation vulnerability, tracked as BlueHammer, has been publicly released by a disgruntled security researcher. The flaw enables local attackers to escalate privileges to SYSTEM or elevated administrator levels, allowing full system compromise. Microsoft has not issued a patch, classifying the issue as a zero-day. The exploit combines a TOCTOU (time-of-check to time-of-use) race with path confusion, granting access to the Security Account Manager (SAM) database to extract local account password hashes. The leak follows frustration with Microsoft’s Security Response Center (MSRC) over disclosure handling, with the researcher citing insufficient response as the trigger for public disclosure. The PoC code contains reliability issues, particularly on Windows Server platforms.

Google Chrome Zero-Day Exploits in Skia and V8 Engine

Google has released emergency updates for Chrome to patch two actively exploited zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910). The first is an out-of-bounds write flaw in Skia, a 2D graphics library, which could lead to browser crashes or code execution. The second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. Both vulnerabilities were discovered and patched within two days of reporting, affecting Windows, macOS, and Linux systems. The updates are rolling out to users, though it may take days or weeks to reach all users. Google has not disclosed further details about the attacks exploiting these vulnerabilities. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.