April Patch Tuesday roundup: Zero day vulnerabilities and critical bugs
Summary
April's Patch Tuesday includes 167 security updates, with three particularly critical issues: a zero day (actively exploited vulnerability) in Microsoft SharePoint that allows attackers to spoof (impersonate) the service and access sensitive data, a critical SQL injection vulnerability (a type of attack where malicious code is inserted into database queries) in a SAP product, and a 9.8 CVSS score (a 0-10 severity rating) vulnerability in Windows Internet Key Exchange (IKE, a protocol for secure communications) that could let attackers run remote code. Security teams are urged to prioritize patching these actively exploited flaws in widely-used applications rather than relying solely on severity scores.
Solution / Mitigation
For the Windows IKE vulnerability (CVE-2026-33824), Microsoft recommends two temporary mitigations for admins who cannot immediately install the security update: (1) block inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE, or (2) for systems that require IKE, configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses. Microsoft notes these actions reduce attack surface but do not replace installing the security update. For SharePoint and other vulnerabilities, the source text does not explicitly describe mitigation steps beyond applying the patches.
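The two temporary mitigations above, expressed as Windows Firewall rules. This is an added example, not code from the CSO article or from Microsoft's advisory; it assumes an elevated PowerShell session on the affected host, and the peer addresses passed to `Restrict-IkeInbound` are placeholders for the host's real IKE peers. The third function is a check: on Windows Firewall a block rule always overrides an allow rule, so option 1 is safe on its own, but option 2 only restricts traffic if no other enabled rule still allows UDP 500/4500 from any address.

```powershell
# Added example (not from the article or Microsoft): Windows Firewall rules for the
# two temporary mitigations for CVE-2026-33824. Run elevated on the affected host.
# Peer addresses are placeholders; replace them with this host's real IKE peers.

$IkePorts = @('500', '4500')   # UDP ports used by IKE (500) and NAT-T (4500)

# Option 1: the host does not use IKE/IPsec -> block inbound UDP 500/4500 entirely.
function Block-IkeInbound {
    New-NetFirewallRule -DisplayName 'Mitigation CVE-2026-33824 - Block IKE inbound' `
        -Direction Inbound -Protocol UDP -LocalPort $IkePorts `
        -Action Block -Profile Any -Enabled True
}

# Option 2: the host needs IKE -> allow inbound UDP 500/4500 only from known peers.
function Restrict-IkeInbound {
    param(
        # Placeholder values, e.g. '203.0.113.10','203.0.113.0/24' (documentation range)
        [Parameter(Mandatory)][string[]]$KnownPeers
    )
    New-NetFirewallRule -DisplayName 'Mitigation CVE-2026-33824 - Allow IKE from known peers' `
        -Direction Inbound -Protocol UDP -LocalPort $IkePorts `
        -RemoteAddress $KnownPeers -Action Allow -Profile Any -Enabled True
}

# Check for option 2: list enabled inbound allow rules that still admit UDP 500/4500
# (or any port) from any remote address. Each hit must be disabled or narrowed, or the
# peer restriction does not actually take effect.
function Get-BroadIkeAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $addr  = $rule | Get-NetFirewallAddressFilter
        $ports = @($port.LocalPort)
        $hitsIke = ($ports -contains 'Any') -or ($ports -contains '500') -or ($ports -contains '4500')
        if ($port.Protocol -eq 'UDP' -and $hitsIke -and ($addr.RemoteAddress -eq 'Any')) {
            $rule
        }
    }
}

# Usage (pick one mitigation, then run the check if you chose option 2):
# Block-IkeInbound
# Restrict-IkeInbound -KnownPeers '203.0.113.10','203.0.113.11'
# Get-BroadIkeAllowRules | Select-Object DisplayName, Group
```

Both rule sets reduce exposure only until the April update is installed; as the advisory notes, they do not replace the patch. Before applying option 1 fleet-wide, confirm from the same `Get-NetFirewallRule` output (or from VPN/IPsec policy) that the host really has no IKE dependency, since blocking UDP 500/4500 silently breaks any IPsec tunnel terminating there.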
Classification
Original source: https://www.csoonline.com/article/4158706/april-patch-tuesday-roundup-zero-day-vulnerabilities-and-critical-bugs.html
First tracked: April 15, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 95%