Microsoft releases historic patch batch with 169 vulnerabilities and an actively exploited SharePoint flaw


Microsoft has published this week a package of fixes that addresses a striking total of 169 security flaws across its product catalogue, including at least one vulnerability that is already being exploited in the wild. The figure makes this monthly release one of the largest in the company's recent history, second only to the record set in October 2025.

Of these 169 reported flaws, the vast majority are rated as high importance: 157 with severity "Important", eight "Critical", three "Moderate" and one "Low". By type, elevation of privilege vulnerabilities lead (93 cases), followed by information disclosure (21), remote code execution (21), security feature bypass (14), spoofing (10) and denial of service (9). The list even includes four CVEs that are not Microsoft's own but affect related components or projects such as AMD, Node.js, Windows Secure Boot and Git for Windows.


The fixes also include updates already applied to the Chromium-based Edge browser since last month's patch, which widens the overall reach of this patch cycle. Analysts such as Satnam Narang of Tenable have pointed out that the 2026 trend points to a worrying new normal: more than a thousand CVEs per year across the monthly updates, with a marked preponderance of elevation of privilege bugs in recent months. To weigh this perspective against Microsoft's official guidance, consult the Microsoft Security Response Center (MSRC) or the Microsoft Security Update Guide on Microsoft Learn.

The flaw already linked to malicious activity in the real world is the one tracked as CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server that Microsoft describes as an input validation problem. In practical terms, it allows an attacker to manipulate how content or interfaces are presented within SharePoint, which may lead users to receive or modify information that appears legitimate. Because exploitation can affect the confidentiality and integrity of data without interrupting availability, its seriousness lies in facilitating follow-on attacks through targeted deception.

The addition of this flaw to the Known Exploited Vulnerabilities catalogue of the US Cybersecurity and Infrastructure Security Agency (CISA KEV) means that federal agencies must remediate it before a set deadline. This inclusion is a clear signal that security teams should accelerate the rollout of patches and compensating controls in corporate and government environments.

Another issue that has attracted attention is an elevation of privilege vulnerability in Microsoft Defender tracked as CVE-2026-33825, publicly disclosed at the same time the patch arrived. Microsoft explains that an attacker with authorized access to the system could take advantage of insufficient access controls to gain higher privileges; however, systems that keep Defender enabled usually receive the fix automatically, because the platform is continuously updated by default. On machines where Defender is disabled, the weakness would not be exploitable.

This fix is related to an exploit known as "BlueHammer," whose code was published on GitHub in April 2026 by a researcher signing as "Chaotic Eclipse" after a dispute with Microsoft over the disclosure process. According to the available technical analysis, BlueHammer abused Defender's update and remediation mechanism, taking advantage of Volume Shadow Copy snapshots to expose protected registry files and thereby allow sensitive databases to be read and password hashes to be temporarily replaced. Although the public repository required an existing logon session and, according to several researchers, part of the exploit has since stopped working, the appearance of public code accelerated the need to patch.

Researchers from companies such as Cyderes, along with public comments from independent researchers, have described how the exploit chained legitimate Windows features (Cloud Files callbacks and file locks) to pause processes and leave sensitive material accessible at a specific moment of the Defender update flow. In practice, a successful attacker could gain access to the SAM database, recover NTLM hashes and escalate to SYSTEM, as well as restore the original state to hinder detection.

The vulnerability with the greatest potential impact on Internet-connected environments is the remote code execution flaw in the IKE (Internet Key Exchange) v2 service, tracked as CVE-2026-33824 with a near-maximum CVSS score of 9.8. IKEv2 is used to negotiate secure tunnels for VPN and IPsec, and because it is designed to operate over untrusted networks it is often exposed to external traffic in enterprise deployments. Security researchers have warned that the bug allows a remote actor to send specially crafted packets and achieve code execution without prior authentication, which in the worst case could mean complete takeover of exposed systems.

Experts from detection and response companies have stressed that RCE vulnerabilities that require no user interaction are particularly dangerous for Internet-accessible services, as they lend themselves to automated exploitation and lateral movement within corporate networks. For IT teams, the recommendation that follows from the severity of the finding is to prioritize protecting machines that expose IKEv2 to the outside and to apply the patches as quickly as possible.

This month's avalanche of fixes also reflects a trend in which elevation of privilege flaws dominate the set of remediations while remote code execution bugs have fallen proportionally. This does not mean the risk is lower: on the contrary, a local exploit that allows security barriers to be bypassed may be the first step of broader campaigns that are harder to contain.

If you manage Windows systems or corporate services based on SharePoint, Defender or VPN/IPsec, it is time to act now. Apply the official Microsoft updates as soon as possible; where the patch cannot be deployed immediately, the set of Microsoft technical advisories and mitigation recommendations can be consulted at MSRC and in the Security Update Guide. For organizations that must meet regulatory or security requirements, checking the CISA Known Exploited Vulnerabilities catalogue and its remediation deadlines helps prioritize efforts: https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
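As an added example of the prioritisation described above (this is not code from the article, Microsoft or CISA), the following Python script ranks the three flaws the article singles out against a KEV-style feed. The field names match the public CISA KEV JSON feed, but the feed contents, the dates, the exposure flags, the scoring weights and the helper names (`load_kev`, `score`, `prioritise`, `rank_this_month`) are assumptions constructed so the script runs offline; swap in the downloaded feed and your own asset inventory to use it for real.

```python
"""Triage this month's advisories against the CISA KEV catalogue.

Added example, not code from the article, Microsoft or CISA. It reads the
field names used by the public CISA KEV JSON feed (cveID, vendorProject,
product, dateAdded, dueDate, knownRansomwareCampaignUse); the feed content,
dates, exposure flags and scoring weights below are CONSTRUCTED assumptions
so the script runs offline.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed stand-in for the real feed (CISA publishes it as
# known_exploited_vulnerabilities.json). Only the field names follow the
# real schema; every value here, including the dates, is a placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-32201",
            "vendorProject": "Microsoft",
            "product": "SharePoint Server",
            "vulnerabilityName": "SharePoint Server spoofing (placeholder text)",
            "dateAdded": "2026-01-13",
            "dueDate": "2026-02-03",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2020-0000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "unrelated placeholder entry",
            "dateAdded": "2025-12-01",
            "dueDate": "2025-12-22",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

TODAY = date(2026, 1, 28)  # assumed "today" so the ranking is reproducible


@dataclass
class Advisory:
    """One entry from the monthly release, enriched with local asset context."""
    cve: str
    product: str
    category: str                  # EoP, RCE, Spoofing, ...
    cvss: Optional[float] = None   # None where the article gives no score
    network_exposed: bool = False  # from your own inventory (assumed here)
    publicly_disclosed: bool = False


# The three flaws the article singles out; exposure flags are assumptions.
THIS_MONTH = [
    Advisory("CVE-2026-32201", "SharePoint Server", "Spoofing",
             network_exposed=True),
    Advisory("CVE-2026-33825", "Microsoft Defender", "EoP",
             publicly_disclosed=True),
    Advisory("CVE-2026-33824", "Windows IKEv2", "RCE", cvss=9.8,
             network_exposed=True),
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index a KEV feed by CVE id; works unchanged on the real feed."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def score(adv: Advisory, kev: dict[str, dict], today: date) -> tuple[int, list[str]]:
    """Return (points, reasons). The weights are an assumed, tunable policy."""
    points, reasons = 0, []
    entry = kev.get(adv.cve)
    if entry is not None:                       # actively exploited: always first
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        points += 100
        reasons.append(f"in CISA KEV, due {entry['dueDate']} ({days_left} days left)")
        if days_left <= 7:
            points += 25
            reasons.append("KEV deadline within a week")
    if adv.category == "RCE" and adv.network_exposed:
        points += 50                            # no user interaction, automatable
        reasons.append("pre-auth RCE on an externally reachable service")
    if adv.publicly_disclosed:
        points += 30                            # public exploit code shortens the clock
        reasons.append("publicly disclosed before the patch")
    if adv.cvss is not None:
        points += round(adv.cvss * 3)
        reasons.append(f"CVSS {adv.cvss}")
    return points, reasons


def prioritise(advisories, feed_json: str, today: date) -> list[tuple[str, int, list[str]]]:
    """Rank advisories, highest score first (sorted is stable, ties keep input order)."""
    kev = load_kev(feed_json)
    scored = [(adv.cve, *score(adv, kev, today)) for adv in advisories]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def rank_this_month() -> list[tuple[str, int, list[str]]]:
    """Convenience wrapper over the constructed data above."""
    return prioritise(THIS_MONTH, SAMPLE_KEV_JSON, TODAY)


if __name__ == "__main__":
    for cve, points, reasons in rank_this_month():
        print(f"{points:4d}  {cve}  {'; '.join(reasons)}")
```

With the constructed data the SharePoint flaw ranks first purely because it is in KEV with a deadline a few days out, the IKEv2 bug second on exposure plus CVSS, and the Defender bug third; the point of the weighting is that "actively exploited" outranks raw CVSS, which mirrors how KEV is meant to be used.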


Beyond patching, access logs should be reviewed, unusual behaviour monitored, and privilege and network segmentation controls strengthened to limit the impact of possible exploitation. Defender's automatic updates offer a practical barrier against some threats, but defense in depth remains the best protection against complex attack chains.

For those who want deeper analysis and context, security labs and specialized firms maintain technical analyses and useful background on these findings. Publications and blogs from companies such as Rapid7, Tenable or Action1 often offer technical breakdowns and practical recommendations that complement the official advisories.

In short, this patch cycle is a reminder that the attack surface keeps growing and that agile update management, together with least-privilege practices and constant visibility, is essential. This is not the time to underestimate any of these fixes: some are entry points that, once compromised, allow escalation and movement that turn a minor incident into a serious breach.
