Skip to content
Auto-CTI
Back to all deep dives
ZERO DAY INITIATIVE - BLOG

The April 2026 Security Update Review

KEV MEDIUM Patch Tuesday Adobe Reader Windows elevation of privilege
The April 2026 Security Update Review

Strategic summary

The April 2026 Patch Tuesday brings a massive number of updates: Adobe fixes 61 vulnerabilities, including one actively exploited bug in Acrobat Reader. Microsoft releases 163 new CVEs, totaling 247, with an actively attacked SharePoint spoofing vulnerability. The high volume may be due to AI-generated bug reports. Organizations should urgently implement these critical patches, especially for internet-facing systems.

Key findings

  • Two actively exploited vulnerabilities: CVE-2026-32201 in Microsoft SharePoint (spoofing) and an unnamed flaw in Adobe Acrobat Reader.
  • Adobe addresses 61 CVEs across products like ColdFusion, FrameMaker, and Connect, with ColdFusion requiring deployment priority 1.
  • Microsoft's April update includes 247 CVEs, the second-largest monthly release in the company's history.
  • Eight Microsoft vulnerabilities are rated Critical, with the remainder Important or Moderate.
  • The increase in reported vulnerabilities is partly attributed to the use of AI tools.

Relevance for you

The article is a monthly patch review covering multiple elevation-of-privilege vulnerabilities in Windows kernel modules and SQL Server; Adobe Reader is flagged as actively exploited, but without specific DACH relevance or geopolitical implications.

Mentioned CVEs

Risk score

62
cvss base
65.00
kev bonus
20.00
epss bonus
10.00
poc bonus
15.00
raw before weight
110.00
industry weight
1.21
freshness factor
0.50
exploitability factor
1.00
days old
85.00
vendor mismatch penalty
0.00
consensus penalty
-5.00

Path: operational

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • VENDOR_MISMATCH Vendor not found in alert title −5
Consensus penalty:
−5.0
Total penalty:
−5.0

MITRE ATT&CK mapping

5 TTPs
Recon
Resource Dev
Persistence
Def. Evasion
Cred. Access
Discovery
Lateral Mov.
Collection
C2
Exfiltration
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1068
Exploitation for Privilege Escalation
Privilege Escalation Multiple CVEs in Windows components (including kernel, afd.sys, Desktop Windows Manager, SQL Server, UPnP) are exploited to elevate privileges to SYSTEM-level, administrative, or SQL sysadmin privileges on local systems high llm
T1203
Exploitation for Client Execution
Execution CVE in Adobe Acrobat Reader is actively exploited in the wild against end-user systems, representing the highest-priority patch in the April 2026 release high llm
T1611
Escape to Host
Privilege Escalation Several Windows sandbox escape vulnerabilities are addressed, including bugs in Windows Push Notifications (CVE-2026-26167), AFD for Winsock, Management Services, and User Interface Core, allowing attackers to break out of sandboxed environments high llm
T1499
Endpoint Denial of Service
Impact A tampering vulnerability in WSUS allows attackers to send specially crafted packets to affect service availability and cause Denial of Service; additionally, bugs in afd.sys and Desktop Windows Manager are noted to crash affected systems medium llm
T1190
Exploit Public-Facing Application
Initial Access Adobe ColdFusion receives a deployment priority 1 patch, indicating critical vulnerabilities in the publicly accessible web application platform that could be exploited by remote attackers medium llm
ESC