
Microsoft Fixes 165 Vulnerabilities, Including Exploited SharePoint Zero-Day CVE-2026-32201
Key Takeaways
- Microsoft patched Defender zero-day RoguePlanet (CVE-2026-50656) after public PoC exploit.
- Patch Tuesday delivered 165 fixes including Defender vulnerability RoguePlanet.
- The flaw enables local privilege escalation to SYSTEM on Windows.
Patch Tuesday and zero-days
Microsoft’s April Patch Tuesday update corrected 165 security vulnerabilities, placing it in the trio of the largest bulletins of security published by the editor, and it also included a zero-day already being exploited, CVE-2026-32201, affecting SharePoint Server.
“An exploitation tactic based on a zero-day flaw in Windows Defender, Microsoft's default antivirus, has just been posted online”
Le Monde Informatique said the CVE-2026-32201 flaw is actively exploited and can enable spoofing by letting a pirate impersonate a Sharepoint account through incorrect data validation.

In the same April batch, Le Monde Informatique highlighted another issue to fix urgently: CVE-2026-33824 in Windows Internet Key Exchange (IKE) Service Extensions, described as critical with a CVSS 9.8 score and capable of letting an attacker execute code remotely if not patched.
Dark Reading reported that Microsoft issued an out-of-band patch for RoguePlanet, an elevation-of-privilege vulnerability in Windows Defender tracked as CVE-2026-50656, after a proof-of-concept was published by a researcher known as "Nightmare-Eclipse."
RoguePlanet and the feud
Dark Reading said RoguePlanet received a 7.8 score from Microsoft and could allow an attacker to escalate privileges on a Windows device from a basic user to the highest SYSTEM-level access, giving complete control over the device.
The outlet described how the dispute began in April when Nightmare-Eclipse published an exploit for another privilege-escalation flaw in Windows Defender, dubbed "BlueHammer" and tracked as CVE-2026-33825, out of frustration with Microsoft’s Security Response Center (MSRC).

Le Monde Informatique, meanwhile, quoted Nick Caroll of Nightwing warning that “Le paysage des menaces en avril se caractérise par des exploitations concrètes et immédiates plutôt que par de simples vulnérabilités théoriques”.
In a separate account, LinkedIn said Microsoft released Microsoft Malware Protection Engine version 1.1.26060.3008 to remediate CVE-2026-50656 and that the fix is distributed through Defender's security intelligence infrastructure rather than waiting for a traditional Patch Tuesday release.
What defenders must do
Le Monde Informatique said the CVE-2026-33824 IKE flaw can be mitigated temporarily by blocking incoming traffic on UDP 500 and 4500 for systems that do not use IKE, or by configuring firewall rules to allow UDP 500 and 4500 only from known peer addresses.
“Microsoft has released a security patch to address a Defender zero-day vulnerability known as "RoguePlanet," disclosed after the June 2026 Patch Tuesday”
For Active Directory, Le Monde Informatique highlighted CVE-2026-33826 as critical with a CVSS 8 score, and it quoted Jack Bicer of Action1 saying the vulnerability “représente une menace directe pour l'infrastructure d'identité.”
Tech Times reported that Microsoft issued an emergency update 29 days after a proof-of-concept exploit was exposed, and it said the immediate action for security teams is to confirm Microsoft Malware Protection Engine version 1.1.26060.3008 or higher is installed on every managed endpoint.
BleepingComputer added that the RoguePlanet flaw was disclosed by Nightmare Eclipse using the handle "Nightmare Eclipse" and that Microsoft released Microsoft Malware Protection Engine 1.1.26060.3008 to address CVE-2026-50656, while also noting the researcher said the exploit worked regardless of whether real time protection was on or not.
More on Technology and Science

OpenAI Sunsets ChatGPT Atlas Browser, Pivots to ChatGPT Desktop App With ChatGPT Work
13 sources compared

FTC And Five States Reach 10-Year Right-To-Repair Settlement With Deere & Company
10 sources compared

Meta Disables Ray-Ban Meta Camera After Users Tamper With Capture LED
18 sources compared

OpenAI Launches GPT-Live Voice Models With Full-Duplex Listening And Speaking
15 sources compared