Live Threats
[CVE-2026-1234]Windows CLFS Driver zero-day — privilege escalation to SYSTEM, CISA KEV confirmed, patch immediately|
[CVE-2026-0891]Fortinet FortiOS authentication bypass — unauthenticated admin access, active exploitation in the wild|
[CVE-2026-2201]Palo Alto PAN-OS command injection — remote code execution on firewall management plane, CISA KEV listed|
[PATCH]Microsoft April 2026 Patch Tuesday — 147 CVEs addressed including 3 zero-days, deploy immediately|
[BREACH]Healthcare sector breach — 2.3M patient records exposed, PHI including SSNs and medical histories compromised|
[CVE-2026-1887]Chrome V8 type confusion RCE — remote code execution via malicious web page, update Chrome immediately|
[COMPLIANCE]PCI DSS 4.0.1 MFA deadline — mandatory multi-factor authentication enforcement now in effect for all merchants|
[CVE-2026-3310]Cisco IOS XE privilege escalation — authenticated users gain root on affected switches and routers, patch now|
[RANSOMWARE]LockBit 4.0 SMB campaign — RDP brute-force targeting small businesses, double-extortion, 72-hour ransom window|
[ADVISORY]Adobe Acrobat PDF phishing wave — malicious PDFs bypassing email filters, credential harvesting at scale|
[CVE-2026-1234]Windows CLFS Driver zero-day — privilege escalation to SYSTEM, CISA KEV confirmed, patch immediately|
[CVE-2026-0891]Fortinet FortiOS authentication bypass — unauthenticated admin access, active exploitation in the wild|
[CVE-2026-2201]Palo Alto PAN-OS command injection — remote code execution on firewall management plane, CISA KEV listed|
[PATCH]Microsoft April 2026 Patch Tuesday — 147 CVEs addressed including 3 zero-days, deploy immediately|
[BREACH]Healthcare sector breach — 2.3M patient records exposed, PHI including SSNs and medical histories compromised|
[CVE-2026-1887]Chrome V8 type confusion RCE — remote code execution via malicious web page, update Chrome immediately|
[COMPLIANCE]PCI DSS 4.0.1 MFA deadline — mandatory multi-factor authentication enforcement now in effect for all merchants|
[CVE-2026-3310]Cisco IOS XE privilege escalation — authenticated users gain root on affected switches and routers, patch now|
[RANSOMWARE]LockBit 4.0 SMB campaign — RDP brute-force targeting small businesses, double-extortion, 72-hour ransom window|
[ADVISORY]Adobe Acrobat PDF phishing wave — malicious PDFs bypassing email filters, credential harvesting at scale|
View All
Microsoft April 2026 Patch Tuesday: 147 CVEs, 3 Zero-Days Fixed
Security News/Issue #17 — April 14 – April 20, 2026
PATCH UPDATECRITICALCVE-2026-2891CVE-2026-2944CVE-2026-3012

Microsoft April 2026 Patch Tuesday: 147 CVEs, 3 Zero-Days Fixed

Published April 17, 2026
6 min read
Source: Microsoft Security Response Center
SHARE:
Affected Systems
Windows 10/11Windows Server 2019/2022Microsoft Office 365Exchange Server 2019Azure Active Directory
Executive Summary

Microsoft's April Patch Tuesday addressed 147 vulnerabilities across Windows, Office, Azure, and Exchange Server. Three zero-days were patched — all confirmed exploited in the wild. Prioritize these patches this week.

April Patch Tuesday Overview

Microsoft released its April 2026 Patch Tuesday security updates on April 14, 2026, addressing a total of 147 Common Vulnerabilities and Exposures (CVEs) across its product portfolio. This is one of the largest monthly patch releases in recent history. Of the 147 CVEs, 23 are rated Critical, 118 are rated Important, and 6 are rated Moderate. Three vulnerabilities are confirmed zero-days — meaning they were being actively exploited before Microsoft released the fix.

Zero-Day #1: CVE-2026-2891 — Windows CLFS Elevation of Privilege

The most urgently exploited zero-day this month is CVE-2026-2891, a privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. This vulnerability allows a locally authenticated attacker to elevate their privileges to SYSTEM level, giving them complete control over the affected machine. Multiple ransomware groups — including a successor to the LockBit operation — are actively using this vulnerability as part of their post-exploitation toolkit. Once attackers gain initial access through phishing or another vector, they use this flaw to escalate privileges before deploying ransomware. This affects all supported versions of Windows 10, Windows 11, and Windows Server.

Zero-Day #2: CVE-2026-2944 — Microsoft Office Remote Code Execution

CVE-2026-2944 is a critical remote code execution vulnerability in Microsoft Office that can be triggered when a user opens a specially crafted Office document. The vulnerability exists in the way Office processes certain embedded objects and does not require macros to be enabled. Attackers are distributing malicious Word and Excel documents via phishing emails. Simply opening the document is sufficient to trigger code execution with the privileges of the logged-in user. This affects Microsoft Office 2019, Office 2021, and Microsoft 365 Apps for Enterprise. Microsoft has released patches and also published a workaround involving Protected View settings.

Zero-Day #3: CVE-2026-3012 — Windows DNS Server Spoofing

CVE-2026-3012 is a DNS spoofing vulnerability in Windows DNS Server that allows an unauthenticated attacker on the same network to intercept and manipulate DNS responses. This can be used to redirect users to malicious websites, intercept credentials, or perform man-in-the-middle attacks. While this requires network adjacency (the attacker must be on the same network segment), it is particularly dangerous in environments with guest Wi-Fi networks or where contractors have network access. This affects Windows Server 2019 and 2022 running the DNS Server role.

Other Notable Patches This Month

Beyond the three zero-days, several other patches deserve priority attention. Exchange Server received fixes for two Critical remote code execution vulnerabilities that could allow unauthenticated attackers to execute code on the mail server. Azure Active Directory Connect received a patch for a privilege escalation flaw. Windows Hyper-V received fixes for two guest-to-host escape vulnerabilities. Microsoft also patched 14 vulnerabilities in the Windows TCP/IP stack, several of which are rated Critical.

Deployment Recommendations

For organizations using Windows Update or Microsoft Update, these patches will be delivered automatically if automatic updates are enabled. For organizations managing updates via WSUS, SCCM, or Intune, deploy the April updates to all endpoints within 72 hours, prioritizing internet-facing systems and servers. Test in a staging environment first if your organization requires it, but do not let testing delays push deployment beyond one week. For Exchange Server, apply the April Cumulative Update and follow Microsoft's documented update procedures.

Key Takeaways & Action Items
  • Deploy April Patch Tuesday updates to all Windows systems within 72 hours
  • Prioritize CVE-2026-2891 (CLFS elevation of privilege) — actively used by ransomware groups
  • CVE-2026-2944 affects all Office versions including Microsoft 365 — patch or apply workaround immediately
  • Exchange Server administrators should apply the Cumulative Update before end of week
  • Enable Windows Update on all endpoints if not already managed via WSUS or Intune
Share This
LinkedInX / TwitterEmail

Need Help With This Threat?

Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.

Schedule a Security ReviewCall (210) 496-7313

Stay ahead of the next threat

Get weekly security alerts — breaches, patch updates, compliance news, and threat intel — delivered free to your inbox every week.

Breach alerts
Patch roundups
Compliance news
No spam, ever
Back to Issue #17: April 14 – April 20, 2026
PREVIOUS ARTICLE
HHS Ramps Up HIPAA Enforcement: 40% Increase in Q1 2026 Actions
NEXT ARTICLE
Hackers Are Logging Into Fortinet Firewalls Right Now — No Password Required
Talk with Us