Overview

Multiple vendors, including SAP, Adobe, and Microsoft, have released security updates as part of April 2026 Patch Tuesday, addressing a combined 242 vulnerabilities across a broad range of enterprise and end-user products.

Several of the vulnerabilities allow for remote code execution, elevation of privilege, security feature bypass, information disclosure, spoofing, and denial of service. Of particular concern, Microsoft has confirmed two zero-day vulnerabilities addressed this month: one actively exploited in attacks and one publicly disclosed.

Failure to apply these updates in a timely manner may result in system compromise, privilege escalation, data exposure, and disruption to business operations.


Vulnerability Summary

  • Total Vulnerabilities: 242
  • Critical Severity: 14
  • Actively Exploited Zero-Days: 1 (Microsoft)
  • Publicly Disclosed Zero-Days: 1 (Microsoft)


Vendor Breakdown

Microsoft

Microsoft has released security updates for 167 vulnerabilities, including 8 critical-severity issues, 7 of which are remote code execution flaws and one a denial of service vulnerability. This release is the highest priority due to the presence of two zero-day vulnerabilities.

The actively exploited zero-day:

  • CVE-2026-32201 (CVSS 6.5 Medium) – Microsoft SharePoint Server Spoofing Vulnerability

The publicly disclosed zero-day:

  • CVE-2026-33825 (CVSS 7.8 High) – Microsoft Defender Elevation of Privilege Vulnerability (grants SYSTEM privileges)

Microsoft has also addressed multiple remote code execution vulnerabilities in Microsoft Office (Word and Excel), exploitable via the preview pane or by opening malicious documents. Users who regularly handle email attachments should prioritise patching Microsoft Office as soon as possible.

SAP

SAP has released 20 new and updated security notes addressing vulnerabilities across more than a dozen enterprise products. Notable vulnerabilities include:

  • CVE-2026-27681 (CVSS 9.9 High) – SQL Injection in Business Planning and Consolidation / Business Warehouse
  • CVE-2026-34256 (CVSS 7.1 High) – Missing Authorization Check in ERP and S/4HANA

The remaining notes address 16 medium-severity issues covering information disclosure, denial of service, XSS, code injection, and cross-site redirection, along with 2 low-severity code injection bugs in NetWeaver and Landscape Transformation.

At the time of reporting, there is no known active exploitation of these SAP vulnerabilities.

Adobe

Adobe has released security updates for 55 vulnerabilities across 11 products. The majority of advisories carry a priority rating of 3, indicating low exploitation risk. However, an advisory covering five critical ColdFusion vulnerabilities carries a priority rating of 1, reflecting the product’s history of being actively targeted. The ColdFusion flaws allow for security feature bypass, arbitrary file read, and remote code execution. Critical code execution vulnerabilities were also addressed in Acrobat Reader, InDesign, InCopy, FrameMaker, Connect, Bridge, Photoshop, and Illustrator. Important-severity issues, including code execution, denial of service, and privilege escalation, were patched in Experience Manager Screens and the DNG SDK.

Separately, Adobe recently patched CVE-2026-34621 (CVSS 8.6 High), an Acrobat and Reader zero-day reported to have been exploited for several months prior to the patch. CISA has also flagged active exploitation of the older Acrobat and Reader vulnerability CVE-2020-9715 (CVSS 7.8 High).

At the time of reporting, Adobe has confirmed no in-the-wild exploitation of the vulnerabilities addressed in this month’s Patch Tuesday release.


Affected Devices

Microsoft

  • Windows 10: All supported editions prior to the April 2026 updates (KB5082200)
  • Windows 11: All supported editions prior to the April 2026 updates (KB5083769 / KB5082052)
  • Windows Server: All supported versions prior to the April 2026 updates
  • Microsoft Office / Microsoft 365 Apps: All supported versions prior to the April 2026 updates
  • Microsoft SharePoint Server: All supported versions prior to the April 2026 updates
  • Microsoft Defender: Systems running Antimalware Platform versions prior to 4.18.26050.3011

SAP

  • SAP Business Planning and Consolidation: All supported versions prior to the April 2026 security notes
  • SAP Business Warehouse: All supported versions prior to the April 2026 security notes
  • SAP ERP: All supported versions prior to the April 2026 security notes
  • SAP S/4HANA: All supported on-premise versions prior to the April 2026 security notes
  • SAP BusinessObjects and Business Analytics: All supported versions prior to the April 2026 security notes
  • SAP NetWeaver: All supported versions prior to the April 2026 security notes
  • SAP HANA Cockpit and HANA Database Explorer: All supported versions prior to the April 2026 security notes
  • SAP Supplier Relationship Management: All supported versions prior to the April 2026 security notes
  • SAP Content Management, Material Master Application, and S4CORE: All supported versions prior to the April 2026 security notes

Adobe

The following Adobe products are affected in all versions prior to the April 2026 security updates:

  • Adobe ColdFusion
  • Adobe Acrobat Reader
  • Adobe InDesign
  • Adobe InCopy
  • Adobe FrameMaker
  • Adobe Connect
  • Adobe Bridge
  • Adobe Photoshop
  • Adobe Illustrator
  • Adobe Experience Manager Screens
  • Adobe DNG SDK


Recommended Remediations

ctrl:cyber strongly recommends the following actions:

Microsoft

Given the presence of two zero-days, including one under active exploitation, Microsoft updates should be treated as the highest priority this cycle.

  • Apply the April 2026 cumulative updates to all applicable assets in accordance with internal patching policy
  • Ensure the Microsoft Defender Antimalware Platform is updated to version 4.18.26050.3011 or later to address CVE-2026-33825 (CVSS 7.8); this update deploys automatically, but manual verification is recommended via Windows Security > Virus & Threat Protection > Protection Updates
  • Prioritise patching Microsoft Office / Microsoft 365 Apps across all endpoints in accordance with internal patching policy, particularly on systems where users regularly open email attachments or work with externally sourced documents, due to the remote code execution risk exploitable via the preview pane
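The Defender platform version and cumulative update checks above can be verified at scale rather than through the Windows Security UI. The following PowerShell script is an added example written for this advisory, not ctrl:cyber's or Microsoft's own tooling; it assumes it runs locally with administrative rights on a Windows 10 or 11 endpoint, uses the platform version and KB numbers stated in this advisory, and relies on Get-HotFix listing the installed cumulative update.

```powershell
# Added compliance check (not part of the original advisory): confirms the
# Defender Antimalware Platform version and the April 2026 cumulative update.
# Assumes local execution with administrative rights on Windows 10 / 11.

$RequiredPlatform = [version]'4.18.26050.3011'      # version stated in the advisory
$AprilKBs = @{                                       # KB numbers from the Affected Devices list
    'Windows 10' = @('KB5082200')
    'Windows 11' = @('KB5083769', 'KB5082052')
}

function Test-DefenderPlatform {
    # AMProductVersion is the Antimalware Platform version shown under Protection Updates
    $current = [version](Get-MpComputerStatus).AMProductVersion
    [pscustomobject]@{
        Check     = 'Defender Antimalware Platform'
        Installed = $current.ToString()
        Required  = $RequiredPlatform.ToString()
        Compliant = ($current -ge $RequiredPlatform)
    }
}

function Test-AprilCumulativeUpdate {
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $family = if ($caption -match 'Windows 11') { 'Windows 11' }
              elseif ($caption -match 'Windows 10') { 'Windows 10' }
              else { $null }
    if (-not $family) {
        # Server SKUs are not mapped to a KB in the advisory; report rather than guess
        return [pscustomobject]@{ Check = 'April 2026 cumulative update'; Installed = 'n/a'
                                  Required = 'see WSUS/Intune for server KB'; Compliant = $null }
    }
    $installed = (Get-HotFix).HotFixID
    $found = @($AprilKBs[$family] | Where-Object { $installed -contains $_ })
    $installedText = if ($found.Count -gt 0) { $found -join ', ' } else { 'not installed' }
    [pscustomobject]@{
        Check     = "April 2026 cumulative update ($family)"
        Installed = $installedText
        Required  = ($AprilKBs[$family] -join ' or ')
        Compliant = ($found.Count -gt 0)
    }
}

$results = @(Test-DefenderPlatform; Test-AprilCumulativeUpdate)
$results | Format-Table -AutoSize
# Non-zero exit lets a deployment tool flag non-compliant endpoints
if ($results | Where-Object { $_.Compliant -eq $false }) { exit 1 }
```

A blank Compliant value on a server SKU means the script could not determine the expected KB from this advisory, not that the system is patched.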

SAP

While no active exploitation has been observed, CVE-2026-27681 (CVSS 9.9) in Business Planning and Consolidation and Business Warehouse represents significant risk to financial data integrity and should be treated with urgency.

  • Apply all April 2026 SAP security notes in accordance with internal patching policy, prioritising CVE-2026-27681 (CVSS 9.9) in BPC and BW environments
  • Review access controls for the affected upload functionality in BPC and BW pending patch deployment, and consider restricting access to low-privileged accounts where feasible
  • Apply the security note addressing CVE-2026-34256 (CVSS 7.1) in ERP and S/4HANA to prevent unauthorised ABAP program execution

Adobe

Priority should be given to ColdFusion environments and any systems running Acrobat Reader given the recent zero-day disclosure and CISA advisory.

  • Patch Adobe ColdFusion immediately across all instances in accordance with internal patching policy; this product carries a priority rating of 1 and has a documented history of active exploitation
  • Apply the out-of-band patch for CVE-2026-34621 (CVSS 8.6) in Acrobat and Reader if not already completed, as this vulnerability is reported to have been exploited for several months
  • Apply April 2026 security updates to all remaining affected Adobe products in accordance with internal patching policy, prioritising those used in document-heavy or externally facing workflows

Sources:

BleepingComputer (Microsoft focused)
SAP Security Bulletin
Adobe Security Bulletin