The April 2026 patch cycle brought together several important developments across the security landscape. Microsoft released a large Patch Tuesday update, SAP published its monthly Security Patch Day notes, Fortinet issued a broad set of advisories, and CISA added six more vulnerabilities to its Known Exploited Vulnerabilities catalog.
Taken together, these updates give a useful picture of where defenders need to focus right now: internet-facing infrastructure, management platforms, privilege escalation bugs, and software that sits at the center of enterprise operations.
Start with the KEV catalog
The most urgent signal this month came from CISA's KEV catalog. When a vulnerability is added to KEV, it means there is evidence it is being exploited in real attacks. That makes it more than a theoretical risk.
CISA added six vulnerabilities:
- CVE-2026-21643 in Fortinet FortiClient EMS — an SQL injection vulnerability that could allow an unauthenticated attacker to execute unauthorized code or commands through crafted HTTP requests
- CVE-2020-9715 in Adobe Acrobat Reader — a use-after-free bug that could lead to remote code execution
- CVE-2023-36424 in the Windows Common Log File System Driver — which could allow privilege escalation
- CVE-2023-21529 in Microsoft Exchange Server — a deserialization issue that could allow authenticated remote code execution
- CVE-2025-60710 in Host Process for Windows Tasks — a local privilege escalation vulnerability
- CVE-2012-1854 in Microsoft VBA — an insecure library loading issue that could result in remote code execution
The most important of these is probably CVE-2026-21643 in FortiClient EMS. It affects a security management product, which makes it especially sensitive. Reports said exploitation attempts had been seen since March 24, 2026, and CISA set an accelerated remediation deadline for that flaw.
The Exchange vulnerability, CVE-2023-21529, also deserves close attention. Microsoft said a threat actor it tracks as Storm-1175 has been using it to deliver Medusa ransomware. That turns it from a patching concern into an active operational threat.
The older entries in the KEV list are also worth noting. A 2012 VBA issue and a 2020 Acrobat Reader flaw are reminders that attackers still succeed with vulnerabilities many organizations assume are long behind them.
Microsoft's April Patch Tuesday: the mix matters more than the count
Microsoft's April release included:
- 93 elevation of privilege vulnerabilities
- 20 remote code execution vulnerabilities
- 21 information disclosure vulnerabilities
- 13 security feature bypass vulnerabilities
- 10 denial of service vulnerabilities
- 9 spoofing vulnerabilities
It also included two zero-days: one actively exploited and one publicly disclosed.
CVE-2026-32201: SharePoint zero-day under active exploitation
The actively exploited zero-day was CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability.
Microsoft said improper input validation in SharePoint could allow an unauthorized attacker to perform spoofing over a network. A successful attacker could view sensitive information and make changes to disclosed information.
Because this affects SharePoint, the risk is higher than the word "spoofing" might suggest at first glance. SharePoint often sits in a trusted role inside the enterprise and can hold sensitive business data. If it is internet-facing, it should be patched quickly.
CVE-2026-33825: Publicly disclosed Defender privilege escalation
The second zero-day was CVE-2026-33825, a Microsoft Defender elevation of privilege vulnerability.
Microsoft fixed it in Microsoft Defender Antimalware Platform version 4.18.26050.3011. The bug could allow SYSTEM-level privileges, which makes it especially relevant in post-compromise scenarios. Even though Defender updates often arrive automatically, security teams should still verify that the platform update has actually been applied across their environment.
Office vulnerabilities remain a practical risk
Microsoft also fixed multiple remote code execution vulnerabilities in Microsoft Office, including flaws in Word and Excel.
These matter because they can be triggered in very familiar ways: by opening a malicious file, or in some cases through the preview pane alone. That makes them especially relevant for email-heavy organizations. If users regularly receive attachments from outside the company, Office updates should be treated as a priority and not left for the next maintenance window.
Fortinet had a broad and important advisory set
Fortinet's April 14 advisories covered multiple products, including FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, and related cloud offerings.
A few stood out:
- CVE-2026-39808: OS command injection through an API endpoint in FortiSandbox, rated Critical
- CVE-2025-68649: Path traversal in the CLI affecting FortiAnalyzer and FortiManager
- CVE-2026-39813: Unauthenticated authentication bypass and privilege escalation in FortiSandbox
- CVE-2026-22828: Heap-based buffer overflow in the oftpd daemon affecting FortiAnalyzer Cloud and FortiManager Cloud
There were also several medium-severity issues involving XSS, path traversal, credential disclosure, and SQL injection.
The important point here is not just the number of Fortinet advisories. It is the spread. These vulnerabilities affect management systems, security appliances, and analysis platforms — products that security teams often trust to monitor and control the rest of the environment. When those systems are compromised, the blast radius can extend far beyond the device itself.
SAP's patch day included one especially serious issue
SAP's April 14 Security Patch Day included 19 new security notes and 1 update to a previously released note.
The most critical item was CVE-2026-27681 in SAP Business Planning and Consolidation and SAP Business Warehouse — an SQL injection vulnerability with a CVSS score of 9.9. SAP customers should treat this one seriously right away, because it affects core enterprise systems tied to financial and operational data.
Other SAP notes included:
- Missing authorization checks in SAP ERP, SAP S/4HANA, and various OData services
- Information disclosure issues in SAP HANA Cockpit and SAP Human Capital Management
- Code injection in SAP NetWeaver Application Server Java
- Open redirect and XSS issues in SAP NetWeaver and other SAP products
The pattern here is familiar: access control weaknesses, injection flaws, and information exposure in large business platforms.
What this month shows
A few themes stand out from this patch cycle.
Management and control-plane software remains a major target. FortiClient EMS, SharePoint, Exchange, SAP platforms, and Fortinet security products all sit in high-value positions. Attackers are going after systems that give them leverage over the wider environment.
Privilege escalation still plays a major role. Microsoft's numbers alone show how common these bugs are. Even when they are not the initial entry point, they are often the next step after access is gained.
Older vulnerabilities are still active enough to matter. The KEV additions included bugs from 2012 and 2020. That is a useful reminder that patching gaps tend to persist longer than most organizations expect.
Patch priority should be based on exposure and exploitation, not just severity scores. A medium or high-severity vulnerability under active exploitation may matter more than a critical issue in a product you do not expose or barely use.
A practical patching order
For most enterprise environments, a sensible priority order for April would look like this:
- KEV-listed vulnerabilities, especially Fortinet FortiClient EMS and Microsoft Exchange
- Internet-facing SharePoint systems (CVE-2026-32201)
- Microsoft Defender platform updates (CVE-2026-33825)
- Microsoft Office across user endpoints
- Fortinet management and security infrastructure
- SAP systems, especially if the affected modules are in use
- The remaining Windows and platform updates from Patch Tuesday
Sources: - Fortinet PSIRT Advisories - SAP Security Notes — April 2026 - Microsoft Security Update Guide