April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More
Critical SAP, Adobe, Fortinet, and Microsoft flaws disclosed in April Patch Tuesday, enabling RCE and data theft risks.
167 Flaws, Two Zero-Days, One Very Busy Week
Microsoft dropped its April 2026 Patch Tuesday with fixes for 167 vulnerabilities, including two zero-days. One of them, a SharePoint Server spoofing flaw (CVE-2026-32201), is already being actively exploited in the wild. The other, a Microsoft Defender privilege escalation bug (CVE-2026-33825), has a public proof of concept floating around.
This is not just a Microsoft story. SAP published 19 security notes including a critical ABAP vulnerability. Fortinet patched critical flaws in FortiOS and FortiProxy. Adobe pushed fixes for Acrobat, Reader, and ColdFusion. The common theme: remote code execution risks across the board.
The Worst of the Bunch
The highest rated flaw this month scores 9.8 on the CVSS scale. CVE-2026-33824 targets the Windows Internet Key Exchange (IKE) Service and allows remote code execution with zero authentication. Low complexity, no privileges required. An attacker just needs to send crafted packets to a Windows machine with IKE version 2 enabled.
The actively exploited SharePoint hole is arguably more dangerous in practice. SharePoint instances are often internal document stores filled with sensitive data. An attacker who gets in can steal documents, replace legitimate files with weaponized versions, and move laterally across the organization. This is exactly the kind of attack path that ransomware groups love.
What This Means for WAF Operators
When vendors like Microsoft, SAP, Fortinet, and Adobe all ship critical patches in the same week, the attack surface expands faster than most teams can patch. This is where a properly configured Web Application Firewall earns its keep. Solutions like Cloudflare, Imperva, AWS WAF, and F5 Advanced WAF can block exploit attempts targeting known vulnerability patterns while your team catches up on patches.
The SharePoint and IKE vulnerabilities highlight why relying solely on patching is a losing strategy. Virtual patching through WAF rules buys critical time.
WAFplanet Take
167 flaws in one batch is the second largest Patch Tuesday ever. That is not a trend you want to see. The fact that attackers are already exploiting SharePoint before the patch even lands tells you everything about the current threat tempo. If your web applications sit behind nothing but hope and a quarterly patching schedule, this is your wake-up call. Compare WAF providers and get layered defense in place before the next wave hits.
