Microsoft Patches 165 Vulnerabilities Including 2 Actively Exploited Zero-Days


Summary

The Italian National Cybersecurity Agency (CSIRT-ITA) issued Alert AL02/260415/CSIRT-ITA reporting that Microsoft released its monthly security updates addressing 165 vulnerabilities, including two actively exploited zero-days. The first zero-day, CVE-2026-32201 in Microsoft SharePoint Server (CVSS 6.5, Spoofing), allows attackers to impersonate legitimate entities through improper input validation. The second, CVE-2026-33825 'BlueHammer' in Microsoft Defender Antimalware Platform (CVSS 7.8, Elevation of Privilege), exploits a TOCTOU race condition between file scanning and Volume Shadow Copy manipulation to achieve SYSTEM-level privileges. CSIRT-ITA recommends updating affected products via Windows Update.

Published by CSIRT-ITA on acn.gov.it. Detected, standardized, and enriched by GovPing.

What changed

Microsoft's April 2026 Patch Tuesday addressed 165 security vulnerabilities across its product portfolio, including two zero-days confirmed as actively exploited or with publicly available proof-of-concept exploits. CVE-2026-32201 (SharePoint Server) enables spoofing attacks via improper input validation, while CVE-2026-33825 'BlueHammer' (Microsoft Defender) allows local authenticated attackers to elevate privileges to SYSTEM through a race condition exploiting Volume Shadow Copy manipulation. Microsoft reinforced Access Control Lists on sensitive Defender paths and improved process validation mechanisms.

Organizations running Microsoft SharePoint Server or Microsoft Defender Antimalware Platform should prioritize patching given confirmed active exploitation of both vulnerabilities. The BlueHammer vulnerability specifically affects systems where access controls on Defender engine paths may be insufficient, potentially enabling malware to evade detection. All listed product families spanning Azure, Office, Windows OS components, and server infrastructure should be updated through standard Windows Update channels.

What to do next

  1. Update affected products through Windows Update

Archived snapshot

Apr 25, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.


Microsoft Monthly Updates

Alert AL02/260415/CSIRT-ITA

Summary

Microsoft has released its monthly security updates, which fix a total of 165 new vulnerabilities, two of which are 0-days.

Type

  • Denial of Service
  • Elevation of Privilege
  • Information Disclosure
  • Remote Code Execution
  • Security Feature Bypass
  • Spoofing
  • Tampering

Description and potential impacts

In detail, the vulnerabilities that are actively exploited, or for which a "proof of concept" is also publicly available, concern:

  • Microsoft SharePoint Server: identified as CVE-2026-32201, of type "Spoofing" and with a CVSS v3.1 score of 6.5, it affects Microsoft SharePoint Server instances and is caused by inadequate input validation (Improper Input Validation). Specifically, an attacker could exploit this vulnerability to impersonate a legitimate entity on target systems.
  • Microsoft Defender Antimalware Platform: this CSIRT analysed and tested CVE-2026-33825, known as "BlueHammer", of type "Elevation of Privilege" and with a CVSS v3.1 score of 7.8, which affects the Microsoft Defender Antimalware Platform. Specifically, it was verified that the vulnerability stems from a TOCTOU (Time Of Check Time Of Use) condition that can be exploited through a "race condition" between Microsoft Defender's file-scanning process and the manipulation of the Volume Shadow Copy. This condition may allow malicious payloads to evade detection without altering the behaviour perceived by the user. Where controls on the access mechanisms to the paths and resources used by the Defender engine are insufficient, an attacker who is already locally authenticated could exploit the vulnerability to elevate their privileges up to SYSTEM level on affected systems. The updates released by Microsoft resolved the vulnerability by strengthening the ACLs (Access Control Lists) on the sensitive paths used by the Antimalware platform, limiting interaction by non-administrator users. In addition, the mechanisms for identifying and validating the processes that request interaction with the core security components were improved.

Affected products and versions

  • .NET
  • .NET Framework
  • .NET and Visual Studio
  • .NET, .NET Framework, Visual Studio
  • Applocker Filter Driver (applockerfltr.sys)
  • Azure Logic Apps
  • Azure Monitor Agent
  • Desktop Window Manager
  • Function Discovery Service (fdwsd.dll)
  • GitHub Copilot and Visual Studio Code
  • Microsoft Brokering File System
  • Microsoft Defender
  • Microsoft Dynamics 365 (on-premises)
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft High Performance Compute Pack (HPC)
  • Microsoft Management Console
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office PowerPoint
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Power Apps
  • Microsoft PowerShell
  • Microsoft Windows
  • Microsoft Windows Search Component
  • Microsoft Windows Speech
  • Remote Desktop Client
  • Role: Windows Hyper-V
  • SQL Server
  • Universal Plug and Play (upnp.dll)
  • Windows Active Directory
  • Windows Admin Center
  • Windows Advanced Rasterization Platform
  • Windows Ancillary Function Driver for WinSock
  • Windows Biometric Service
  • Windows BitLocker
  • Windows Boot Loader
  • Windows Boot Manager
  • Windows COM
  • Windows Client Side Caching driver (csc.sys)
  • Windows Cloud Files Mini Filter Driver
  • Windows Common Log File System Driver
  • Windows Container Isolation FS Filter Driver
  • Windows Cryptographic Services
  • Windows Encrypting File System (EFS)
  • Windows File Explorer
  • Windows GDI
  • Windows HTTP.sys
  • Windows Hello
  • Windows IKE Extension
  • Windows Installer
  • Windows Kerberos
  • Windows Kernel
  • Windows Kernel Memory
  • Windows LUAFV
  • Windows Local Security Authority Subsystem Service (LSASS)
  • Windows Management Services
  • Windows OLE
  • Windows Print Spooler Components
  • Windows Projected File System
  • Windows Push Notifications
  • Windows RPC API
  • Windows Recovery Environment Agent
  • Windows Redirected Drive Buffering
  • Windows Remote Desktop
  • Windows Remote Desktop Licensing Service
  • Windows Remote Procedure Call
  • Windows SSDP Service
  • Windows Sensor Data Service
  • Windows Server Update Service
  • Windows Shell
  • Windows Snipping Tool
  • Windows Speech Brokered Api
  • Windows Storage Spaces Controller
  • Windows TCP/IP
  • Windows TDI Translation Driver (tdx.sys)
  • Windows USB Print Driver
  • Windows Universal Plug and Play (UPnP) Device Host
  • Windows User Interface Core
  • Windows Virtualization-Based Security (VBS) Enclave
  • Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys)
  • Windows WalletService
  • Windows Win32K - GRFX
  • Windows Win32K - ICOMP

Mitigation actions

In line with the vendor's statements, it is recommended to update the affected products through the dedicated Windows Update function.

CVE (165)

| CVE | POC | EXPLOITATION |
| --- | --- | --- |
| CVE-2026-33104 | - | - |
| CVE-2026-33103 | - | - |
| CVE-2026-27907 | - | - |
| CVE-2026-27906 | - | - |
| CVE-2026-27909 | - | - |
| CVE-2026-33100 | - | - |
| CVE-2026-27908 | - | - |
| CVE-2026-33101 | - | - |
| CVE-2026-20945 | - | - |
| CVE-2026-23657 | - | - |
| CVE-2026-23653 | - | - |
| CVE-2026-26143 | - | - |
| CVE-2026-27910 | - | - |
| CVE-2026-26149 | - | - |
| CVE-2026-27912 | - | - |
| CVE-2026-33119 | - | - |
| CVE-2026-27911 | - | - |
| CVE-2026-33118 | - | - |
| CVE-2026-27914 | - | - |
| CVE-2026-27913 | - | - |
| CVE-2026-27916 | - | - |
| CVE-2026-33115 | - | - |
| CVE-2026-27915 | - | - |
| CVE-2026-33114 | - | - |
| CVE-2026-27918 | - | - |
| CVE-2026-32149 | - | - |
| CVE-2026-27917 | - | - |
| CVE-2026-33116 | - | - |
| CVE-2026-27919 | - | - |
| CVE-2026-32150 | - | - |
| CVE-2026-32152 | - | - |
| CVE-2026-33120 | - | - |
| CVE-2026-32151 | - | - |
| CVE-2026-20930 | - | - |
| CVE-2026-26151 | - | - |
| CVE-2026-25184 | - | - |
| CVE-2026-26153 | - | - |
| CVE-2026-26152 | - | - |
| CVE-2026-26155 | - | - |
| CVE-2026-26154 | - | - |
| CVE-2026-26156 | - | - |
| CVE-2026-26159 | - | - |
| CVE-2026-27921 | - | - |
| CVE-2026-27920 | - | - |
| CVE-2026-27923 | - | - |
| CVE-2026-27922 | - | - |
| CVE-2026-27925 | - | - |
| CVE-2026-27924 | - | - |
| CVE-2026-27927 | - | - |
| CVE-2026-32158 | - | - |
| CVE-2026-27926 | - | - |
| CVE-2026-32157 | - | - |
| CVE-2026-27929 | - | - |
| CVE-2026-32159 | - | - |
| CVE-2026-27928 | - | - |
| CVE-2026-32154 | - | - |
| CVE-2026-32153 | - | - |
| CVE-2026-32156 | - | - |
| CVE-2026-20806 | - | - |
| CVE-2026-20928 | - | - |
| CVE-2026-32155 | - | - |
| CVE-2026-33096 | - | - |
| CVE-2026-32160 | - | - |
| CVE-2026-33095 | - | - |
| CVE-2026-33098 | - | - |
| CVE-2026-32163 | - | - |
| CVE-2026-32162 | - | - |
| CVE-2026-26160 | - | - |
| CVE-2026-26162 | - | - |
| CVE-2026-26161 | - | - |
| CVE-2026-26163 | - | - |
| CVE-2026-26166 | - | - |
| CVE-2026-26165 | - | - |
| CVE-2026-26168 | - | - |
| CVE-2026-26167 | - | - |
| CVE-2026-27930 | - | - |
| CVE-2026-26169 | - | - |
| CVE-2026-27931 | - | - |
| CVE-2026-32202 | - | - |
| CVE-2026-32168 | - | - |
| CVE-2026-32201 | - | Present |
| CVE-2026-32203 | - | - |
| CVE-2026-32165 | - | - |
| CVE-2026-32164 | - | - |
| CVE-2026-33099 | - | - |
| CVE-2026-32167 | - | - |
| CVE-2026-32200 | - | - |
| CVE-2026-32171 | - | - |
| CVE-2026-26171 | - | - |
| CVE-2026-26170 | - | - |
| CVE-2026-26173 | - | - |
| CVE-2026-26172 | - | - |
| CVE-2026-26175 | - | - |
| CVE-2026-26174 | - | - |
| CVE-2026-26177 | - | - |
| CVE-2026-26176 | - | - |
| CVE-2026-26179 | - | - |
| CVE-2026-26178 | - | - |
| CVE-2026-33827 | - | - |
| CVE-2026-33826 | - | - |
| CVE-2026-33829 | - | - |
| CVE-2026-32217 | - | - |
| CVE-2026-32216 | - | - |
| CVE-2026-33822 | - | - |
| CVE-2026-32219 | - | - |
| CVE-2026-33825 | Present | Present |
| CVE-2026-32218 | - | - |
| CVE-2026-33824 | - | - |
| CVE-2026-32212 | - | - |
| CVE-2026-32215 | - | - |
| CVE-2026-32214 | - | - |
| CVE-2026-32176 | - | - |
| CVE-2026-32178 | - | - |
| CVE-2026-32183 | - | - |
| CVE-2026-32184 | - | - |
| CVE-2026-26180 | - | - |
| CVE-2026-32181 | - | - |
| CVE-2026-26182 | - | - |
| CVE-2026-26181 | - | - |
| CVE-2026-26184 | - | - |
| CVE-2026-26183 | - | - |
| CVE-2026-0390 | - | - |
| CVE-2026-32224 | - | - |
| CVE-2026-32223 | - | - |
| CVE-2026-32069 | - | - |
| CVE-2026-32226 | - | - |
| CVE-2026-32225 | - | - |
| CVE-2026-32220 | - | - |
| CVE-2026-32189 | - | - |
| CVE-2026-32222 | - | - |
| CVE-2026-32068 | - | - |
| CVE-2026-32188 | - | - |
| CVE-2026-32221 | - | - |
| CVE-2026-32073 | - | - |
| CVE-2026-32072 | - | - |
| CVE-2026-32075 | - | - |
| CVE-2026-32196 | Present | - |
| CVE-2026-32195 | - | - |
| CVE-2026-32074 | - | - |
| CVE-2026-32190 | - | - |
| CVE-2026-32071 | - | - |
| CVE-2026-32192 | - | - |
| CVE-2026-32070 | - | - |
| CVE-2026-32077 | - | - |
| CVE-2026-32198 | - | - |
| CVE-2026-32076 | - | - |
| CVE-2026-32197 | - | - |
| CVE-2026-32079 | - | - |
| CVE-2026-32078 | - | - |
| CVE-2026-32199 | - | - |
| CVE-2026-32084 | - | - |
| CVE-2026-32083 | - | - |
| CVE-2026-32086 | - | - |
| CVE-2026-32085 | - | - |
| CVE-2026-32080 | - | - |
| CVE-2026-32082 | - | - |
| CVE-2026-32081 | - | - |
| CVE-2026-23670 | - | - |
| CVE-2026-32088 | - | - |
| CVE-2026-32087 | - | - |
| CVE-2026-32089 | - | - |
| CVE-2026-32091 | - | - |
| CVE-2026-32090 | - | - |
| CVE-2026-32093 | - | - |
| CVE-2026-23666 | - | - |
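The CVE table above is what a patch team actually triages: rows marked in the EXPLOITATION column go first, rows with only a public POC next, everything else after. The following script is an added example (not part of the advisory or of GovPing) that parses that table layout and orders the CVEs by that tiering; the ordering rule and the sample rows are assumptions constructed from the page, and `parse_cve_table`, `prioritize` and `CveRow` are hypothetical names.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the advisory's CVE table, in the same column layout
# as the page (CVE | POC | EXPLOITATION). "Presente"/"Present" marks a hit.
SAMPLE_TABLE = """\
| CVE | POC | EXPLOITATION |
| --- | --- | --- |
| CVE-2026-33104 | - | - |
| CVE-2026-32201 | - | Presente |
| CVE-2026-33825 | Presente | Presente |
| CVE-2026-32196 | Presente | - |
| CVE-2026-23666 | - | - |
"""

# One table row: a CVE id in column 1, then the two flag columns.
ROW_RE = re.compile(r"^\|\s*(CVE-\d{4}-\d{4,})\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")
# Accept the Italian cell text as well as its English translation.
FLAG_WORDS = {"presente", "present"}


@dataclass(frozen=True)
class CveRow:
    cve: str
    poc: bool        # public proof of concept reported
    exploited: bool  # exploitation in the wild reported

    @property
    def tier(self) -> int:
        """0 = exploited (patch first), 1 = public PoC only, 2 = neither."""
        if self.exploited:
            return 0
        return 1 if self.poc else 2


def parse_cve_table(text: str) -> list[CveRow]:
    """Turn the markdown CVE table into rows; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cve, poc, expl = m.groups()
            rows.append(CveRow(cve, poc.lower() in FLAG_WORDS, expl.lower() in FLAG_WORDS))
    return rows


def prioritize(rows: list[CveRow]) -> list[CveRow]:
    """Exploited CVEs first, then PoC-only, then the rest; CVE id breaks ties."""
    return sorted(rows, key=lambda r: (r.tier, r.cve))
```

Feed it the full table from the advisory (copied verbatim) and the first rows of the result are the ones to track to closure before the rest of the 165.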

References (2)

  1. https://msrc.microsoft.com/update-guide/releaseNote/2026-apr
  2. https://msrc.microsoft.com/update-guide

Change log

| Version | Notes | Date |
| --- | --- | --- |
| 1.0 | Published on 15-04-2026 | 15/04/2026 |
| 1.1 | Updated the "CVE" section with the presence of a PoC for CVE-2026-32196 | 17/04/2026 |
| 1.2 | Updated the "CVE" section for detected exploitation of CVE-2026-33825 | 23/04/2026 |

Systemic impact

Critical (76.66)

Publication date

15/04/26 at 11:38

Last update date

23/04/26 at 15:55

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CSIRT-ITA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

  • Agency: CSIRT-ITA
  • Instrument: Notice
  • Branch: Executive
  • Source language: it
  • Legal weight: Non-binding
  • Stage: Final
  • Change scope: Substantive

Who this affects

  • Applies to: Technology companies, Government agencies
  • Industry sector: 5112 Software & Technology
  • Activity scope: Security vulnerability remediation, Software patching, Endpoint protection
  • Geographic scope: IT

Taxonomy

  • Primary area: Cybersecurity
  • Operational domain: IT Security
  • Compliance frameworks: NIST CSF
  • Topics: Data Privacy, Software & Technology
