THE DEEP TAKE
Microsoft Just Dropped 163 Patches. Two of Them Are Wormable.
Microsoft's April Patch Tuesday addressed 163 CVEs, making it the second-largest patch release in the company's history. Eight were rated critical. One was already being exploited in the wild before the patch shipped. But the two that should have every enterprise security team working late this week are CVE-2026-33827 and CVE-2026-33824.
CVE-2026-33827 is a remote code execution flaw in the Windows TCP/IP stack. CVSS 9.8. No authentication required. No user interaction required. An attacker sends a malicious packet to a target system and gains SYSTEM-level code execution, so every Windows host that can receive packets from an attacker-controlled network is in scope. CVE-2026-33824 carries the same severity, the same score and the same no-interaction requirement, but sits in the Windows Internet Key Exchange (IKE) service: a double-free that lets unauthenticated remote attackers execute arbitrary code. Its reach is bounded by where the IKE service is actually exposed, which for IKE means UDP 500 and UDP 4500 (the latter for NAT traversal), so check which hosts answer on those ports before assuming its footprint is smaller than the TCP/IP bug's. If your environment uses IKE for VPN or IPsec tunnels, this is your Friday morning.
Then there is the SharePoint zero-day. CVE-2026-32201 is a spoofing vulnerability in SharePoint Server that Microsoft confirmed was already being exploited before the April release. The CVSS score is a modest 6.5, which is exactly the kind of number that gets deprioritized in a stack of 163. That would be a mistake. SharePoint sits at the center of document collaboration for most enterprises, and a spoofing bug there lets an attacker put content in front of users under the identity of a trusted internal system: phishing at scale, delivered by legitimate infrastructure.
The volume itself is the problem. When your patch management team faces 163 items, the natural response is triage by CVSS score. The TCP/IP and IKE bugs will float to the top. The SharePoint zero-day, with its "Important" rating, gets queued behind them. Meanwhile, the attacker who already has a working exploit keeps running it. This is the structural challenge of scale: the most dangerous vulnerability in the pile is often the one that does not look dangerous enough to prioritize.
Elevation of privilege flaws accounted for 57% of this month's patches. That tells you where the attacker playbook is pointing: initial access is cheap, escalation is the bottleneck, and a triple-digit patch count weighted toward EoP is Microsoft closing the escalation paths attackers chain after they land.
If you have not already started patching, the priority order is clear. TCP/IP and IKE first because they are network-reachable and wormable. SharePoint next because it is already under active exploitation. Everything else by Wednesday.
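The priority order above is a triage rule, and it is worth seeing why a plain CVSS sort gets it wrong. The following is an added example written for this brief, not tooling from Microsoft or the CXO Brief: it ranks a batch of CVE records by the newsletter's tiers (wormable first, actively exploited next, then everything else by score) and puts the naive CVSS-only ordering beside it. The three named CVEs carry the scores and properties quoted above; the fourth record (EXAMPLE-EOP-1), the "ike" environment flag and every field name are constructed assumptions for illustration.

```python
"""Tiered Patch Tuesday triage: wormable, then actively exploited, then CVSS.

Added example for this newsletter, not Microsoft's or the CXO Brief's own
tooling. The three CVE records use the scores and properties quoted in the
article; EXAMPLE-EOP-1, the 'ike' environment flag and every field name are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    cvss: float
    exploited_in_wild: bool = False
    network_vector: bool = False       # attack vector is the network (CVSS AV:N)
    no_auth: bool = False              # no privileges required (PR:N)
    no_user_interaction: bool = False  # no user interaction (UI:N)
    # Assumed field: a feature that must be deployed before the bug is reachable at all.
    depends_on: Optional[str] = None


def is_wormable(c: Cve) -> bool:
    """The article's working definition: network-reachable, unauthenticated,
    no user interaction. CVSS alone does not capture it; a 9.8 local EoP is not wormable."""
    return c.network_vector and c.no_auth and c.no_user_interaction


def tier(c: Cve, environment: Set[str]) -> int:
    """Lower tier patches first. Order matches the newsletter: wormable bugs,
    then anything already exploited in the wild, then the rest."""
    if c.depends_on is not None and c.depends_on not in environment:
        return 3  # vulnerable feature not deployed here: still patch, but after exposed hosts
    if is_wormable(c):
        return 0
    if c.exploited_in_wild:
        return 1
    return 2


def triage(cves: Iterable[Cve], environment: Set[str]) -> List[Cve]:
    """Sort for the patch queue. Within a tier, bugs with no deployment
    precondition come first, then higher CVSS, then CVE id for a stable order."""
    return sorted(
        cves,
        key=lambda c: (tier(c, environment), c.depends_on is not None, -c.cvss, c.cve_id),
    )


def triage_ids(cves: Iterable[Cve], environment: Set[str]) -> List[str]:
    return [c.cve_id for c in triage(cves, environment)]


def cvss_only_order(cves: Iterable[Cve]) -> List[str]:
    """The naive ordering the article warns about: highest CVSS first."""
    return [c.cve_id for c in sorted(cves, key=lambda c: (-c.cvss, c.cve_id))]


# Constructed batch. The first three follow the article; the fourth is a
# placeholder local EoP standing in for the 57% of the release in that class.
SAMPLE_CVES = [
    Cve("CVE-2026-33827", "Windows TCP/IP", 9.8,
        network_vector=True, no_auth=True, no_user_interaction=True),
    Cve("CVE-2026-33824", "Windows IKE", 9.8,
        network_vector=True, no_auth=True, no_user_interaction=True, depends_on="ike"),
    Cve("CVE-2026-32201", "SharePoint Server", 6.5, exploited_in_wild=True),
    Cve("EXAMPLE-EOP-1", "constructed local elevation of privilege", 7.8),
]


if __name__ == "__main__":
    print("CVSS only :", cvss_only_order(SAMPLE_CVES))
    print("IKE in use:", triage_ids(SAMPLE_CVES, {"ike"}))
    print("no IKE    :", triage_ids(SAMPLE_CVES, set()))
```

Under the CVSS-only sort the exploited SharePoint bug lands dead last, behind a placeholder 7.8 local EoP; the tiered sort moves it to third, directly after the two wormable bugs. The environment flag is the inventory check the IKE paragraph asks for: on a fleet where nothing answers on UDP 500/4500, the IKE fix drops to the back of the queue instead of competing with the TCP/IP bug for the same maintenance window.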
QUICK HITS
Cisco Patches Four Critical Flaws in Identity Services Engine and Webex
Cisco released fixes for four critical vulnerabilities this week, two of which should concern any enterprise running Cisco identity infrastructure. CVE-2026-20147 (CVSS 9.9) is an authenticated RCE in Identity Services Engine that lets an attacker with admin credentials escalate to root and, in single-node deployments, take ISE offline entirely. CVE-2026-20184 (CVSS 9.8) is an SSO certificate validation bypass in Webex that allows an unauthenticated attacker to impersonate any user. The Webex flaw is cloud-side and requires no customer patching, but Cisco recommends uploading a new IdP SAML certificate to Control Hub. The ISE bug requires a patch. Neither has been exploited in the wild yet. The word "yet" is doing heavy lifting in that sentence.
ShinyHunters Claims 30 Million Salesforce Records from Marcus & Millichap
Extortion group ShinyHunters posted Marcus & Millichap, a major U.S. commercial real estate firm, to its leak site this week with a claim of 30 million exfiltrated Salesforce records containing PII and internal corporate data. The ransom deadline passed April 14. The same group also claimed Amtrak in the same timeframe. The pattern matches the broader shift toward data extortion without encryption: steal everything, set a clock, publish if unpaid. The Salesforce angle matters. CRM platforms hold the most concentrated collection of customer PII in most enterprises, and they sit outside traditional endpoint security coverage. If your Salesforce instance relies on SSO alone, with no data loss prevention and no monitoring of API activity and bulk exports, you are carrying more risk than you think.
THE NUMBER: 17 years
That is how old CVE-2009-0238 is. CISA just re-added it to the Known Exploited Vulnerabilities catalog on April 14 after confirming active exploitation in the wild. The flaw is a memory corruption bug in Microsoft Excel that was first patched in 2009. It is now being weaponized again in 2026, targeting organizations still running legacy Office versions or environments where the original patch was never applied. Federal agencies have until April 28 to remediate. The lesson is uncomfortable: vulnerabilities do not retire. If your asset inventory cannot tell you whether Excel 2003 is still running somewhere in your environment, that is a gap an attacker just proved they can exploit.
Across the DoGood network this week, patch management automation and vulnerability prioritization frameworks surged in member discussions. More on that Wednesday.
The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.
Know a CIO who needs this? Forward it — they can subscribe here.
