The Scale of April's Patch Cycle
April's release addresses 134 vulnerabilities in total — an above-average cycle volume — including 11 rated Critical, 118 Important, and 5 Moderate or Low. Of those, 3 were publicly known before Microsoft issued fixes, and 2 had been actively exploited in the wild. Those two zero-days — the LDAP flaw and a SharePoint server-side execution vulnerability — are what make this cycle genuinely dangerous rather than merely large.
The volume alone does not tell the story. What matters is the character of the leading vulnerability. LDAP is not an obscure protocol or a niche product feature. It is the protocol that underlies Active Directory authentication in virtually every Windows enterprise environment on the planet. You cannot disable it. You cannot route around it. The only fix is the patch.
Top Priority: CVE-2026-1847 — Windows LDAP Remote Code Execution
CVE-2026-1847 is a heap overflow vulnerability in the Windows implementation of LDAP. An unauthenticated attacker on the same network as a target Windows Server can send a specially crafted LDAP request that triggers the overflow and allows arbitrary code execution in the context of the LDAP service (which runs with SYSTEM privileges on domain controllers).
The wormable nature of this vulnerability — meaning that a compromised system can automatically exploit adjacent systems without human intervention — creates potential for rapid, automated propagation across Windows environments. This is reminiscent of EternalBlue (MS17-010), the NSA-developed exploit that powered WannaCry and NotPetya in 2017.
Key facts:
- CVSS Base Score: 9.8 (Critical)
- Authentication: None required
- User interaction: None required
- Scope: Changed (attacker can impact resources beyond the vulnerable component)
- Affects: All Windows Server versions from 2012 R2 through 2025, plus Windows 10/11 client machines acting as LDAP servers
- CISA KEV: Added 9 April 2026
Second Priority: CVE-2026-1923 — Windows Hyper-V Escape
CVE-2026-1923 is a virtual machine escape vulnerability in Windows Hyper-V. An attacker with a compromised virtual machine guest can exploit this vulnerability to escape the VM sandbox and execute code in the context of the Hyper-V host. CVSS score: 8.8. Particularly relevant for organisations running Hyper-V-based virtualisation infrastructure, including Azure Stack HCI deployments.
Third Priority: CVE-2026-1956 — Microsoft SharePoint Server RCE (Authenticated)
An authenticated remote code execution vulnerability in SharePoint Server. While requiring authentication, the low privilege level required (any valid SharePoint user) and the widespread deployment of SharePoint across Australian enterprises makes this a significant priority. CVSS score: 8.0. In-the-wild exploitation has been confirmed.
The Rest of the April Field
Beyond the three headline vulnerabilities, April's cycle contains several patches that warrant attention for specific environments. Security teams should be aware of CVE-2026-1889 — a remote code execution flaw in Windows DNS Server (CVSS 8.1) — because DNS servers are frequently co-located with domain controllers, meaning an organisation that patches AD/LDAP but overlooks DNS on the same host remains exposed. CVE-2026-1901 (Windows RDP RCE, CVSS 8.8) matters because RDP exposure to the internet remains a persistent problem in Australian organisations despite years of warnings.
For cloud-heavy environments, CVE-2026-1945 (Azure Kubernetes Service privilege escalation, CVSS 8.8) should be reviewed by any organisation running AKS workloads. CVE-2026-1912 — an Exchange Server privilege escalation to remote code execution chain — rounds out the critical priorities for on-premises environments still running Exchange, a population that remains larger than many assume despite the migration to Exchange Online. The full Critical list for reference:
| CVE | Component | CVSS | Status |
|---|---|---|---|
| CVE-2026-1847 | Windows LDAP RCE | 9.8 | Exploited in wild |
| CVE-2026-1923 | Hyper-V Guest Escape | 8.8 | |
| CVE-2026-1956 | SharePoint Server RCE | 8.0 | Exploited in wild |
| CVE-2026-1889 | Windows DNS Server RCE | 8.1 | |
| CVE-2026-1901 | Windows RDP RCE | 8.8 | |
| CVE-2026-1912 | Exchange Server EoP→RCE | 8.0 | |
| CVE-2026-1934 | Print Spooler EoP | 7.8 | |
| CVE-2026-1945 | Azure Kubernetes Privilege Escalation | 8.8 | |
| CVE-2026-1967 | Windows Kernel EoP | 7.8 | |
| CVE-2026-1978 | .NET Deserialization RCE | 8.1 | |
| CVE-2026-1989 | Microsoft Teams RCE | 8.8 |
Patching Prioritisation: A Practical Framework
The instinctive response to a 134-vulnerability release is to apply everything simultaneously, which in practice means applying nothing on time. A tiered approach — guided by exploitability and asset criticality rather than CVSS score alone — is the operationally realistic path.
Emergency tier (within 24 hours): Domain controllers running LDAP need to be patched before anything else. CVE-2026-1847 is wormable against Active Directory infrastructure, and domain controllers are the crown jewels of Windows enterprise environments. If your change management process cannot accommodate a 24-hour emergency change window for a CVSS 9.8 wormable zero-day, that process needs to be revisited. Apply also to any SharePoint Server instances accessible from the internet or by external users — CVE-2026-1956 is already being exploited, and authenticated access means any compromised or phished account creates an exploitation path.
Urgent tier (within 72 hours): Extend CVE-2026-1847 patching to all remaining Windows Server instances. Then work through CVE-2026-1923 (all Hyper-V hosts), CVE-2026-1889 (DNS servers, particularly those co-located with domain controllers), CVE-2026-1901 (any systems with RDP enabled — which should also prompt a review of whether that RDP exposure is necessary), and CVE-2026-1912 (on-premises Exchange Server).
Standard cycle (within 30 days): The remaining Important-rated vulnerabilities can move through your normal patch deployment process, accelerated where compensating controls are weak.
On known issues: Microsoft has flagged that KB5034567 (Windows Server 2022) may cause NIC teaming failures in some configurations, with a registry workaround available and an out-of-band fix expected by April 15. KB5034589 (Windows 11 24H2) causes connectivity issues with certain Intel Wi-Fi adapters — an updated driver from Intel addresses this. Neither issue should be used to justify delaying the LDAP patch. Apply the workarounds. Take the security update.
CyberSec.au Assessment
CVE-2026-1847 is the most significant Windows vulnerability since EternalBlue in terms of its potential for automated, widespread exploitation. LDAP is not a service that can be selectively disabled in Active Directory environments — it is the foundational protocol for directory services. Every Windows Server running Active Directory is exposed.
Australian organisations that experienced the WannaCry and NotPetya incidents in 2017 because they failed to patch MS17-010 promptly should treat this as a direct parallel. The window between vulnerability disclosure and weaponised exploit development has compressed dramatically in the years since — expect reliable public exploit code within days, not weeks.
Not Sure if Your Patch Management Process is Adequate?
Get a comprehensive security assessment including patch management maturity evaluation and vulnerability exposure analysis.
Start Free Security Assessment