Executive Summary
The April 2026 Patch Tuesday release addresses 167 vulnerabilities across the Microsoft ecosystem, the largest monthly count to date. It includes 11 Critical-rated vulnerabilities and 2 zero-days that were publicly disclosed before a fix was available and are reported as actively exploited. The urgency is compounded by the expiration of the legacy 2011 Secure Boot certificates on June 26, 2026, which affects the boot integrity and boot-manager update eligibility of millions of devices. Organizations should prioritize immediate patching, especially for internet-exposed systems and those handling sensitive workloads, and verify their Secure Boot configuration to remain protected against boot-level threats.
Technical Information
The April 2026 Patch Tuesday update encompasses a broad spectrum of vulnerabilities affecting core components such as Windows Remote Desktop Protocol (RDP), the Windows Kernel, Secure Boot, and a variety of ancillary services including SQL Server, PowerShell, and USB Printing Stack. The two most critical vulnerabilities are a remote code execution flaw in RDP and a privilege escalation bug in the Windows Kernel. Both have been publicly disclosed, with technical details circulating in the wild, increasing the risk of rapid weaponization.
The RDP Remote Code Execution vulnerability lets an attacker who holds no credentials on the target execute arbitrary code once a user opens a malicious .rdp file, typically delivered through a phishing email. User interaction is required, but the attack exploits the trust users place in .rdp files and insufficient validation of the connection settings those files carry. The April update adds a security warning and disables all connection settings by default the first time an .rdp file is opened, which materially reduces the attack surface. Unsolicited .rdp attachments should still be treated as hostile.
The Windows Kernel Privilege Escalation zero-day enables local attackers or malware to elevate privileges to SYSTEM level, often as part of a multi-stage attack chain following initial compromise. This vulnerability is particularly dangerous in environments where endpoint detection and response (EDR) solutions are not fully deployed or where lateral movement is possible. The patch strengthens kernel-level security checks and access controls, mitigating known exploitation vectors.
A third critical issue is the Secure Boot Certificate Expiration. Devices relying on legacy 2011 Secure Boot certificates will lose the ability to receive security updates for the Windows Boot Manager after June 26, 2026. This exposes systems to bootkit malware such as BlackLotus (CVE-2023-24932) and undermines the integrity of the boot process. The April update initiates a phased rollout of new certificates and adds Secure Boot status visibility to the Windows Security app, enabling administrators to proactively manage compliance.
Other notable vulnerabilities addressed include denial of service in the Windows Redirected Drive Buffering System (CVE-2026-32216), privilege escalation in SQL Server (CVE-2026-32167), information disclosure in the Local Security Authority Subsystem Service (CVE-2026-26155), remote code execution in the Windows Snipping Tool (CVE-2026-32183), and multiple security feature bypasses in PowerShell, Power Apps, and Virtualization-Based Security.
The update also covers vulnerabilities in HTTP.sys, USB Printing Stack, Push Notifications, and the Brokering File System, reflecting the increasing complexity and interdependence of modern Windows environments. The full list of CVEs and affected components is available in the Microsoft Security Update Guide – April 2026.
Exploitation in the Wild
As of this report, there is no evidence of mass exploitation of the RDP Remote Code Execution or Windows Kernel Privilege Escalation vulnerabilities. However, security researchers and community forums such as Reddit have reported targeted phishing campaigns distributing malicious .rdp files, and exploit code is expected to surface imminently due to the public disclosure of technical details. Privilege escalation via the kernel remains a staple in ransomware and advanced persistent threat (APT) campaigns, often following successful phishing or exploitation of remote services.
The BlackLotus bootkit (CVE-2023-24932) continues to pose a significant threat to unpatched systems, particularly those with outdated Secure Boot certificates. Organizations failing to update their certificates risk exposure to pre-OS bootkits capable of bypassing traditional endpoint security controls.
APT Groups using this vulnerability
No direct attribution has been made for the exploitation of the April 2026 zero-days at the time of writing. However, historical analysis indicates that groups such as FIN7 and APT41 have leveraged similar RDP and privilege escalation vulnerabilities for lateral movement and persistence in enterprise environments. The BlackLotus bootkit has been observed in campaigns attributed to both financially motivated and state-sponsored actors, underscoring the importance of timely patching and Secure Boot management.
Affected Product Versions
The vulnerabilities addressed in this cycle impact a wide array of Microsoft products and versions. Affected operating systems include Windows 11 (versions 26H1, 25H2, 24H2, 23H2), Windows Server 2025, Windows Server 2022, Windows Server 2019, and all Windows 10 editions under Extended Security Updates (ESU) as of April 2026. Productivity suites such as Microsoft Office 2016, 2019, 2021, and Microsoft 365 Apps for Enterprise (across all update channels) are also affected.
Other impacted products include Microsoft SQL Server 2017, 2019, 2022, PowerShell (all supported versions), Power Apps (cloud and on-premises), Windows Snipping Tool, Windows Push Notifications, USB Printing Stack (usbprint.sys), Redirected Drive Buffering System, HTTP.sys, Brokering File System, Virtualization-Based Security (VBS), and Microsoft Edge (Chromium-based, patched separately).
All Windows devices utilizing Secure Boot with legacy 2011 certificates—typically UEFI systems manufactured between 2012 and 2025—are at risk of losing security update eligibility and boot integrity if not updated before the June 26, 2026 deadline.
Workaround and Mitigation
Immediate patching is the most effective mitigation. Organizations should deploy the April 2026 updates to all Windows endpoints and servers within 24 to 48 hours, starting with internet-facing RDP hosts and any system where the kernel privilege escalation would give an attacker SYSTEM after an initial foothold. Administrators must also verify the status of their Secure Boot certificates and begin the certificate update well before the June 26, 2026 cutoff to preserve boot integrity and protection against bootkits.
Where immediate patching is not feasible, disable RDP where it is not needed, restrict inbound RDP to trusted management ranges with host and network firewall rules, and require multi-factor authentication for remote access (for example through a VPN or RD Gateway rather than exposing port 3389 directly). Monitor for unusual .rdp file downloads, unexpected RDP session initiations (successful logons with logon type 10, RemoteInteractive, in Security event 4624), and suspicious child processes spawned from RDP sessions.
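The following PowerShell is an added example, not code from the original advisory or from Microsoft. It scopes the host firewall's built-in Remote Desktop rule group to trusted management ranges, provides a function to turn RDP off entirely where it is not needed, and lists recent RemoteInteractive logons (Security event 4624, LogonType 10) whose source address falls outside those ranges. The subnets in $TrustedRanges are placeholders; the script assumes IPv4 sources and an elevated PowerShell session on the host being hardened.

```powershell
# Added example (not code from the original advisory or from Microsoft): restrict RDP
# at the host firewall, optionally disable it, and surface RDP logons from untrusted sources.
# Assumptions: $TrustedRanges holds placeholder management subnets; run elevated; IPv4 only.

$TrustedRanges = @('10.10.0.0/16', '192.168.50.0/24')   # placeholder values, replace with your own

# 1. Restrict the built-in "Remote Desktop" inbound rule group to the trusted ranges.
function Set-RdpAllowedRanges {
    param([string[]]$Ranges = $TrustedRanges)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $Ranges -Enabled True
}

# 2. Where RDP is not needed, deny Terminal Services connections and close the firewall group.
function Disable-Rdp {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# IPv4 CIDR membership test (no built-in cmdlet provides this).
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)           # little-endian for ToUInt32
    $mask   = [uint32](4294967296 - [math]::Pow(2, 32 - [int]$bits))  # e.g. /24 -> 0xFFFFFF00
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# 3. Successful RemoteInteractive logons in the last $Hours whose source is outside the trusted ranges.
function Get-UntrustedRdpLogons {
    param([string[]]$Ranges = $TrustedRanges, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '10' -and $data['IpAddress'] -match '^\d{1,3}(\.\d{1,3}){3}$') {
            $trusted = $false
            foreach ($r in $Ranges) { if (Test-IpInCidr $data['IpAddress'] $r) { $trusted = $true; break } }
            if (-not $trusted) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    User   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    Source = $data['IpAddress']
                }
            }
        }
    }
}

Set-RdpAllowedRanges
Get-UntrustedRdpLogons | Format-Table -AutoSize
```

Call Disable-Rdp instead of Set-RdpAllowedRanges on hosts that do not need remote desktop at all. The logon query reads only the local Security log; on a fleet, run it through a remoting job or forward 4624 events to the SIEM and apply the same LogonType 10 plus source-range filter there.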
To mitigate kernel privilege escalation, ensure that endpoint detection and response (EDR) solutions are configured to alert on SYSTEM-level process creation and privilege escalation attempts. Regularly review endpoint logs for anomalous activity.
For Secure Boot, coordinate with OEMs to obtain necessary firmware or BIOS updates, and use the Windows Security app to verify certificate status. After applying updates, review BitLocker recovery status to ensure that disk encryption remains intact.
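The script below is an added example, not Microsoft's or the advisory's own code, for checking programmatically what the Windows Security app shows per device: whether Secure Boot is enabled, which Microsoft certificate authorities are enrolled in the UEFI KEK and db, and the BitLocker state of the system drive. It assumes the subject strings listed are the names of Microsoft's 2011 CAs and their 2023 replacements, and reads the Secure Boot servicing registry values (the key path and value name are assumptions taken from Microsoft's Secure Boot certificate guidance) on a best-effort basis. It must run elevated on a UEFI-booted machine; the Secure Boot cmdlets throw on legacy BIOS boots.

```powershell
# Added example (not Microsoft's or the advisory's own code): per-device Secure Boot
# certificate and BitLocker triage ahead of the June 26, 2026 cutoff.
# Assumptions: the CA subject strings are Microsoft's 2011 CAs and their 2023 replacements;
# the Servicing registry key/value is assumed from Microsoft's guidance and read best-effort.

$CaPairs = @(
    @{ Var = 'KEK'; Legacy = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'db';  Legacy = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Legacy = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
)

# Each variable is a packed EFI_SIGNATURE_LIST of DER certificates; the subject CNs are
# stored as plain ASCII inside the DER, so a substring search shows which CAs are enrolled.
function Get-SecureBootVariableText {
    param([ValidateSet('PK','KEK','db','dbx')][string]$Name)
    try { [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { '' }
}

function Get-SecureBootCertReport {
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { }    # throws on legacy BIOS
    $text = @{ KEK = (Get-SecureBootVariableText KEK); db = (Get-SecureBootVariableText db) }

    $rows = foreach ($p in $CaPairs) {
        [pscustomobject]@{
            Variable           = $p.Var
            Legacy2011         = $p.Legacy
            LegacyPresent      = $text[$p.Var].Contains($p.Legacy)
            Replacement2023    = $p.New
            ReplacementPresent = $text[$p.Var].Contains($p.New)
        }
    }

    # Assumed key/value from Microsoft's Secure Boot servicing guidance; absent on older builds.
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                                  -ErrorAction SilentlyContinue
    $bde = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        SecureBootOn     = $enabled
        Certificates     = $rows
        # A legacy CA still enrolled without its 2023 replacement means the device will lose
        # boot-manager updates when the 2011 chain expires.
        NeedsCertUpdate  = $enabled -and (@($rows | Where-Object { $_.LegacyPresent -and -not $_.ReplacementPresent }).Count -gt 0)
        UEFICA2023Status = if ($servicing -and $servicing.PSObject.Properties['UEFICA2023Status']) { $servicing.UEFICA2023Status } else { 'unknown' }
        BitLocker        = if ($bde) { "$($bde.ProtectionStatus) / $($bde.VolumeStatus)" } else { 'n/a' }
    }
}

$report = Get-SecureBootCertReport
$report | Format-List Computer, SecureBootOn, NeedsCertUpdate, UEFICA2023Status, BitLocker
$report.Certificates | Format-Table -AutoSize
```

Devices that report NeedsCertUpdate = True need the phased certificate rollout (and, where the OEM requires it, a firmware update) before the deadline. Capture the BitLocker field before and after the certificate update: a db or KEK change alters the measured boot state, so a volume whose ProtectionStatus drops or that prompts for its recovery key afterwards should be investigated rather than worked around by suspending encryption.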
References
For comprehensive technical details and the full list of vulnerabilities, consult the following resources:
Zecurit Patch Tuesday April 2026: https://zecurit.com/endpoint-management/patch-tuesday/
Microsoft Security Update Guide – April 2026: https://msrc.microsoft.com/update-guide
Microsoft Secure Boot Certificate Expiration Guidance: https://learn.microsoft.com/en-us/windows/release-health/windows-message-center
CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
BleepingComputer Patch Tuesday Coverage: https://www.bleepingcomputer.com/
Reddit /r/sysadmin Patch Tuesday threads: https://www.reddit.com/r/sysadmin/
NVD Vulnerability Database: https://nvd.nist.gov/
Rescana is here for you
At Rescana, we understand that navigating the rapidly evolving threat landscape requires more than just timely patching—it demands continuous visibility, proactive risk management, and actionable intelligence. Our Third-Party Risk Management (TPRM) platform empowers organizations to identify, assess, and mitigate cyber risks across their entire digital supply chain, ensuring resilience against both known and emerging threats. If you have any questions about this advisory or require tailored guidance for your organization, our team is ready to assist. Please contact us at ops@rescana.com.