Microsoft’s April 2026 Patch Tuesday is notable not just for its scale — 165 vulnerabilities addressed in a single release, one of the largest patch cycles in recent memory — but for what it signals about where enterprise attack surfaces are expanding.
Buried among the expected Windows kernel patches, remote code execution fixes, and elevation of privilege vulnerabilities is something that has not appeared on a Microsoft Patch Tuesday before: AI prompt injection vulnerabilities affecting Microsoft 365 Copilot. For the first time, the attack surface of enterprise AI assistants has been formally recognized as something that requires security patches — not just usage policies.
That milestone, combined with actively exploited SharePoint zero-days and a set of Windows security flaws that attackers were already using before the patch dropped, makes April 2026 Patch Tuesday a release that security teams cannot defer.
The SharePoint Zero-Days: What’s Being Actively Exploited
The most urgent items in the April 2026 release are two SharePoint Server vulnerabilities that Microsoft has confirmed are being actively exploited in the wild. Both were zero-days at time of disclosure — meaning attackers were using them before Microsoft had patches available.
CVE-2026-26306 is a remote code execution vulnerability in SharePoint Server that allows an authenticated attacker with Site Owner privileges to execute arbitrary code in the context of the SharePoint service account. The CVSS score is 8.8 with a network attack vector: the attacker needs only the ability to reach the SharePoint web front end, not a foothold on the server itself.
The practical implication: any organization running an internet-facing SharePoint installation where an attacker can obtain or compromise a Site Owner-level account is vulnerable to full server compromise. The “authenticated attacker” requirement sounds like a significant barrier, but in practice, SharePoint Site Owner is not a highly privileged role — many organizations grant it broadly for collaboration purposes.
CVE-2026-26307 is a privilege escalation vulnerability in SharePoint Server that allows an authenticated attacker to gain Farm Administrator privileges, the highest role in an on-premises farm, with control over every web application and service in it. Combined with CVE-2026-26306 this gives an attacker holding only an ordinary authenticated account a two-step path: escalate to Farm Administrator, then execute code on the server.
Both vulnerabilities are under active exploitation. Microsoft has not disclosed who is exploiting them or what sectors are being targeted, but the combination of RCE and privilege escalation in SharePoint Server is exactly what sophisticated threat actors look for in enterprise environments.
Who needs to act immediately: Any organization running SharePoint Server (not SharePoint Online, which Microsoft patches separately) should treat these patches as emergency maintenance. Organizations running hybrid SharePoint environments — server instances federated with SharePoint Online — should patch the server components immediately regardless of internet-facing status.
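The Site Owner precondition is only a barrier if you know how many accounts satisfy it. The following is an added example, not code from the article or from Microsoft, for the SharePoint Management Shell on a farm server: it prints the farm build for comparison with the MSRC advisory and inventories every principal that is a Site Owner in fact, whether through the Owners group or through a direct Full Control grant. The CSV output path is an assumption.

```powershell
# Added example, not code from the article or from Microsoft: inventory who
# effectively holds Site Owner rights across an on-premises SharePoint farm and
# print the farm build, so the "Site Owner is granted broadly" risk can be measured.
# Run in the SharePoint Management Shell on a farm server as a farm administrator.
# The CSV output path is an assumption; change it to suit.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Compare this build against the fixed build listed in the MSRC advisory for the
# April 2026 SharePoint updates (the fixed build number is not reproduced here).
Write-Host ("Farm build: {0}" -f (Get-SPFarm).BuildVersion)

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        $web = $site.RootWeb

        # Members of the site collection's associated Owners group.
        $owners = $web.AssociatedOwnerGroup
        if ($null -ne $owners) {
            foreach ($u in $owners.Users) {
                [pscustomobject]@{
                    SiteUrl       = $site.Url
                    GrantedVia    = $owners.Name
                    Login         = $u.LoginName
                    IsDomainGroup = $u.IsDomainGroup
                }
            }
        }

        # Principals given Full Control directly on the root web: Site Owners in
        # everything but name, and easy to miss when only groups are reviewed.
        foreach ($ra in $web.RoleAssignments) {
            $full = $ra.RoleDefinitionBindings | Where-Object { $_.Name -eq 'Full Control' }
            if ($full) {
                [pscustomobject]@{
                    SiteUrl       = $site.Url
                    GrantedVia    = 'direct Full Control'
                    Login         = $ra.Member.LoginName
                    IsDomainGroup = ($ra.Member -is [Microsoft.SharePoint.SPUser]) -and $ra.Member.IsDomainGroup
                }
            }
        }
    }
    finally {
        $site.Dispose()   # SPSite objects hold unmanaged resources; always dispose
    }
}

$report | Sort-Object SiteUrl, Login | Export-Csv -NoTypeInformation -Path 'C:\Temp\sp-site-owners.csv'

# Broad grants: an AD group, or the "Everyone" claim (c:0(.s|true), inside an
# Owners group means far more people are Site Owners than the group name suggests.
$broad = $report | Where-Object { $_.IsDomainGroup -or $_.Login -like 'c:0(.s|true*' }
$broad | Format-Table SiteUrl, GrantedVia, Login -AutoSize

# Per-site owner count, largest first: the sites with dozens of owners are where
# a phished or reused credential most easily meets the CVE-2026-26306 precondition.
$report | Group-Object SiteUrl | Sort-Object Count -Descending |
    Select-Object Name, Count -First 20 | Format-Table -AutoSize
```

The two summaries at the end are the ones to act on before the patch window closes: any Owners group that contains an AD group or the Everyone claim should be tightened, and the sites at the top of the count list are where a single stolen credential gives the attacker everything the RCE needs.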
Windows: Three Actively Exploited Flaws
Alongside the SharePoint zero-days, Microsoft disclosed three Windows vulnerabilities that were under active exploitation before the April patches were released.
TechCrunch and independent researchers have documented these flaws, privilege escalation and remote code execution bugs in core Windows components, being used against enterprise organizations in April 2026.
The affected components are the Windows Common Log File System (CLFS) driver (a recurring local privilege escalation target in exploit chains), Windows DNS Server, and the Windows LDAP implementation. Each carries a significant CVSS score and represents an established exploitation path that is being weaponized now; confirm the exact CVE identifiers against MSRC before building patch and detection queries.
For organizations with Windows-based OT workstations and SCADA operator interfaces — which describes a large proportion of industrial environments — these Windows vulnerabilities are directly relevant. Historian workstations, engineering workstations, and HMI computers that run Windows but may not be on the same patching cadence as corporate IT assets need particular attention.
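The first question for those OT hosts is simply whether anything has been installed on them since the release. The following is an added example, not code from the article: it queries a list of Windows OT hosts over WinRM, reports the full OS build (version plus UBR) for comparison with the KB articles, notes the last installed hotfix, and flags hosts that were patched but not rebooted. The host names and the release date are assumptions for the example; the targets need WinRM enabled and the caller needs local administrator rights on them.

```powershell
# Added example, not code from the article: check Windows OT hosts (historians,
# engineering workstations, HMIs) for whether any update has landed since the
# April 2026 release and report the full OS build for comparison with the KB
# articles. The host names and the release date are assumptions for the example;
# the targets need WinRM enabled and the caller needs local admin on them.
$releaseDate = Get-Date '2026-04-14'        # assumed: second Tuesday of April 2026
$otHosts     = @('HIST-01', 'ENG-WS-02', 'HMI-OP-03')   # constructed host list
# In practice, pull the list from your OT OU or asset inventory, e.g.:
# $otHosts = (Get-ADComputer -SearchBase 'OU=OT,DC=example,DC=com' -Filter *).Name

$results = Invoke-Command -ComputerName $otHosts -ErrorAction SilentlyContinue -ScriptBlock {
    $os  = Get-CimInstance Win32_OperatingSystem
    # UBR is the last component of the build number (e.g. 10.0.19045.xxxx); the
    # KB article for each cumulative update states the UBR it installs.
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    # Get-HotFix only reflects Win32_QuickFixEngineering; it is a quick signal,
    # not the authoritative patch state. Entries with no InstalledOn are skipped.
    $last = Get-HotFix | Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Build        = '{0}.{1}' -f $os.Version, $ubr
        LastBoot     = $os.LastBootUpTime
        LastHotFix   = $last.HotFixID
        LastHotFixOn = $last.InstalledOn
    }
}

# Hosts that did not answer are a finding in themselves: their patch state cannot be attested.
$unreachable = $otHosts | Where-Object { $_ -notin $results.PSComputerName }

$results | Select-Object Host, Build, LastHotFix, LastHotFixOn,
    @{ n = 'Status'; e = {
        if ($_.LastHotFixOn -and $_.LastHotFixOn -ge $releaseDate) { 'updated since release' }
        else { 'NO update since release' } } },
    @{ n = 'PendingReboot'; e = {
        # Patched but not rebooted since means the old kernel and drivers are still running.
        [bool]($_.LastHotFixOn -and $_.LastBoot -lt $_.LastHotFixOn) } } |
    Sort-Object Status | Format-Table -AutoSize

if ($unreachable) { Write-Warning ('Unreachable: ' + ($unreachable -join ', ')) }
```

The Build column is the value to check against the KB for the actively exploited components; the Status and PendingReboot columns are the triage view. An HMI that shows a post-release hotfix but a boot time before it has not actually applied a CLFS driver fix, which matters in OT environments where reboots are scheduled around production windows.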
The Inflection Point: AI Prompt Injection Hits the Patch List
The most significant development in the April 2026 Patch Tuesday — not in terms of immediate exploitation risk, but in terms of what it signals — is the inclusion of AI prompt injection vulnerabilities in Microsoft 365 Copilot.
This is the first time Microsoft has formally patched AI-specific attack vulnerabilities through its standard security update process. It marks a turning point: AI assistant attack surfaces are no longer just a theoretical concern or a usage policy problem. They are a patched vulnerability category with CVE identifiers.
What is prompt injection? Prompt injection is an attack technique where malicious instructions are embedded in content that an AI assistant processes — a document, an email, a web page — and those instructions cause the AI to take actions on behalf of the attacker rather than the user.
In the context of Microsoft 365 Copilot, a successful prompt injection attack could cause the AI assistant to:
- Exfiltrate sensitive data by summarizing confidential documents and sending the summary to an attacker-controlled location
- Modify documents or emails on the user’s behalf with attacker-controlled content
- Execute actions in connected enterprise systems (Teams, Outlook, SharePoint) that the user did not intend
- Bypass data loss prevention policies by having Copilot process restricted content and relay it through channels not covered by DLP rules
The specific CVEs patched in April 2026 affect the interaction between Copilot and SharePoint content, Copilot’s handling of externally sourced content in meeting transcripts, and Copilot’s email summarization features in Outlook.
Why this matters for enterprise security teams:
Microsoft 365 Copilot is now deployed at scale across enterprise organizations. It has access to the breadth of Microsoft 365 data — email, Teams conversations, SharePoint documents, calendar, and connected Line of Business applications. The attack surface that prompt injection represents in this context is substantial.
An attacker who can get a Copilot user to process a malicious document — one that contains embedded prompt injection instructions — can potentially cause Copilot to take actions across the user’s Microsoft 365 environment. If that user is an executive with access to sensitive financial data, board materials, or M&A documents, the exfiltration potential is significant.
The April patches address specific known vulnerabilities. But they don’t eliminate prompt injection as a category — they address specific manifestations of it. Security teams need to understand that:
- Patching Copilot-related vulnerabilities is necessary but not sufficient
- Prompt injection is an ongoing attack surface that will require sustained attention
- Enterprise AI governance policies need to account for prompt injection risk in how AI assistants are configured, what data they can access, and what actions they can take
The Scale Problem: 165 Vulnerabilities in One Cycle
Beyond the specific high-priority items, the April 2026 Patch Tuesday raises a question that security teams have been grappling with for years: how do you prioritize 165 vulnerabilities when you have limited patching capacity?
A framework for prioritization:
Tier 1 — Patch within 24-48 hours:
- SharePoint Server CVE-2026-26306 and CVE-2026-26307 (actively exploited, RCE)
- Any Windows vulnerabilities currently under active exploitation
- Copilot prompt injection CVEs if your organization has deployed Copilot with broad data access
Tier 2 — Patch within one week:
- Critical CVEs (CVSS 9.0+) with network-accessible attack vectors, even if not yet confirmed exploited
- Vulnerabilities affecting internet-facing services (Exchange, RDP, IIS)
- Privilege escalation vulnerabilities that can be chained with lower-severity initial access vectors
Tier 3 — Patch in normal cycle:
- High CVEs (CVSS 7.0-8.9) that require local access or complex prerequisites
- Medium and lower CVEs without evidence of exploitation or exploit availability
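The framework is mechanical enough to run as code against the month's CVE list rather than by hand. The following is an added example, not from the article: the three tiers as a function applied to a list of CVE records. The two SharePoint entries carry only the facts the article states (the CVSS of CVE-2026-26307 is not given, so it is left null); the SAMPLE-* rows are constructed placeholders, not real April 2026 CVEs. The InternetFacing flag is an assumption about a field your own asset inventory supplies, since MSRC cannot know which of your services face the internet.

```powershell
# Added example, not from the article: the three-tier framework as a function,
# applied to a list of CVE records. The two SharePoint entries carry the facts
# the article states; the SAMPLE-* rows are constructed placeholders, not real
# April 2026 CVEs. InternetFacing is something your own asset inventory supplies.
function Get-PatchTier {
    param([Parameter(Mandatory)] $Vuln)

    # Tier 1: already exploited in the wild, whatever the score says.
    if ($Vuln.Exploited) {
        return [pscustomobject]@{ Tier = 1; Reason = 'actively exploited' }
    }
    # Tier 2: critical and network-reachable, even without confirmed exploitation.
    # A null CVSS (score not yet published) fails this test rather than erroring.
    if ($Vuln.CVSS -ge 9.0 -and $Vuln.AttackVector -eq 'Network') {
        return [pscustomobject]@{ Tier = 2; Reason = 'critical, network vector' }
    }
    # Tier 2: anything on a service your inventory marks as internet-facing.
    if ($Vuln.InternetFacing) {
        return [pscustomobject]@{ Tier = 2; Reason = 'internet-facing service' }
    }
    # Tier 2: privilege escalation usable once an attacker has any foothold.
    # This rule runs before the local-access discount on purpose: a local EoP is
    # exactly the chain link a low-severity initial access bug needs.
    if ($Vuln.Impact -eq 'Elevation of Privilege' -and $Vuln.PrivilegesRequired -eq 'Low') {
        return [pscustomobject]@{ Tier = 2; Reason = 'chainable privilege escalation' }
    }
    # Tier 3: everything else goes into the normal cycle.
    return [pscustomobject]@{ Tier = 3; Reason = 'normal cycle' }
}

$vulns = @(
    [pscustomobject]@{ Id='CVE-2026-26306'; Product='SharePoint Server';  Impact='Remote Code Execution';   CVSS=8.8;   AttackVector='Network'; PrivilegesRequired='Low';  Exploited=$true;  InternetFacing=$true  }
    # CVSS for CVE-2026-26307 is not stated in the article; left null on purpose.
    [pscustomobject]@{ Id='CVE-2026-26307'; Product='SharePoint Server';  Impact='Elevation of Privilege'; CVSS=$null; AttackVector='Network'; PrivilegesRequired='Low';  Exploited=$true;  InternetFacing=$true  }
    [pscustomobject]@{ Id='SAMPLE-1';       Product='Windows DNS Server'; Impact='Remote Code Execution';   CVSS=9.8;   AttackVector='Network'; PrivilegesRequired='None'; Exploited=$false; InternetFacing=$false }
    [pscustomobject]@{ Id='SAMPLE-2';       Product='Windows CLFS Driver';Impact='Elevation of Privilege'; CVSS=7.8;   AttackVector='Local';   PrivilegesRequired='Low';  Exploited=$false; InternetFacing=$false }
    [pscustomobject]@{ Id='SAMPLE-3';       Product='Exchange Server';    Impact='Spoofing';               CVSS=6.5;   AttackVector='Network'; PrivilegesRequired='None'; Exploited=$false; InternetFacing=$true  }
    [pscustomobject]@{ Id='SAMPLE-4';       Product='Microsoft Office';   Impact='Information Disclosure'; CVSS=5.5;   AttackVector='Local';   PrivilegesRequired='None'; Exploited=$false; InternetFacing=$false }
)

# Expected with the constructed rows: both SharePoint CVEs in Tier 1; SAMPLE-1
# (critical, network), SAMPLE-3 (internet-facing) and SAMPLE-2 (chainable EoP)
# in Tier 2; SAMPLE-4 in Tier 3.
$vulns | ForEach-Object {
    $t = Get-PatchTier $_
    $_ | Select-Object Id, Product, Impact, CVSS,
        @{ n = 'Tier'; e = { $t.Tier } }, @{ n = 'Reason'; e = { $t.Reason } }
} | Sort-Object Tier, @{ Expression = 'CVSS'; Descending = $true } | Format-Table -AutoSize
```

For the real list, the CVSS, impact and exploited fields can be populated from the MSRC CVRF data (the MsrcSecurityUpdates module's Get-MsrcCvrfDocument returns it), and the only field you have to add yourself is InternetFacing. The rule order is the design decision: exploitation status outranks score, and chain risk outranks the local-access discount.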
For OT environments: Apply this framework specifically to Windows systems in your OT environment — historian workstations, engineering workstations, operator interfaces. These systems are often on deferred patching schedules; the actively exploited Windows vulnerabilities in this release warrant expedited attention.
The AI Security Posture Review This Triggers
The formal inclusion of AI prompt injection in Microsoft’s security patch cycle should trigger a specific review for organizations running enterprise AI assistants:
What data can Copilot access? Review the data permissions configured for your Copilot deployment. Copilot inherits the user’s permissions: if a user can access a document, Copilot can access it, and Copilot will surface an over-shared file that the user never knew existed. Permission sprawl that was tolerable when a human had to go looking for the file becomes an exposure once an assistant can find it on request. Organizations that have not implemented strict sensitivity labels and access controls across their Microsoft 365 environment are exposing that data to Copilot’s attack surface.
What actions can Copilot take? Copilot with plugins enabled can take actions in connected systems — sending emails, creating calendar events, updating CRM records. Review which plugins are enabled and whether the action capabilities are appropriate for your risk tolerance.
Are you monitoring Copilot activity? Microsoft Purview provides audit logging for Copilot interactions. Ensure this logging is enabled, retained appropriately, and reviewed by your security operations team. A prompt injection that succeeds shows up in these logs as an interaction in which Copilot accessed resources or took actions the user did not ask for, so the logs are only useful if someone baselines normal usage and looks for the outliers.
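As a starting point for that review, the following is an added example, not code from the article or from Microsoft: it pulls a week of Copilot interaction records from the unified audit log with Search-UnifiedAuditLog and surfaces the interactions a SOC analyst should look at first, those that touched labeled content and those that pulled far more resources than is normal for that user. The AuditData field names it parses (CopilotEventData, AccessedResources, AppHost, SensitivityLabelId) are an assumption based on records I have seen; verify them against a live record before relying on the filters.

```powershell
# Added example, not from the article or Microsoft: pull a week of Copilot
# interaction records from the unified audit log and surface the interactions a
# SOC analyst should look at first. Needs the ExchangeOnlineManagement module and
# an account holding the Audit Logs role. The AuditData field names below
# (CopilotEventData, AccessedResources, AppHost, SensitivityLabelId) are an
# assumption; verify them against a live record before relying on the filters.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddDays(-7)

# ResultSize caps at 5000 per call; larger windows need -SessionId/-SessionCommand paging.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType CopilotInteraction -ResultSize 5000

$interactions = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    $ev   = $data.CopilotEventData
    $res  = @($ev.AccessedResources)
    [pscustomobject]@{
        When          = $r.CreationDate
        User          = $r.UserIds
        AppHost       = $ev.AppHost          # which surface: Word, Teams, Outlook, ...
        ResourceCount = $res.Count
        Labeled       = @($res | Where-Object { $_.SensitivityLabelId }).Count
        Resources     = ($res | ForEach-Object { $_.Name }) -join '; '
    }
}

# 1. Interactions that touched labeled content: the material a prompt injection
#    would most want Copilot to summarise and relay.
$interactions | Where-Object Labeled -gt 0 |
    Sort-Object Labeled -Descending |
    Format-Table When, User, AppHost, Labeled, Resources -AutoSize

# 2. Per-user outliers: an interaction pulling several times more resources than
#    that user's weekly average is the kind of anomaly worth a second look.
$interactions | Group-Object User | ForEach-Object {
    $avg = ($_.Group | Measure-Object ResourceCount -Average).Average
    $_.Group | Where-Object { $avg -gt 0 -and $_.ResourceCount -gt (3 * $avg) } |
        Select-Object When, User, AppHost, ResourceCount
} | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Neither view proves an injection on its own; what they give the analyst is a short list to correlate with the documents, emails or transcripts the user opened just before the interaction, which is where the injected instructions would be.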
Have you communicated prompt injection risk to users? Users who understand that malicious documents can hijack their AI assistant are better equipped to be skeptical of unexpected Copilot behaviors and to report anomalies. This is a new category of security awareness training.
For IoT and Industrial Teams Specifically
Microsoft’s April Patch Tuesday is primarily an enterprise IT story, but it has direct relevance for operational technology environments in several ways.
Windows-based OT systems — engineer workstations, historian servers, HMI computers, and SCADA operator interfaces running Windows — are in scope for these patches. The actively exploited Windows vulnerabilities are not limited to corporate IT contexts; any Windows system accessible from the same network as a compromised endpoint is potentially at risk.
SharePoint in industrial environments — many industrial organizations use SharePoint for documentation management, including operational procedures, maintenance records, and safety documentation. A compromised SharePoint server in this context could expose sensitive operational information to attackers.
Microsoft Teams in operational contexts — Teams is increasingly used for communication and coordination in industrial environments, including shift handoffs, incident communication, and vendor coordination. Prompt injection attacks through Teams meeting transcripts (one of the patched CVE categories) are relevant in environments where Teams is used for operational communication.
The integration of enterprise IT and OT environments that has been the defining trend in industrial cybersecurity over the past five years means that enterprise software vulnerabilities are no longer purely IT problems for industrial operators.
Recommended Actions
- Emergency patch SharePoint Server — apply CVE-2026-26306 and CVE-2026-26307 patches immediately
- Audit Windows OT workstations — identify which Windows systems in your OT environment are affected by actively exploited Windows vulnerabilities and expedite patching
- Review Copilot data access permissions — implement sensitivity labels and access controls before the AI attack surface expands further
- Enable Copilot audit logging in Microsoft Purview if not already active
- Update security awareness training to include AI prompt injection as an attack category users should recognize and report
The 165 vulnerabilities in this release will keep patch management teams busy for weeks. Start with the items that are already being exploited.
CVE details and exploitation status reflect Microsoft’s April 2026 Patch Tuesday disclosure. Organizations should verify current exploitation status and prioritization guidance via the Microsoft Security Response Center (MSRC) and their vulnerability management platform.