Welcome to Unlocked

Microsoft just dropped the second-largest Patch Tuesday in history: 163 CVEs patched in a single release, including two zero-days — one actively exploited in the wild against SharePoint right now.

But the bigger story isn't this month's patch count. It's what's driving it. AI-assisted bug discovery has fundamentally broken the economics of vulnerability management — and defenders are losing ground fast.

Here's what you need to know.

Patch This Today: CVE-2026-32201 (SharePoint Zero-Day)

The actively exploited vulnerability in this release is a spoofing flaw in Microsoft SharePoint Server — and it's nastier than its CVSS score of 6.5 suggests.

Why it matters:

  • No credentials required. An unauthenticated attacker can exploit this over a network — no login barrier.

  • Dual impact. Attackers can both read sensitive data and modify it — a rare one-two combination.

  • Already being used in attacks. Microsoft confirmed active exploitation but hasn't attributed it yet.

Affected: SharePoint Server 2016, 2019, and Subscription Edition. Patch these first.

A second zero-day, CVE-2026-33825 in Microsoft Defender, was publicly disclosed before Microsoft had a patch ready — proof-of-concept exploit code ("BlueHammer") dropped to GitHub on April 3rd. If you haven't already, read our explainer on how zero-day vulnerabilities work and why timing is everything.

The Numbers Tell the Story

This month: 163 CVEs. 8 Critical. 154 Important. Elevation-of-privilege (EoP) vulnerabilities make up over 57% of all patches.

Zoom out and the trend is alarming:

  • January 2026: 112 CVEs, 3 actively exploited zero-days

  • February 2026: 59 CVEs, 6 actively exploited zero-days

  • March 2026: 84 CVEs

  • April 2026: 163 CVEs, 2 zero-days

That's 9 actively exploited zero-days in Q1 alone. The pipeline isn't clearing — it's accelerating. And AI is why.

The AI Vulnerability Tsunami

Earlier this year, Trend Micro's Zero Day Initiative unveiled ÆSIR — an AI system that autonomously surfaces potential vulnerabilities for human researchers to verify. The model: AI generates leads, humans make calls. The result: faster, higher-volume discovery than any traditional research team could produce.

The rest of the industry followed. In 2025, more than 48,000 CVEs were published — a 38% increase from 2023. 2026 is on pace to shatter that record.

Both defenders and attackers are using these tools. The disclosure pipeline — built for a world where humans were the bottleneck — was never designed to handle this volume. The result is what security teams are calling "triage debt": a compounding backlog of disclosed vulnerabilities that vendors must patch and defenders must prioritize, with no sign of slowing down.

Two Other Patches Worth Flagging

CVE-2026-33826 — Active Directory RCE (CVSS 8.0, Critical): Remote Code Execution in Active Directory, rated "Exploitation More Likely." Requires being in the same AD domain, but AD is the most common lateral movement target in enterprise breaches. State-sponsored groups like Salt Typhoon have made AD exploitation a core tactic — don't sleep on this one.

CVE-2026-33824 — Windows IKE RCE (CVSS 9.8, Critical): Unauthenticated, no user interaction required, exploitable by sending crafted packets. Microsoft published mitigations for environments that can't patch immediately — apply them now.

The Unlocked Insight: Agentic Triage Is No Longer Optional

Here's the hard truth: the old patch management playbook is broken.

When AI tools are finding vulnerabilities at industrial scale, CVSS-based triage creates a dangerous illusion of control. CVE-2026-32201 scores a "medium" 6.5 on paper — but it's being exploited in the wild today. Meanwhile, a theoretical 9.8 in an obscure component sits in a patching queue because it looked more urgent on a spreadsheet.

The organizations that will stay ahead are moving to Agentic Triage: AI-driven patch prioritization built around real-world exploitability, not theoretical scores. Three shifts that matter right now:

  1. CISA's KEV catalog over CVSS. If a CVE is on the Known Exploited Vulnerabilities list, it's been confirmed in the wild. That signal beats any calculated severity score.

  2. Automate assessment, not just deployment. AI should continuously rank which vulnerabilities in your specific environment matter most — based on your assets, exposure, and live threat actor behavior.

  3. Zero-days are the new normal. Nine actively exploited in Q1 alone. Build them into your standing playbook, not just your incident response. Our deep dive on IAM solutions covers how leading platforms are starting to integrate real-time vulnerability prioritization into identity workflows.
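The first two shifts can be made concrete with a small ranking routine. This is an added example, not code from the newsletter or from CISA: the KEV sample only mimics the shape of CISA's JSON feed (its dates are constructed), and the tier rule and the field names `internet_facing`, `public_poc` and `vendor_assessment` are assumptions about a sample environment.

```python
import json

# Constructed sample shaped like CISA's KEV JSON feed; dates are illustrative.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-32201", "dateAdded": "2026-04-14", "dueDate": "2026-05-05"},
]})

# Constructed scanner findings. CVSS and exploitation notes come from the
# article; internet_facing values are assumptions about a sample environment.
FINDINGS = [
    {"cve": "CVE-2026-33824", "cvss": 9.8, "internet_facing": True},
    {"cve": "CVE-2026-33826", "cvss": 8.0, "internet_facing": False,
     "vendor_assessment": "Exploitation More Likely"},
    {"cve": "CVE-2026-32201", "cvss": 6.5, "internet_facing": True},
    {"cve": "CVE-2026-33825", "cvss": None, "internet_facing": False,
     "public_poc": True},  # no score given in the article
]


def load_kev(feed_text):
    """Map CVE id -> remediation due date from a KEV-format JSON document."""
    entries = json.loads(feed_text).get("vulnerabilities", [])
    return {e["cveID"].upper(): e.get("dueDate") for e in entries if "cveID" in e}


def tier(finding, kev):
    """0 = confirmed exploited (KEV), 1 = exploitation likely, 2 = score only."""
    if finding["cve"].upper() in kev:
        return 0
    if finding.get("public_poc") or \
            finding.get("vendor_assessment") == "Exploitation More Likely":
        return 1
    return 2


def rank(findings, kev):
    """Order by tier, then exposure, then CVSS (a missing score sorts last)."""
    def key(f):
        return (tier(f, kev), not f["internet_facing"], -(f["cvss"] or 0.0))
    return [
        {"cve": f["cve"], "tier": tier(f, kev), "kev_due": kev.get(f["cve"].upper())}
        for f in sorted(findings, key=key)
    ]


def rank_by_cvss(findings):
    """The score-only ordering the article argues against, for comparison."""
    return [f["cve"] for f in sorted(findings, key=lambda f: -(f["cvss"] or 0.0))]
```

Comparing `rank_by_cvss(FINDINGS)` with `rank(FINDINGS, load_kev(KEV_FEED))` shows the 6.5 SharePoint flaw moving from third place to first once KEV membership is the leading sort key.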

In a world where AI finds 160+ bugs a month, manual patching prioritization is dead. The only question is how fast your organization gets ahead of it.

Unlocked Tip of the Week

Ask your security team this week: "If a CVE scores 6.5 but is on CISA's KEV list, does our process treat it as higher priority than a theoretical 9.8 that isn't actively exploited?"

If the answer is no — or if nobody knows — your triage model is built on the wrong foundation. CVE-2026-32201 is the perfect case study. Start there.

Final Takeaway

163 CVEs. One actively exploited zero-day. Nine zero-days in Q1 alone.

This isn't a bad month — it's the new baseline. AI has changed the economics of vulnerability research permanently, and the patching model that got organizations through the last decade won't get them through the next one.

Patch CVE-2026-32201 today. Then use it as the forcing function to rethink how you triage everything else.

Stay ready. Stay resilient.

Until next time,

Author Spotlight

Meet Alex Rivera — Security Platform Engineer

Alex is a Security Platform Engineer at Everykey with a deep focus on identity architecture and the technical nuances of modern authentication. Alex is passionate about building infrastructure that balances robust security with seamless user experiences. His work explores the "Authentication Paradox"—the idea that as security measures get stronger, they can sometimes create new, invisible vulnerabilities if not implemented with a platform-wide perspective. Alex focuses on making sure the systems we trust are actually worth trusting.
