
Microsoft Issues Massive Patch for 165 Vulnerabilities, Including Two Zero-Days


AI-generated from multiple sources. Verify before acting on this reporting.

REDMOND, Wash. (AP) — Microsoft released a massive security update Tuesday addressing 165 vulnerabilities across its software portfolio, with elevation-of-privilege flaws dominating the list of fixes. The update, issued on April 14, 2026, includes patches for two actively exploited zero-day vulnerabilities and 19 high-priority flaws identified by the company's security team.

The patch cycle, known as Patch Tuesday, represents one of the most significant monthly updates in recent years. Elevation-of-privilege vulnerabilities, which allow attackers to gain unauthorized administrative access to systems, accounted for the majority of the 165 issues addressed. Microsoft stated that the update is critical for organizations and individual users to prevent potential system compromises.

Security researchers from Tenable, Action1, and Fortra contributed to the identification of several flaws included in this release. The collaboration highlights ongoing efforts between technology vendors and third-party security firms to identify and remediate risks before they can be widely exploited.

Among the most critical issues were two zero-day vulnerabilities, which are security flaws that are unknown to the vendor until they are discovered by attackers. Microsoft confirmed that these specific vulnerabilities were being actively exploited in the wild prior to the release of the patch. The company urged all users to apply the updates immediately to mitigate the risk of unauthorized access.

The update covers a wide range of Microsoft products, including Windows operating systems, Office applications, and Azure cloud services. Organizations relying on these platforms are advised to prioritize the installation of the patches, particularly for systems exposed to the internet or handling sensitive data.

Fortra, a cybersecurity firm, noted that the high number of elevation-of-privilege bugs suggests a targeted effort by threat actors to gain deeper access into corporate networks. The firm recommended that administrators review their security configurations and implement additional monitoring measures alongside the patches.

Tenable, another security vendor, emphasized the importance of rapid deployment. The company's analysis indicated that some of the vulnerabilities could be chained together to create more complex attack vectors, increasing the potential impact on affected systems.

Action1, a remote management and automation platform provider, highlighted the operational challenges of deploying such a large-scale update across enterprise environments. The company advised IT teams to test the patches in isolated environments before rolling them out broadly to ensure compatibility with existing applications and workflows.

Microsoft has not disclosed the specific identities of the threat actors responsible for exploiting the zero-day vulnerabilities. The company stated that it is continuing to monitor the situation and will provide further guidance as more information becomes available.

Security experts are still assessing the full scope of the vulnerabilities and their potential impact on global infrastructure. While the patches are available, questions remain regarding the extent of prior exploitation and whether any data breaches have already occurred as a result of these flaws. Microsoft has committed to providing additional updates as the investigation continues.