Prioritizing April '26 Patches: SharePoint Zero-Day, BlueHammer, and Adobe RCE

BackupBoss_Greg 4/26/2026

Hey everyone,

Looking at the April 2026 Patch Tuesday drop, and it’s a heavy lift. Microsoft pushed fixes for 167 vulnerabilities, but the standout is undoubtedly the SharePoint Server zero-day (CVE-2026-30114). If you have external-facing SharePoint instances, this needs to be your top priority today; it allows for unauthenticated remote code execution.

We’re also seeing a publicly disclosed weakness in Windows Defender dubbed “BlueHammer” (CVE-2026-30455). While not actively exploited in the wild yet, it involves a tampering protection bypass that could let attackers disable AV silently.

On the client side, Google Chrome fixed its fourth zero-day of the year (CVE-2026-3145), and Adobe released an emergency out-of-band patch for Reader (CVE-2026-49821) which is actively exploited. RCE in PDF readers is a classic entry vector for phishing campaigns, so update that ASAP.

For those managing Windows endpoints, you can verify the BlueHammer patch (KB5041120) with this snippet:

Get-HotFix | Where-Object {$_.HotFixID -eq "KB5041120"} | Select-Object HotFixID, InstalledOn, Description

And for SharePoint admins, check your build version post-patch to ensure you're safe:

Get-SPFarm | Select-Object BuildVersion

Given the SharePoint zero-day requires server-side action but the Adobe/Chrome flaws are user-centric, how is everyone balancing the rollout? Are you shutting down external SharePoint access immediately, or focusing on the endpoint client updates first?

whatahey 4/26/2026

We're prioritizing the SharePoint zero-day immediately. Even though it requires server-side access, the blast radius of a server compromise is too high to ignore. We're temporarily blocking external access at the WAF until the patch cycle completes.

For the Adobe flaw, we've pushed the update via SCCM, but I'm more worried about the 'BlueHammer' Defender bypass. If attackers can disable AV, they own the box regardless of other patches.

Compliance_Beth 4/26/2026

The Adobe emergency update is causing us some headaches with custom PDF plug-ins, but the RCE risk forces our hand. We're testing the patch in a golden image now.

On the Defender side, I'd recommend checking Event ID 5010 in the Microsoft-Windows-Windows Defender/Operational log. We've seen a few 'Tamper Protection disabled' events recently that might be related to scanning for BlueHammer activity.

SecurityTrainer_Rosa 4/26/2026

Good catch on the SharePoint build version check. Remember that just running Windows Update isn't always enough for SharePoint; you often have to run the SharePoint configuration wizard (psconfig) after the patch to finalize the security fixes.

Also, don't forget the Chrome update if you have users running unmanaged browsers. That 4th zero-day is a Use-After-Free in the V8 engine—trivial to exploit.

PatchTuesday_Sam 4/26/2026

To finish the thought on BlueHammer, ensure you're checking the Defender platform version, not just the definitions. We've seen cases where the engine lags behind after Windows Update. You can verify the actual build status on endpoints using:

Get-MpComputerStatus | Select-Object AMEngineVersion, NisEngineVersion, AntivirusSignatureVersion

If the AMEngineVersion isn't the April release, a manual signature update trigger (`MpCmdRun.exe -SignatureUpdate`) might be needed.

AppSec_Jordan 4/27/2026

Building on Sam's point about BlueHammer, verifying the platform version is critical. We use a quick PowerShell snippet to ensure the engine is actually updated across the fleet, not just the definitions.

Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntispywareSignatureVersion, QuickScanAge, AMEngineVersion, AMProductVersion

This helps catch the lag he mentioned before it becomes a gap in coverage.
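Pulling Sam's and Jordan's checks together, here is an added fleet-wide version of the same idea (example code, not from any poster or from Microsoft): it reports, per host, whether KB5041120 is present and whether the Defender platform (AMProductVersion) or engine (AMEngineVersion) is behind a minimum you supply. It assumes PowerShell remoting (WinRM) is enabled on the targets, and the two minimum versions are placeholders you must fill from the April release notes.

```powershell
# Added example (not from the thread). Reports hosts still missing the
# BlueHammer hotfix or running a lagging Defender platform/engine.
# KB5041120 is the KB quoted in the thread; the minimum versions below are
# ASSUMED placeholders -- replace them with the April platform/engine builds.
param(
    [string[]]$ComputerName      = @('localhost'),
    [string]$HotFixId            = 'KB5041120',
    [version]$MinPlatformVersion = '0.0.0.0',   # assumption: April platform build
    [version]$MinEngineVersion   = '0.0.0.0'    # assumption: April engine build
)

$results = foreach ($computer in $ComputerName) {
    try {
        # Hotfix presence from the update history (null when not installed).
        $kb = Get-HotFix -Id $HotFixId -ComputerName $computer -ErrorAction SilentlyContinue

        # Defender state. AMProductVersion is the platform, AMEngineVersion the
        # engine; a current signature version alone proves neither was updated.
        $mp = Invoke-Command -ComputerName $computer -ErrorAction Stop `
              -ScriptBlock { Get-MpComputerStatus }

        [pscustomobject]@{
            Computer         = $computer
            HotFixInstalled  = [bool]$kb
            PlatformVersion  = $mp.AMProductVersion
            EngineVersion    = $mp.AMEngineVersion
            SignatureVersion = $mp.AntivirusSignatureVersion
            TamperProtected  = $mp.IsTamperProtected   # relevant to BlueHammer
            PlatformLagging  = ([version]$mp.AMProductVersion -lt $MinPlatformVersion)
            EngineLagging    = ([version]$mp.AMEngineVersion  -lt $MinEngineVersion)
            Error            = $null
        }
    } catch {
        # Unreachable or remoting-disabled hosts are reported, not skipped.
        [pscustomobject]@{
            Computer = $computer; HotFixInstalled = $null; PlatformVersion = $null
            EngineVersion = $null; SignatureVersion = $null; TamperProtected = $null
            PlatformLagging = $null; EngineLagging = $null; Error = $_.Exception.Message
        }
    }
}

# Surface only hosts that still need attention.
$results |
    Where-Object { -not $_.HotFixInstalled -or $_.PlatformLagging -or $_.EngineLagging -or $_.Error } |
    Format-Table -AutoSize
```

Hosts with TamperProtected = False deserve a look regardless of version, since that is the state the thread is worried about.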

ICS_Security_Tom 4/27/2026

Validating the Defender platform version is key, but for the ICS folks out there, don't push this directly to operator workstations without testing. We’ve seen new engine binaries introduce latency that affects specific HMI drivers. Always verify in your isolated test environment before touching the production floor.
