The BlueHammer Fallout: April 2026 Patch Analysis & 167 CVEs
Hey team,
Just wrapped up reviewing the April 2026 Patch Tuesday dump, and it’s a heavy one. Microsoft addressed 167 vulnerabilities, but the standout is definitely the SharePoint Server zero-day (CVE-2026-30122). If you have exposed farms, patch this immediately; it allows for remote code execution without authentication.
Also concerning is the "BlueHammer" vulnerability (CVE-2026-29015) in Windows Defender. While technically a weakness rather than an active exploit right now, the public disclosure is risky. It impacts how the antimalware component interfaces with the kernel.
I'm currently hunting for any suspicious activity related to BlueHammer using this KQL query in Sentinel:
// Defender engine spawning an interactive shell in the last 7 days.
// =~ and in~ make the name matches case-insensitive, so MSMPENG.EXE / PowerShell.exe are not missed.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where FileName in~ ("powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Outside of the Microsoft ecosystem, Google Chrome patched its fourth zero-day of the year (CVE-2026-5123), and Adobe pushed an emergency out-of-band fix for an actively exploited Reader flaw (CVE-2026-4102) leading to RCE.
Given the SharePoint zero-day and the Adobe RCE, how are you prioritizing patching this week? I'm leaning towards knocking out Adobe first due to the active exploitation status, but the SharePoint exposure is gnawing at me.
We are prioritizing the Adobe Reader fix (CVE-2026-4102) immediately. We saw some suspicious PDF hits in our sandbox environment this morning that looked like exploit attempts. User interaction is required there, but the attack surface is huge (everyone has PDFs), so we're treating it as critical. SharePoint is getting patched tonight during the maintenance window. The risk of internet-facing SharePoint is high, but our DMZ is tightly locked down compared to our user inboxes.
Nice catch on the BlueHammer query. I'd recommend expanding that hunt to include MpCmdRun.exe as well, as attackers often abuse the command-line interface directly to trigger the scanning logic. Regarding the SharePoint patch, if you run into issues with the installer hanging, try clearing the config cache on your app servers before running the update:
Stop-Service SPTimerV4
# Delete only the cached *.xml files inside the GUID folder and reset cache.ini to 1; removing cache.ini itself leaves the timer service unable to rebuild the cache
$cacheDir = Get-ChildItem "C:\ProgramData\Microsoft\SharePoint\Config" -Directory | Select-Object -First 1
Get-ChildItem $cacheDir.FullName -Filter *.xml | Remove-Item -Force
Set-Content -Path (Join-Path $cacheDir.FullName "cache.ini") -Value "1"
Start-Service SPTimerV4
Saved me a few hours of headache last time.
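The same hunt as the KQL query above, extended to MpCmdRun.exe as suggested in the reply, but run locally over Security log 4688 (process creation) events so it works on a host that is not yet reporting to Sentinel. This is an added example, not code from either poster; it assumes Windows 10 / Server 2016 or later (so 4688 carries ParentProcessName), that "Audit Process Creation" is enabled with "Include command line in process creation events", and that it is run from an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the thread): local equivalent of the Sentinel hunt for
# Defender processes spawning a shell, covering both MsMpEng.exe and MpCmdRun.exe.
# Assumes 4688 auditing with command line logging is enabled and the session is elevated.
$DefenderParents = @('MsMpEng.exe', 'MpCmdRun.exe')
$ShellChildren   = @('powershell.exe', 'pwsh.exe', 'cmd.exe')

function Select-DefenderSpawnedShell {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        # 4688 fields live in EventData/Data elements keyed by their Name attribute
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (-not $d['ParentProcessName'] -or -not $d['NewProcessName']) { return }

        # -contains is case-insensitive in PowerShell, matching the in~ in the KQL version
        $parent = Split-Path -Leaf $d['ParentProcessName']
        $child  = Split-Path -Leaf $d['NewProcessName']
        if ($DefenderParents -contains $parent -and $ShellChildren -contains $child) {
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                Host    = $Event.MachineName
                Parent  = $d['ParentProcessName']
                Child   = $d['NewProcessName']
                Command = $d['CommandLine']   # empty if command line logging is off
            }
        }
    }
}

# Same 7-day window as the KQL hunt
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
    Select-DefenderSpawnedShell |
    Format-Table -AutoSize
```

An empty Command column on every hit means command line logging is not enabled on that host; fix the audit policy before trusting the absence of results.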
From a pentester's perspective, the Chrome zero-day (CVE-2026-5123) is the most interesting. It's a type confusion error in the V8 engine, which usually means exploit chains are relatively stable. I expect to see this incorporated into exploit kits very soon. If you aren't forcing Chrome updates via Group Policy, now is the time. The 'BlueHammer' Defender flaw is theoretically scary but requires local access or significant social engineering to trigger effectively in most environments.
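A quick way to check the point about forcing Chrome updates on a given host: read the installed build from chrome.exe and the Google Update policy keys that can block it. This is an added example, not the poster's code. It assumes a standard per-machine Chrome install under Program Files, the Google Update policy location HKLM:\SOFTWARE\Policies\Google\Update, and Chrome stable's Google Update app ID {8A69D345-D564-463C-AFF1-A69D9E530F96}; the fixed build number for CVE-2026-5123 is not given on this page, so -MinimumVersion is a placeholder you fill from the Chrome release note.

```powershell
# Added example (not from the thread): is this host able to pick up the Chrome fix?
# Reports the installed build and whether Google Update policy prevents updating.
# The minimum version is a placeholder; take the real fixed build from the release note.
function Test-ChromeUpdateState {
    param([Parameter(Mandatory)][version]$MinimumVersion)

    # Per-machine install paths (64-bit first, then 32-bit)
    $exe = Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe'
    if (-not (Test-Path $exe)) { $exe = Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application\chrome.exe' }
    $installed = if (Test-Path $exe) { [version](Get-Item $exe).VersionInfo.ProductVersion } else { $null }

    # Google Update policy: 0 = updates disabled, 1 = always allow, 2 = manual only, 3 = auto silent only
    $pol      = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Update' -ErrorAction SilentlyContinue
    $default  = $pol.UpdateDefault
    $chromePo = $pol.'Update{8A69D345-D564-463C-AFF1-A69D9E530F96}'   # per-app override for Chrome stable
    $interval = $pol.AutoUpdateCheckPeriodMinutes                     # 0 disables the periodic check

    # Per-app setting wins over the default; no policy at all means updates are allowed
    $effective = if ($null -ne $chromePo) { $chromePo } elseif ($null -ne $default) { $default } else { 1 }
    $blocked   = ($effective -in 0, 2) -or ($interval -eq 0)

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        InstalledVersion = $installed
        MeetsMinimum     = ($null -ne $installed -and $installed -ge $MinimumVersion)
        UpdatePolicy     = $effective
        UpdatesBlocked   = $blocked
    }
}

Test-ChromeUpdateState -MinimumVersion '0.0.0.0'   # placeholder: substitute the fixed build
```

A host with UpdatesBlocked set to True will never reach the fixed build on its own no matter how often users restart the browser; that is the case the GPO enforcement comment is about.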
Solid analysis. Given the severity of the SharePoint RCE (CVE-2026-30122), don't overlook the OT side. Many industrial sites run legacy SharePoint for maintenance logs and shift handovers, often connected to the corporate network. If you manage such a hybrid environment, verify your farm build immediately using this snippet:
Get-SPFarm | Select-Object BuildVersion
Compare the output against the latest patch baseline. If you're behind, treat it as a critical breach risk, especially if that SharePoint instance bridges to any Level 3 or 4 networks.
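Carrying the Get-SPFarm check through to a pass/fail result, as an added example rather than the poster's own snippet: it compares the farm build against a baseline you supply and also lists each server's upgrade state, since a farm can report a build while an individual server still has NeedsUpgrade set. It assumes the SharePoint Management Shell snap-in is available on the server where it runs, and the baseline version is a placeholder; the patched build for CVE-2026-30122 is not stated on this page and must come from the KB article for the fix.

```powershell
# Added example (not from the thread): farm build vs. a baseline, plus per-server upgrade state.
# The baseline passed below is a PLACEHOLDER; use the build listed in the KB for the fix.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

function Test-SPFarmBuild {
    param([Parameter(Mandatory)][version]$Baseline)
    $farm    = Get-SPFarm
    $current = $farm.BuildVersion      # System.Version, e.g. 16.0.xxxxx.xxxxx
    [pscustomobject]@{
        Farm         = $farm.Name
        BuildVersion = $current
        Baseline     = $Baseline
        Patched      = ($current -ge $Baseline)
    }
}

function Get-SPServerUpgradeStatus {
    # Role 'Invalid' is the database server entry, which has no SharePoint binaries to patch
    Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object {
        [pscustomobject]@{
            Server       = $_.Name
            Role         = $_.Role
            NeedsUpgrade = $_.NeedsUpgrade   # True until PSConfig has run after the binaries are installed
            Status       = $_.Status
        }
    }
}

Test-SPFarmBuild -Baseline '16.0.0.0'   # placeholder baseline
Get-SPServerUpgradeStatus | Format-Table -AutoSize
```

Patched = False, or any server with NeedsUpgrade = True, is the "behind" case the post describes; on a farm that bridges into OT networks that is the one to escalate first.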