165 CVEs. Today. That’s nearly double the average Patch Tuesday and it comes with some things that can’t wait until next week’s maintenance window.
Two zero-days confirmed. CVE-2026-32201 in SharePoint is being actively exploited right now. A second one in Microsoft Defender allows SYSTEM-level privilege escalation, but it auto-patches via the Antimalware Platform update, so verify that ran on your endpoints.
Then there’s CVE-2026-20929. Critical Kerberos vulnerability, Active Directory environments only. It allows credential relay attacks by abusing how Windows handles DNS CNAME resolution during authentication. Short version: a network-level attacker can intercept Kerberos tickets and move sideways without needing a password. Patch it, and while you’re at it, disable RC4 for Kerberos and enforce AES-128 or AES-256. RC4 should have been off years ago.
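One way to check where you stand on the RC4 recommendation, as an added PowerShell example that is not from the original post: it decodes the `msDS-SupportedEncryptionTypes` bitmask and flags accounts that still permit RC4 or DES. The function name and the sample accounts are constructed for illustration.

```powershell
# Added example: audit which accounts still permit RC4 (or DES) for Kerberos.
# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}

# Hypothetical helper: classify one account from its raw attribute value.
function Get-KerberosEncTypeFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        $EncTypes   # raw attribute value; $null when the attribute is unset
    )
    if ($null -eq $EncTypes -or [int]$EncTypes -eq 0) {
        # Unset: the account follows the domain default, which may still allow RC4.
        return [pscustomobject]@{ Name = $Name; Enabled = 'domain default'; Finding = 'REVIEW' }
    }
    $value   = [int]$EncTypes
    $enabled = @($EncTypeBits.Keys | Where-Object { $value -band $EncTypeBits[$_] })
    if ($enabled -match '^(RC4|DES)') {
        $finding = 'WEAK'      # a legacy cipher is still allowed, even alongside AES
    } elseif ($enabled -match '^AES') {
        $finding = 'OK'        # AES only
    } else {
        $finding = 'REVIEW'    # only non-cipher flag bits are set
    }
    [pscustomobject]@{ Name = $Name; Enabled = ($enabled -join ', '); Finding = $finding }
}

# Constructed sample data. With the ActiveDirectory module, real input can come from:
#   Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties msDS-SupportedEncryptionTypes
$sample = @(
    [pscustomobject]@{ Name = 'svc-legacy'; EncTypes = 4 }      # RC4 only
    [pscustomobject]@{ Name = 'svc-web';    EncTypes = 24 }     # AES128 + AES256
    [pscustomobject]@{ Name = 'svc-mixed';  EncTypes = 28 }     # RC4 + AES
    [pscustomobject]@{ Name = 'svc-unset';  EncTypes = $null }  # attribute not set
)

$sample |
    ForEach-Object { Get-KerberosEncTypeFinding -Name $_.Name -EncTypes $_.EncTypes } |
    Where-Object Finding -ne 'OK' |
    Format-Table -AutoSize
```

Accounts reported as `WEAK` or `REVIEW` are the ones to move to AES-only before RC4 is disabled domain-wide.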
CISA added six flaws to the KEV catalog today. One FortiClient EMS entry has a 48-hour deadline. If you’re a federal agency or run FortiClient EMS, you have until April 16.
Also: one of the CISA additions was patched 14 years ago. Still being exploited by ransomware actors in 2026. Technical debt doesn’t disappear. It just waits.