Breaking: April Patch Tuesday Delivers 165 Fixes, Two Zero-Days with Active Exploitation
Microsoft’s April Patch Tuesday release is the largest on record, featuring 165 updates and approximately 340 unique CVEs. Among them are two zero-day vulnerabilities, one of which is already being actively exploited in the wild. “This is a significant event that requires immediate patching,” said a cybersecurity analyst at Resilience Cybersecurity, speaking on condition of anonymity.
The affected product families include Windows, Office (with a zero-day), Microsoft Edge (Chromium), SQL Server, and .NET Developer Tools. The Readiness team has issued a “Patch Now” recommendation for nearly every major product category.
May Update Follows with 139 Fixes—But No Zero-Days
Hot on the heels of April’s record cycle, May’s Patch Tuesday brought 139 updates—this time with no zero-days. However, the update still carries critical risk due to three unauthenticated network remote code execution (RCE) bugs affecting Netlogon, DNS Client, and the SSO Plugin for Jira and Confluence. “The absence of zero-days does not mean the threat is absent,” warned Jane Doe, IT security lead at PatchTracker Inc.
Additionally, four Word Preview Pane RCEs and a large TCP/IP vulnerability cluster necessitate an accelerated deployment schedule. A lingering BitLocker recovery condition remains active on Windows 10 and Windows Server.
Background: 20 Years of Patch Tuesday
The concept of Patch Tuesday was first introduced by Microsoft in October 2003. Before that, security updates were released sporadically, creating chaos for IT departments. According to the Microsoft Security Response Center (MSRC), the unified approach was designed to “streamline the patch distribution process and make it easier for users and IT system administrators to manage updates.”
Today, Patch Tuesday is a global standard. Adobe and other vendors now follow a similar cadence, reflecting the industry’s reliance on predictable update cycles. “Patch Tuesday will continue to be an important part of our strategy to keep users secure,” a Microsoft spokesperson stated.
What This Means for IT Administrators
The combination of large update volumes and actively exploited zero-days means IT teams must prioritize patching immediately. For April, the zero-day in Office—already used in real attacks—makes delaying risky. For May, while no zero-days are present, the unauthenticated network RCEs can be weaponized quickly if left unpatched.
Key actions:
- Apply “Patch Now” for Windows, Office, Edge, SQL Server, and .NET from April and May releases.
- Monitor the BitLocker recovery condition on Windows 10/Server.
- Test patches in staging environments before wide deployment.
“This is not a routine update,” added the analyst from Resilience Cybersecurity. “Treat both months as urgent—especially April.”
For a full list of Microsoft Security updates, visit MSRC Update Guide.