Microsoft has rushed out an emergency patch for a security vulnerability in multiple versions of Microsoft Office and Microsoft 365 that attackers are actively exploiting. The zero-day bug, designated as CVE-2026-21509 (CVSS 7.8), allows attackers to bypass security controls in Microsoft 365 and Office that protect against unsafe COM/OLE behavior, and execute arbitrary code on affected systems.
CISA Adds Bug to KEV
The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its known exploited vulnerabilities (KEV) catalog and given federal executive civilian branch agencies until Feb. 16 to patch the issue or discontinue use of affected products until patched. To exploit the vulnerability, an attacker would either need to already have access to a system or send a malicious Office file to a user and convince them to open it. Unlike numerous previous Office vulnerabilities, merely viewing a malicious Office file in the Preview Pane will not trigger CVE-2026-21509. According to Microsoft, a successful exploit could fully compromise confidentiality, integrity, and availability of affected systems.
Security vendor Cytex assessed the vulnerability as complex to exploit and likely to involve a multistage attack chain usually associated with highly targeted attacks. "The nature of this zero-day indicates it is a tool for advanced, persistent threats (APTs)," Cytext said on X. "Key characteristics point to state-sponsored or financially motivated espionage," involving social engineering targeted at potentially high-value victims, the vendor added.
Related:Beauty in Destruction: Exploring Malware's Impact Through Art
In its advisory, Microsoft confirmed that it had detected exploit activity targeted at CVE-2026-21509. But as is the company's practice, it did not disclose any further details of the activity or whether it's targeted or opportunistic in nature.
Security researchers always recommend organizations patch affected systems immediately, especially in situations where attackers might already be actively exploiting a vulnerability.
In addition, Microsoft identified default settings, configurations, and general best practices that could mitigate the threat. Organizations on Office 2021 and later versions don't have to do anything besides restarting their Office apps because Microsoft implemented a fix for the vulnerability on the server side.
But customers on Office 2016 and 2019 will need to install the security update to protect against the threat. Microsoft's advisory listed changes and additions to certain Windows registry keys that organizations using these versions can make to immediately block attempted exploit activity.
Related:Vulnerabilities Threaten to Break Chainlit AI Framework
... continue reading