Microsoft reveals actively exploited Office zero-day, provides emergency fix (CVE-2026-21509)
Microsoft released emergency Office security updates to fix a security feature bypass vulnerability (CVE-2026-21509) that its threat intelligence and security teams spotted being exploited in the wild in zero-day attacks.
Users and admins are advised to review the associated advisory and to implement updates or mitigations as soon as possible.
About CVE-2026-21509
CVE-2026-21509 stems from reliance on untrusted inputs in a security decision in Microsoft Office, which allows unauthorized attackers to bypass a security feature (OLE mitigations in Microsoft 365 and Microsoft Office) locally.
“The Preview Pane is not an attack vector. An attacker must send a user a malicious Office file and convince them to open it,” Microsoft noted. Successful exploitation thus hinges on user interaction, but tricking users into opening Office files has never been an insurmountable problem for attackers.
Microsoft detected exploitation of the flaw in the wild. The good news is that a PoC exploit for it is not currently publicly available, which probably means that the exploit is wielded by a limited number of threat actors against specific targets (as opposed to against the entirety of Office users).
Microsoft’s Threat Intelligence Center (MSTIC), Security Response Center (MSRC), and Office Product Group Security Team have been credited with flagging the vulnerability. The company hasn’t shared additional details of the attacks or publicly identified possible targets.
The US Cybersecurity and Infrastructure Security Agency added CVE-2026-21509 to its Known Exploited Vulnerabilities catalog and ordered US federal civilian agencies to address the flaw by February 16, 2026.
Security updates
While Microsoft initially only released updates for Office 2021 and later, it didn’t take long for them to make them available for Microsoft Office 2016 and 2019 users as well.
“Customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect,” Microsoft explained.
“Customers running Microsoft Office 2016 and 2019 should ensure the update is installed to be protected from this vulnerability.”
Alternatively, those who are comfortable with making changes to the Windows registry can add a specific registry subkey (as detailed in Microsoft’s advisory) to protect themselves against exploitation.