Microsoft Office Zero-Day Actively Exploited in Ongoing
An actively exploited zero-day security feature bypass vulnerability, identified as CVE-2026-21509, has prompted Microsoft to release emergency out-of-band security updates. Released on January 26,...
An actively exploited zero-day security feature bypass vulnerability, identified as CVE-2026-21509, has prompted Microsoft to release emergency out-of-band security updates. Released on January 26, 2026, these critical patches address flaws within Microsoft Office.
The flaw, rated “Important” with a CVSS v3.1 base score of 7.8, relies on untrusted inputs in security decisions to circumvent OLE mitigations protecting against vulnerable COM/OLE controls.
CVE-2026-21509 enables local attackers to bypass Office protections after tricking users into opening malicious files via phishing or social engineering.
The attack vector requires low complexity, no privileges, and user interaction, but yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Microsoft Threat Intelligence Center (MSTIC) confirmed exploitation detection, marking it as the second actively exploited zero-day patched this month after Patch Tuesday’s updates.
Affected Products
The flaw impacts legacy and current Office editions; patches rolled out January 26, 2026.
| Product | Architecture | KB Article | Build |
|---|---|---|---|
| Office 2016 | 64-bit | 5002713 | 16.0.5539.1001 |
| Office 2016 | 32-bit | 5002713 | 16.0.5539.1001 |
| Office LTSC 2024 | 64/32-bit | N/A | Latest |
| Office LTSC 2021 | 64/32-bit | N/A | Latest |
| M365 Apps Enterprise | 64/32-bit | N/A | Latest |
| Office 2019 | 64/32-bit | N/A | 16.0.10417.20095 |
Verify builds via File > Account > About.
Office 2021+ users gain automatic service-side protection post-restart; 2016/2019 require updates or registry tweaks.
Add DWORD “Compatibility Flags” (value 400) under HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (adjust paths for arch/Click-to-Run). Backup registry first; restart apps after changes.
Organizations should prioritize patching, enable auto-updates, and monitor phishing IOCs like suspicious Office attachments. Threat actors favor this vector for ransomware/APT initial access; deploy EDR for COM/OLE anomalies. No public PoCs or actors named yet, but watch CISA KEV for additions.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.