Microsoft: Microsoft Office Zero-day Vulnerability Actively Exploited in Attacks

Microsoft Patches Actively Exploited Zero-Day in Office (CVE-2026-21509)

On January 26, 2026, Microsoft released emergency out-of-band security updates for CVE-2026-21509, a zero-day vulnerability in Microsoft Office that is being actively exploited. The flaw, rated "Important" with a CVSS score of 7.8, is classified as reliance on untrusted inputs in a security decision and allows an attacker to bypass Office's OLE mitigations.

The vulnerability lets a local attacker circumvent Office protections once a user has been tricked into opening a malicious file, typically delivered via phishing or social engineering. Exploitation is low complexity and requires no privileges, but it does require user interaction; a successful attack has high impact on confidentiality, integrity, and availability (CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The Microsoft Threat Intelligence Center (MSTIC) confirmed active exploitation. This is the second zero-day patched this month, following January's Patch Tuesday updates.

Affected Products & Mitigation

The flaw impacts legacy and current Office editions. Fixed builds and delivery mechanisms are:

  • Office 2016 (32/64-bit) – KB5002713 (Build 16.0.5539.1001)
  • Office 2019 – Build 16.0.10417.20095
  • Office LTSC 2021/2024 – protected by a service-side change once Office is restarted
  • Microsoft 365 Apps for Enterprise – automatic updates

Office 2016/2019 users must apply the update or, as an interim workaround, add a REG_DWORD value named "Compatibility Flags" with data 0x400 (hexadecimal 400, decimal 1024) under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
(Paths may vary for Click-to-Run deployments; back up the registry key before editing, and restart Office for the change to take effect.)
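Applying and verifying that workaround from PowerShell, as an added example (not code from the article or from Microsoft): the script backs up the key, writes the DWORD, and re-reads it to confirm the 0x400 bit is set. The HKLM path is the one quoted above; the Click-to-Run virtualized path and the backup location in %TEMP% are assumptions of this example, not details from the advisory.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from Microsoft. Applies and verifies the
# Office 2016/2019 registry workaround for CVE-2026-21509. The first parent key is the
# path quoted in the article; the Click-to-Run virtualized path is an ASSUMPTION (the
# article only says paths may vary for Click-to-Run) and is skipped if it does not exist.

$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID from the workaround
$ValueName = 'Compatibility Flags'
$KillBit   = 0x400                                       # hex 400 = decimal 1024

$ParentKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    # assumed Click-to-Run location, not from the advisory:
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility'
)

function Backup-ComCompatKey {
    param([string]$Parent)
    if (-not (Test-Path $Parent)) { return }            # nothing to back up yet
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file   = Join-Path $env:TEMP "COMCompat-$stamp.reg" # assumed backup location
    $native = $Parent -replace '^HKLM:\\', 'HKLM\'      # reg.exe wants HKLM\..., not the PSDrive form
    & reg.exe export $native $file /y | Out-Null
    Write-Host "Backed up '$Parent' to $file"
}

function Set-OfficeComKillBit {
    param([string]$Parent)
    $key = Join-Path $Parent $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # creates intermediate keys
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $KillBit -Force | Out-Null
}

function Test-OfficeComKillBit {
    param([string]$Parent)
    $key = Join-Path $Parent $Clsid
    if (-not (Test-Path $key)) { return $false }
    $val = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    # Count the workaround as present only if the 0x400 bit is set (other bits may be set too)
    return ($null -ne $val) -and (($val -band $KillBit) -eq $KillBit)
}

foreach ($parent in $ParentKeys) {
    # Skip hives that do not exist on this machine (e.g. the C2R path on an MSI install)
    if (-not (Test-Path (Split-Path -Path $parent -Parent))) { continue }

    Backup-ComCompatKey  -Parent $parent
    Set-OfficeComKillBit -Parent $parent

    if (Test-OfficeComKillBit -Parent $parent) {
        Write-Host ("OK: '{0}' = 0x{1:X} under {2}\{3}" -f $ValueName, $KillBit, $parent, $Clsid)
    } else {
        Write-Warning "Workaround NOT applied under $parent"
    }
}
Write-Host 'Restart all Office applications for the change to take effect.'
```

Run it from an elevated session; it skips any hive that is not present and re-reads the value rather than trusting the write. Treat the value as a kill-bit style block on that control: test documents that depend on it before deploying fleet-wide, and prefer the update itself wherever it can be installed.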

Threat Landscape & Recommendations

No public proof-of-concept (PoC) has been released and no threat actor has been publicly attributed, but organizations should prioritize patching, enable automatic updates, and monitor for phishing indicators of compromise (IOCs), particularly suspicious Office attachments. Vulnerabilities of this kind are frequently used for ransomware and APT initial access, so EDR monitoring for anomalous COM/OLE activity originating from Office processes is critical.

The CISA Known Exploited Vulnerabilities (KEV) catalog may list this flaw in the near future.

Source: https://cybersecuritynews.com/microsoft-office-zero-day-vulnerability-2/

Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence
