Microsoft Discloses Actively Exploited Zero-Day Vulnerability in Word (CVE-2026-21514)
Microsoft has revealed a zero-day vulnerability in Microsoft Office Word, tracked as CVE-2026-21514, which allows attackers to bypass critical security protections. The flaw was officially documented on February 10, 2026, and has already been exploited in real-world attacks.
Classified as a Security Feature Bypass vulnerability (CWE-807), the issue arises from Word’s reliance on untrusted inputs when making security decisions. With a CVSS score of 7.8, the flaw is rated "Important" in severity and poses a substantial risk to users globally. Exploitation has been detected in the wild, and Microsoft’s exploitability index confirms that functional exploit code exists.
The attack requires local access and user interaction, typically the opening of a malicious Word document. No special privileges are needed, making it a low-complexity threat. Successful exploitation lets attackers compromise the confidentiality, integrity, and availability of affected systems.
Microsoft has released official patches to address the vulnerability, available through the Microsoft Security Update Guide. The primary attack vector remains malicious documents from untrusted sources, which underlines the need for prompt patching and heightened vigilance.
Source: https://gbhackers.com/microsoft-office-word-0-day-vulnerability/
Microsoft cybersecurity rating report: https://www.rankiteo.com/company/Microsoft
{
  "id": "MIC1770818400",
  "linkid": "Microsoft",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Software',
'location': 'Global',
'name': 'Microsoft',
'type': 'Technology Company'}],
'attack_vector': 'Malicious Word document (user interaction required)',
'date_publicly_disclosed': '2026-02-10',
'impact': {'operational_impact': 'Compromise of confidentiality, integrity, '
'and availability',
'systems_affected': 'Microsoft Office Word'},
'post_incident_analysis': {'root_causes': 'Reliance on untrusted inputs for '
'security decisions'},
'recommendations': 'Prompt patching and heightened vigilance against '
'malicious documents from untrusted sources',
'references': [{'source': 'Microsoft Security Update Guide'}],
'response': {'remediation_measures': 'Official patches released via Microsoft '
'Security Update Guide'},
'title': 'Microsoft Discloses Actively Exploited Zero-Day Vulnerability in '
'Word (CVE-2026-21514)',
'type': 'Security Feature Bypass',
'vulnerability_exploited': 'CVE-2026-21514 (CWE-807)'}