Microsoft Patches Office Zero-Day Likely Exploited in Targeted Attacks

The vulnerability is tracked as CVE-2026-21509 and it can be exploited to bypass security features. 

Microsoft has released patches for CVE-2026-21509, a newly disclosed Office zero-day vulnerability that can be exploited to bypass security features.

The tech giant’s advisory for CVE-2026-21509 mentions that it’s aware of active exploitation. 

The vulnerability and the in-the-wild attacks were discovered by Microsoft’s own security researchers, but the company has yet to share any information on the malicious activity.

According to Microsoft’s description of the zero-day, “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.”

The company also clarified that the vulnerability “bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls”.

Exploitation requires the attacker to convince the targeted user to open a malicious Office file. 

The requirement for social engineering, combined with the exploit’s complexity and the potential need for a multi-stage attack chain, indicates that this zero-day is being used for targeted espionage or other high-value operations rather than broad, opportunistic campaigns.

SecurityWeek has reached out to Microsoft for additional information and will update this article if the company responds.

Microsoft has released patches for all affected versions of Office, including 2016, 2019, LTSC 2024, LTSC 2021, and Microsoft 365 Apps for Enterprise.

Mitigations are also available for users who cannot immediately update their Office installations. 

The cybersecurity agency CISA has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, instructing government organizations to address it by February 16.

Microsoft’s January 2026 Patch Tuesday updates resolved more than 110 vulnerabilities, including a Windows zero-day whose exploitation was discovered by the vendor’s own researchers. No information has been shared on those attacks either. 

UPDATE: Microsoft has provided the following statement to SecurityWeek, but it did not share any information on the attacks:

We recommend impacted customers follow the guidance on our CVE page. Additionally, Microsoft Defender has detections in place to block exploitation, and our default Protected View setting provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage users to exercise caution when downloading and enabling editing on files from unknown sources as indicated in security warnings.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
