
Microsoft Office CVE-2026-21509 Zero-Day: Emergency Patch Released to Counter Active Exploitation

  • Jan 28

Executive Summary

On January 26, 2026, Microsoft released an emergency out-of-band patch to address a critical zero-day vulnerability in Microsoft Office, designated as CVE-2026-21509. This security flaw is being actively exploited in the wild, prompting its immediate inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. The vulnerability enables adversaries to bypass core security features in Office, specifically those related to OLE (Object Linking and Embedding) mitigations, thereby facilitating unauthorized code execution. Given the active exploitation and the high impact potential, urgent remediation is required for all organizations utilizing affected Microsoft Office products. This advisory provides a comprehensive technical breakdown, exploitation context, and actionable mitigation guidance to help organizations defend against this evolving threat.

Technical Information

CVE-2026-21509 is classified as a Security Feature Bypass vulnerability, specifically due to Microsoft Office’s reliance on untrusted inputs in security decisions (CWE-807). The vulnerability carries a CVSS v3.1 base score of 7.8, reflecting its high severity. The attack vector is local, requiring user interaction, but the complexity is low, and exploitation can result in high confidentiality, integrity, and availability impacts.

The vulnerability is rooted in the way Microsoft Office processes OLE objects embedded within Office documents. By crafting a malicious document, an attacker can bypass OLE mitigations, which are intended to prevent the execution of unsafe COM/OLE controls. This bypass allows the attacker to execute arbitrary code or perform unauthorized actions on the victim’s system. The attack requires the victim to open a specially crafted Office file, typically delivered via phishing or spear-phishing campaigns. Notably, the Preview Pane in Microsoft Office is not an attack vector for this vulnerability, so exploitation requires explicit user interaction.

No public proof-of-concept (PoC) exploit code has been released as of this writing. However, Microsoft has confirmed that the vulnerability is being actively exploited in targeted attacks. The specific attack chain details and threat actor attribution remain undisclosed, but the exploitation methodology aligns with advanced persistent threat (APT) tradecraft observed in previous Office-targeted campaigns.

The vulnerability affects the following Microsoft Office product versions: Microsoft Office 2016 (x86/x64), Microsoft Office 2019 (x86/x64), Microsoft Office LTSC 2021 (x86/x64), Microsoft Office LTSC 2024 (x86/x64), and Microsoft 365 Apps for Enterprise (x86/x64). The attack surface is broad, given the widespread deployment of these Office versions across enterprise and government environments.

The technical exploitation involves the delivery of a malicious Office document, which, when opened, leverages the OLE bypass to instantiate vulnerable COM objects. This can result in the execution of attacker-controlled code, potentially leading to system compromise, lateral movement, and data exfiltration. The exploitation chain may also involve the use of signed binary proxy execution (such as rundll32.exe) to evade detection and maintain persistence.

Microsoft Defender has updated its detection signatures to identify exploitation attempts, and Protected View in Office offers an additional layer of defense by blocking files originating from the Internet. However, these controls are not foolproof, and organizations should not rely solely on endpoint detection or user awareness to mitigate this risk.

Exploitation in the Wild

Active exploitation of CVE-2026-21509 has been confirmed by both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability’s addition to the CISA KEV catalog underscores its criticality and the urgency of remediation. Observed tactics, techniques, and procedures (TTPs) include the delivery of malicious Office documents via phishing and spear-phishing campaigns, requiring the recipient to open the file to trigger the exploit.

Once the malicious document is opened, the attacker’s payload bypasses OLE mitigations, enabling the execution of arbitrary code. This can facilitate a range of post-exploitation activities, including privilege escalation, credential theft, and lateral movement within the target environment. The exploitation is consistent with MITRE ATT&CK techniques such as T1204.002 (User Execution: Malicious File), T1193 (Spearphishing Attachment), T1059 (Command and Scripting Interpreter), and T1218.011 (Signed Binary Proxy Execution: Rundll32).

No public indicators of compromise (IOCs), such as file hashes or command-and-control (C2) infrastructure, have been released by Microsoft or third-party researchers at this time. Organizations are advised to monitor for anomalous Office document activity, particularly files received from unknown or untrusted sources, and to review endpoint and network telemetry for signs of exploitation.

APT Groups using this vulnerability

As of this report, there is no public attribution of CVE-2026-21509 exploitation to specific advanced persistent threat (APT) groups. However, the attack methodology is highly consistent with techniques historically employed by APT actors targeting Microsoft Office vulnerabilities. Groups such as APT28 (also known as Fancy Bear), APT29 (Cozy Bear), and other state-sponsored actors have previously leveraged Office-based zero-days to gain initial access to high-value targets in government, defense, and enterprise sectors.

The lack of public attribution may be due to the ongoing nature of investigations or the sophistication of the threat actors involved. Nonetheless, organizations operating in sectors frequently targeted by APTs—such as government, critical infrastructure, defense, and large enterprises—should assume a heightened risk posture and prioritize remediation efforts.

Affected Product Versions

The following Microsoft Office product versions are confirmed to be affected by CVE-2026-21509: Microsoft Office 2016 (x86 and x64), Microsoft Office 2019 (x86 and x64), Microsoft Office LTSC 2021 (x86 and x64), Microsoft Office LTSC 2024 (x86 and x64), and Microsoft 365 Apps for Enterprise (x86 and x64). The vulnerability impacts both standalone and subscription-based deployments, increasing the urgency for organizations to assess their Office estate and apply the necessary patches or mitigations.

Workaround and Mitigation

Microsoft has released a service-side fix for Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. Users of these versions must restart their Office applications to ensure the fix is applied. For Microsoft Office 2016 and Microsoft Office 2019, security updates are pending. In the interim, Microsoft recommends a registry-based mitigation to block the vulnerable COM object.

To implement the registry mitigation for Office 2016 and Office 2019:
  • Close all Office applications and back up the Windows Registry.
  • Open the Registry Editor (regedit.exe).
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ for 64-bit Office, or for 32-bit Office running on 32-bit Windows. For 32-bit Office running on 64-bit Windows, navigate instead to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\.
  • Create a new key named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
  • Within this key, create a new DWORD (32-bit) value called Compatibility Flags and set its value to 0x400 (hexadecimal).
  • Restart all Office applications.
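The same mitigation can be applied and verified at scale from an elevated PowerShell prompt. The script below is an added example, not code from the advisory, Rescana, or Microsoft; the CLSID, value name and 0x400 flag are the ones the advisory names. It assumes Office bitness can be read from the Click-to-Run Platform value or the Outlook Bitness value (pass -Bitness explicitly if neither is present), and it ORs 0x400 into any existing Compatibility Flags value rather than overwriting other bits.

```powershell
# Added example (not the advisory's or Microsoft's code): apply and verify the
# COM Compatibility registry mitigation for CVE-2026-21509 on Office 2016/2019.
# Run elevated, with every Office application closed, after backing up the registry.

$Clsid      = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$ValueName  = 'Compatibility Flags'
$KillBit    = 0x400
$NativePath = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
$Wow64Path  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'

function Get-OfficeBitness {
    # Assumption: Click-to-Run installs expose their bitness in the 'Platform'
    # value and MSI installs in Outlook's 'Bitness' value. If neither exists,
    # the caller must supply -Hint ('x86' or 'x64').
    param([ValidateSet('x86', 'x64', '')][string]$Hint = '')
    if ($Hint) { return $Hint }
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r.Platform) { return $c2r.Platform }
    $msi = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook' -ErrorAction SilentlyContinue
    if ($msi.Bitness) { return $msi.Bitness }
    throw 'Could not determine Office bitness; call Get-OfficeBitness -Hint x86|x64.'
}

function Get-ComCompatibilityPath {
    # 32-bit Office on 64-bit Windows lives under WOW6432Node; 64-bit Office, or
    # 32-bit Office on 32-bit Windows, uses the native hive (as the advisory states).
    param([string]$Bitness)
    if ([Environment]::Is64BitOperatingSystem -and $Bitness -eq 'x86') { return $Wow64Path }
    return $NativePath
}

function Test-Cve202621509Mitigation {
    # Reports whether the kill-bit flag is present for the named CLSID.
    param([string]$Bitness)
    $key = Join-Path (Get-ComCompatibilityPath $Bitness) $Clsid
    $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Key       = $key
        Value     = $current
        Mitigated = ($null -ne $current) -and (([int]$current -band $KillBit) -eq $KillBit)
    }
}

function Set-Cve202621509Mitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Bitness)
    $key = Join-Path (Get-ComCompatibilityPath $Bitness) $Clsid
    if ($PSCmdlet.ShouldProcess($key, "Set '$ValueName' bit 0x400")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flags already set on this CLSID; a fresh key yields exactly 0x400.
        $existing = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        $new = [int]$existing -bor $KillBit
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $new -Force | Out-Null
    }
    Test-Cve202621509Mitigation -Bitness $Bitness
}

# Usage: detect bitness, apply the mitigation, and print the verification result.
# Add -WhatIf to Set-Cve202621509Mitigation to preview the key it would write.
$bitness = Get-OfficeBitness
Set-Cve202621509Mitigation -Bitness $bitness | Format-List
```

Test-Cve202621509Mitigation can be run on its own (for example through a configuration-management agent) to audit which Office 2016/2019 endpoints still lack the flag while the security update for those versions is pending.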

In addition to patching and registry mitigation, organizations should ensure that Microsoft Defender is updated with the latest signatures and that Protected View is enabled in Office to block files originating from the Internet. Security teams should monitor for suspicious Office document activity, particularly files received via email from unknown or untrusted sources, and review endpoint and network logs for signs of exploitation.
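The monitoring recommended here and under "Exploitation in the Wild" comes down to one behaviour the advisory describes: an Office process spawning a signed proxy binary such as rundll32.exe (T1218.011) or a command or script interpreter (T1059). The hunt below is an added example, not detection content from the advisory, Rescana, or Microsoft. It runs over Sysmon Event ID 1 process-creation records; the three records at the bottom are constructed sample telemetry, and the Get-SysmonProcessCreate helper assumes Sysmon is installed with its default log name.

```powershell
# Added example (not from the advisory): flag Office parent processes that spawn
# rundll32.exe or a command/script interpreter, the post-open behaviour the
# advisory maps to T1218.011 and T1059. Sample records below are constructed.

$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE')
$ProxyChildren = @('rundll32.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe')

function Find-OfficeProxyExecution {
    # Accepts objects with ParentImage, Image, CommandLine, TimeCreated, Computer
    # and returns one finding per Office -> proxy/interpreter child process.
    param([Parameter(ValueFromPipeline)][object[]]$Events)
    process {
        foreach ($e in $Events) {
            if (-not $e.ParentImage -or -not $e.Image) { continue }
            $parent = [IO.Path]::GetFileName($e.ParentImage).ToUpper()
            $child  = [IO.Path]::GetFileName($e.Image).ToLower()
            if (($OfficeParents -contains $parent) -and ($ProxyChildren -contains $child)) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    Computer    = $e.Computer
                    Parent      = $parent
                    Child       = $child
                    CommandLine = $e.CommandLine
                    Technique   = if ($child -eq 'rundll32.exe') { 'T1218.011' } else { 'T1059' }
                }
            }
        }
    }
}

function Get-SysmonProcessCreate {
    # Reads Sysmon Event ID 1 from the local operational log and projects the
    # fields the hunt needs. Assumes Sysmon is installed; not used by the sample run.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                ParentImage = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
}

# Constructed sample telemetry (not real IOCs): one suspicious chain, one benign
# Office child (print spooler helper), one rundll32 launch with a non-Office parent.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2026-01-27T09:14:02Z'; Computer = 'WS-SAMPLE-01'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe C:\Users\user\AppData\Local\Temp\sample.dll,EntryPoint' }
    [pscustomobject]@{ TimeCreated = '2026-01-27T09:15:40Z'; Computer = 'WS-SAMPLE-01'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288' }
    [pscustomobject]@{ TimeCreated = '2026-01-27T09:16:11Z'; Computer = 'WS-SAMPLE-02'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' }
)

# Usage: the sample yields exactly one finding (WINWORD.EXE -> rundll32.exe, T1218.011).
# On a live host, replace $sample with: Get-SysmonProcessCreate
$sample | Find-OfficeProxyExecution | Format-Table -AutoSize
```

Expect some benign hits from legitimate add-ins or macros that shell out; triage on the child's command line (DLLs loaded from user-writable paths are the usual tell) rather than suppressing the parent/child pair outright, and extend the parent list to other Office executables in use in your estate.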

References

  • SOC Prime: CVE-2026-21509 Analysis
  • BleepingComputer: Microsoft patches actively exploited Office zero-day vulnerability
  • NVD: CVE-2026-21509
  • Microsoft Security Advisory: CVE-2026-21509
  • CISA KEV Catalog Entry: CVE-2026-21509

Rescana is here for you

Rescana is committed to empowering organizations with advanced third-party risk management (TPRM) capabilities, enabling proactive identification and mitigation of cyber threats across your supply chain and digital ecosystem. Our platform delivers actionable intelligence, continuous monitoring, and automated workflows to help you stay ahead of emerging vulnerabilities and regulatory requirements. If you have any questions or require further assistance regarding this advisory or your organization’s security posture, please contact us at ops@rescana.com.