
Microsoft Releases Emergency Patch for Critical Office Vulnerability

  • Jan 27

Key Findings


  • Microsoft issued emergency updates to fix an actively exploited Office zero-day, CVE-2026-21509, affecting Office 2016–2024 and Microsoft 365 Apps.

  • The vulnerability is a security feature bypass: an unauthorized attacker who gets a user to open a malicious Office file can bypass Office's OLE security protections on that machine.

  • Microsoft confirmed the Preview Pane is not an attack vector, but did not disclose technical details about the active exploits.

  • Office 2021 and later are automatically protected via a service-side fix, but Office 2016 and 2019 require installing security updates or manually applying a registry change.


Background


The security flaw, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0 and has been described by Microsoft as a "security feature bypass in Microsoft Office" that allows an attacker to bypass OLE security protections.


Successful exploitation requires an attacker to send a specially crafted malicious Office file and convince the recipient to open it. Microsoft noted the Preview Pane is not an attack vector in this case.


Patching and Mitigations


Microsoft has released out-of-band security updates to address the vulnerability for the following affected Office versions:


  • Microsoft Office 2019 (32-bit edition) - 16.0.10417.20095

  • Microsoft Office 2019 (64-bit edition) - 16.0.10417.20095

  • Microsoft Office 2016 (32-bit edition) - 16.0.5539.1001

  • Microsoft Office 2016 (64-bit edition) - 16.0.5539.1001


For Office 2016 and 2019, Microsoft is also providing a manual registry change as a mitigation option. It involves adding a COM Compatibility registry key for the affected component and setting a Compatibility Flags DWORD value under it.


Office 2021 and later versions are automatically protected through a service-side fix, but users will need to restart their Office applications for the protections to take effect.
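As an added example (not code from the post, from Microsoft, or from any of the sources below), the PowerShell script below checks a local Office 2016/2019 installation against the out-of-band builds listed above and reports whether the manual COM Compatibility mitigation key is present. The CLSID the mitigation targets is not given in the post, so it is a placeholder that must be replaced from Microsoft's advisory; resolving WINWORD.EXE through its App Paths entry and the HKCU `COM Compatibility` location are assumptions about where to look, not details taken from the post.

```powershell
# Added example (not from the post or from Microsoft): report whether the locally
# installed Office 2016/2019 build is at or above the out-of-band builds the post
# lists for CVE-2026-21509, and whether a COM Compatibility mitigation key exists.

# Patched builds exactly as listed in the post (same build for 32- and 64-bit).
$PatchedBuilds = @{
    '16.0.10417' = [version]'16.0.10417.20095'   # Office 2019
    '16.0.5539'  = [version]'16.0.5539.1001'     # Office 2016
}

# ASSUMPTION / PLACEHOLDER: the post does not name the CLSID the mitigation
# targets. Replace this with the CLSID from Microsoft's advisory before use.
$MitigationClsid = '{PLACEHOLDER-CLSID-FROM-MS-ADVISORY}'
# ASSUMPTION: per-user COM Compatibility location for Office 16.x builds.
$MitigationKey = "HKCU:\Software\Microsoft\Office\16.0\Common\COM Compatibility\$MitigationClsid"

function Get-OfficeBuild {
    # Resolve WINWORD.EXE via its App Paths entry and read the file version.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
    $exe = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'
    if (-not $exe -or -not (Test-Path -Path $exe)) { return $null }
    return [version](Get-Item -Path $exe).VersionInfo.FileVersion
}

function Test-Cve202621509Status {
    $build = Get-OfficeBuild
    if (-not $build) {
        return [pscustomobject]@{
            Build = $null; Status = 'Office (WINWORD.EXE) not found'
            MitigationKeyPresent = $false; CompatibilityFlags = $null
        }
    }

    # Office 2016/2019 are identified by the first three version components.
    $branch = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
    $status = if ($PatchedBuilds.ContainsKey($branch)) {
        if ($build -ge $PatchedBuilds[$branch]) {
            'Patched: out-of-band build or later'
        } else {
            'VULNERABLE: install the out-of-band update or apply the registry mitigation'
        }
    } else {
        # Office 2021 / Microsoft 365 Apps: the post says these get a service-side
        # fix, so the build number alone is not the signal; restart Office instead.
        'Not an Office 2016/2019 build listed in the post; relies on the service-side fix (restart Office)'
    }

    # Report the mitigation value if present; the post does not state the
    # expected flag value, so only its presence is reported here.
    $flags = (Get-ItemProperty -Path $MitigationKey -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'

    [pscustomobject]@{
        Build                = $build.ToString()
        Status               = $status
        MitigationKeyPresent = [bool]$flags
        CompatibilityFlags   = if ($flags) { '0x{0:X}' -f $flags } else { $null }
    }
}

Test-Cve202621509Status | Format-List
```

The script only reads the registry and the WINWORD.EXE file version, so it can run in a standard (non-elevated) session; feed its output into whatever inventory or endpoint-management tooling you use to track which hosts still need the out-of-band update.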


Threat Actor Activity


Microsoft has not shared any technical details about the nature and scope of attacks exploiting CVE-2026-21509. However, the issue has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by February 16, 2026.


This suggests the vulnerability is being actively targeted by threat actors, making it critical for all affected organizations to prioritize updates and mitigations as soon as possible.


Sources


  • https://securityaffairs.com/187349/hacking/emergency-microsoft-update-fixes-in-the-wild-office-zero-day.html

  • https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html

  • https://www.socdefenders.ai/item/574871fa-14a6-4042-9164-c338e6f7a04a

  • https://www.instagram.com/p/DT-9tmxjoM3/

  • https://www.reddit.com/r/SecOpsDaily/comments/1qnpdky/microsoft_patches_actively_exploited_office/

  • https://www.clearphish.ai/news/microsoft-patches-actively-exploited-office-zero-day-vulnerability

© 2025 by Explain IT Again. Powered and secured by Wix
