Microsoft Patches Office Zero-Day Likely Exploited in Targeted Attacks
"Microsoft has released patches for CVE-2026-21509, a newly disclosed Office zero-day vulnerability that can be exploited to bypass security features. The tech giant's advisory for CVE-2026-21509 mentions that it's aware of active exploitation. The vulnerability and the in-the-wild attacks were discovered by Microsoft's own security researchers, but the company has yet to share any information on the malicious activity."
"According to Microsoft's description of the zero-day, 'Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.' The company also clarified that the vulnerability 'bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls'. Exploitation requires the attacker to convince the targeted user to open a malicious Office file."
"The requirement for social engineering, combined with the exploit's complexity and the potential need for a multi-stage attack chain, indicates that this zero-day is being used for targeted espionage or other high-value operations rather than broad, opportunistic campaigns. Microsoft has released patches for all affected versions of Office, including 2016, 2019, LTSC 2024, LTSC 2021, and Microsoft 365 Apps for Enterprise. Mitigations are also available for users who cannot immediately update their Office installations."
Microsoft released patches for CVE-2026-21509, a Microsoft Office zero-day in which reliance on untrusted inputs in a security decision lets an attacker bypass a security feature locally. Microsoft's own researchers discovered the vulnerability and observed in-the-wild exploitation, but the company has not shared details about the malicious activity. The flaw bypasses the OLE mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls. Exploitation requires a user to open a crafted Office file; the exploit's complexity and the likely need for a multi-stage attack chain suggest use in targeted espionage or other high-value operations rather than broad, opportunistic campaigns. Patches cover Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. Mitigations are available for those unable to update immediately. CISA added CVE-2026-21509 to its KEV catalog with a February 16 remediation deadline for government organizations.
Read at SecurityWeek