Microsoft Patches Office Zero-Day Likely Exploited in Targeted Attacks - SecurityWeek

Microsoft has released patches for CVE-2026-21509, a newly disclosed Office zero-day vulnerability that can be exploited to bypass security features. The tech giant’s advisory for CVE-2026-21509 mentions that it’s aware of active exploitation.  The vulnerability and the in-the-wild attacks were discovered by Microsoft’s own security researchers, but the company has yet to share any information on the malicious activity. According to Microsoft’s description of the zero-day, “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.” The company also clarified that the vulnerability “bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls”. Exploitation requires the attacker to convince the targeted user to open a malicious Office file.  The requirement for social engineering, combined with the exploit’s complexity and the potential need for a multi-stage attack chain, indicates that this zero-day is being used for targeted espionage or other high-value operations rather than broad, opportunistic campaigns. SecurityWeek has reached out to Microsoft for additional information and will update this article if the company responds. Microsoft has released patches for all affected versions of Office, including 2016, 2019, LTSC 2024, LTSC 2021, and Microsoft 365 Apps for Enterprise. Mitigations are also available for users who cannot immediately update their Office installations.  The cybersecurity agency CISA has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, instructing government organizations to address it by February 16. Microsoft’s January 2026 Patch Tuesday updates resolved more than 110 vulnerabilities, including a Windows zero-day whose exploitation was discovered by the vendor’s own researchers. No information has been shared on those attacks either.  UPDATE: Microsoft has provided the following statement to SecurityWeek, but it did not share any information on the attacks: “We recommend impacted customers follow the guidance on our CVE page. Additionally, Microsoft Defender has detections in place to block exploitation, and our default Protected View setting provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage users to exercise caution when downloading and enabling editing on files from unknown sources as indicated in security warnings. Related: Microsoft Patches 57 Vulnerabilities, Three Zero-Days Related: RedVDS Cybercrime Service Disrupted by Microsoft and Law Enforcement Related: New ‘Reprompt’ Attack Silently Siphons Microsoft Copilot Data WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Starbucks Data Breach Impacts Employees Iran-Linked Hacker Attack on Stryker Disrupted Manufacturing and Shipping Authorities Disrupt SocksEscort Proxy Service Powered by AVrecon Botnet Apple Updates Legacy iOS Versions to Patch Coruna Exploits Meta Launches New Protection Tools as It Helps Disrupt Scam Centers Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea MedTech Giant Stryker Crippled by Iran-Linked Hacker Attack Wiz Joins Google Cloud as Landmark Acquisition Closes Latest News Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact Security Firm Executive Targeted in Sophisticated Phishing Attack China-Linked Hackers Hit Asian Militaries in Patient Espionage Operation Threat Actor Targeting VPN Users in New Credential Theft Campaign ForceMemo: Python Repositories Compromised in GlassWorm Aftermath Hacking Attempt Reported at Poland’s Nuclear Research Center Loblaw Data Breach Impacts Customer Information Critical HPE AOS-CX Vulnerability Allows Admin Password Resets Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security And Third-Party Risk Summit March 18, 2026 Join the event where top security experts unpack the biggest software supply chain risks. Register People on the Move The US Senate has confirmed Army Lt. Gen. Joshua Rudd to lead NSA and CYBERCOM. Business software company Rippling has appointed Adrian Ludwig as CSO. Orca Security has named Rachel Nislick as Chief Marketing Officer. More People On The Move Expert Insights The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat As Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How To Eliminate The Technical Debt Of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Email