Microsoft Rushes Emergency Patch for Office Zero-Day - Dark Reading

VULNERABILITIES & THREATS CYBERATTACKS & DATA BREACHES THREAT INTELLIGENCE NEWS Microsoft Rushes Emergency Patch for Office Zero-Day To exploit the vulnerability, an attacker would need either system access or be able to convince a user to open a malicious Office file. Jai Vijayan,Contributing Writer January 27, 2026 3 Min Read SOURCE: QINQIE99 VIA SHUTTERSTOCK Microsoft has rushed out an emergency patch for a security vulnerability in multiple versions of Microsoft Office and Microsoft 365 that attackers are actively exploiting. The zero-day bug, designated as CVE-2026-21509 (CVSS 7.8), allows attackers to bypass security controls in Microsoft 365 and Office that protect against unsafe COM/OLE behavior, and execute arbitrary code on affected systems. CISA Adds Bug to KEV The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its known exploited vulnerabilities (KEV) catalog and given federal executive civilian branch agencies until Feb. 16 to patch the issue or discontinue use of affected products until patched. To exploit the vulnerability, an attacker would either need to already have access to a system or send a malicious Office file to a user and convince them to open it. Unlike numerous previous Office vulnerabilities, merely viewing a malicious Office file in the Preview Pane will not trigger CVE-2026-21509. According to Microsoft, a successful exploit could fully compromise confidentiality, integrity, and availability of affected systems. Related:Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos Security vendor Cytex assessed the vulnerability as complex to exploit and likely to involve a multistage attack chain usually associated with highly targeted attacks. "The nature of this zero-day indicates it is a tool for advanced, persistent threats (APTs)," Cytext said on X. "Key characteristics point to state-sponsored or financially motivated espionage," involving social engineering targeted at potentially high-value victims, the vendor added. In its advisory, Microsoft confirmed that it had detected exploit activity targeted at CVE-2026-21509. But as is the company's practice, it did not disclose any further details of the activity or whether it's targeted or opportunistic in nature. Security researchers always recommend organizations patch affected systems immediately, especially in situations where attackers might already be actively exploiting a vulnerability. In addition, Microsoft identified default settings, configurations, and general best practices that could mitigate the threat. Organizations on Office 2021 and later versions don't have to do anything besides restarting their Office apps because Microsoft implemented a fix for the vulnerability on the server side. But customers on Office 2016 and 2019 will need to install the security update to protect against the threat. Microsoft's advisory listed changes and additions to certain Windows registry keys that organizations using these versions can make to immediately block attempted exploit activity. Related:Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical A Big Attacker Target The wide and near ubiquitous use of Microsoft Office and Microsoft 365 have made the platforms a frequent target for attackers seeking maximum impact. Over the past year, attackers have exploited multiple critical vulnerabilities in these environment to inflict considerable damage. Some examples include "ToolShell" (CVE-2025-53770), a zero-day in SharePoint that attackers chained with CVE-2025-53771, another SharePoint flaw to target US government agencies and others; CVE-2025-49704 and CVE-2025-49706, two previous but related SharePoint vulnerabilities that attackers actively targeted; and CVE-2025-62554, which allowed for remote code execution on affected systems. The new CVE-2026-21509 zero-day is unlike some other Office zero-days, in that it relies on user interaction for a successful exploit and highlights how social engineering remains a critical element in many attack chains. About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like VULNERABILITIES & THREATS Critical Flaw in Oracle Identity Manager Under Exploitation by Rob Wright NOV 24, 2025 VULNERABILITIES & THREATS AI Agents Fail in Novel Ways, Put Businesses at Risk by Robert Lemos, Contributing Writer MAY 07, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 VULNERABILITIES & THREATS Apache Tomcat RCE Vulnerability Under Fire With 2-Step Exploit by Kristina Beek, Associate Editor, Dark Reading MAR 17, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ APPLICATION SECURITY Microsoft Patches 83 CVEs in March Update byJai Vijayan MAR 11, 2026 4 MIN READ THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE