Microsoft Office Zero-day Vulnerability Actively Exploited in Attacks - CybersecurityNews

Home Cyber Security Microsoft Office Zero-day Vulnerability Actively Exploited in Attacks Microsoft released emergency out-of-band security updates on January 26, 2026, to address CVE-2026-21509, a zero-day security feature bypass vulnerability in Microsoft Office that attackers are actively exploiting. The flaw, rated “Important” with a CVSS v3.1 base score of 7.8, relies on untrusted inputs in security decisions to circumvent OLE mitigations protecting against vulnerable COM/OLE controls. CVE-2026-21509 enables local attackers to bypass Office protections after tricking users into opening malicious files via phishing or social engineering. The attack vector requires low complexity, no privileges, and user interaction, but yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Microsoft Threat Intelligence Center (MSTIC) confirmed exploitation detection, marking it as the second actively exploited zero-day patched this month after Patch Tuesday’s updates. Affected Products The flaw impacts legacy and current Office editions; patches rolled out January 26, 2026. Product Architecture KB Article Build Office 2016 64-bit 5002713 16.0.5539.1001 Office 2016 32-bit 5002713 16.0.5539.1001 Office LTSC 2024 64/32-bit N/A Latest Office LTSC 2021 64/32-bit N/A Latest M365 Apps Enterprise 64/32-bit N/A Latest Office 2019 64/32-bit N/A 16.0.10417.20095 Verify builds via File > Account > About. Office 2021+ users gain automatic service-side protection post-restart; 2016/2019 require updates or registry tweaks. Add DWORD “Compatibility Flags” (value 400) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (adjust paths for arch/Click-to-Run). Backup registry first; restart apps after changes. Organizations should prioritize patching, enable auto-updates, and monitor phishing IOCs like suspicious Office attachments. Threat actors favor this vector for ransomware/APT initial access; deploy EDR for COM/OLE anomalies. No public PoCs or actors named yet, but watch CISA KEV for additions. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News Qihoo 360 Leaked Its Own Wildcard SSL Private Key Inside Public AI Installer Cyber Security News Fake FileZilla Downloads Lead to RAT Infections Through Stealthy Multi-Stage Loader Cyber Security News New ACRStealer Variant Uses Syscall Evasion, TLS C2 and Secondary Payload Delivery Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026