Microsoft has urgently released a fix for an actively exploited zero-day in its Office suite, tracked as CVE-2026-21509. The flaw carries a CVSS base score of 7.8 and is a security feature bypass: it lets an attacker get past the protections Office applies to unsafe COM and OLE controls. (hipaajournal.com)
Technical Details
The flaw is a case of Office relying on untrusted input when making a security decision, which allows an unauthorized attacker to bypass the COM/OLE protections locally. Exploitation requires user interaction: the attacker has to get the victim to open a crafted Office file, typically delivered as a phishing attachment. (securityonline.info)
Affected Versions and Mitigation
The vulnerability affects Office 2016, Office 2019, Office 2021 and Microsoft 365 Apps for Enterprise. For Office 2021 and later, Microsoft delivers the protection from the service side; it takes effect once the Office applications are restarted, so no separate download is required. Office 2016 and Office 2019 must be brought up to at least the following builds by installing the latest security updates:
- Office 2019 (32-bit and 64-bit): Build 16.0.10417.20095
- Office 2016 (32-bit and 64-bit): Build 16.0.5539.1001
Where the update cannot be applied immediately, Microsoft recommends a registry-based workaround as an interim mitigation. Test it before broad deployment, treat it as temporary, and follow Microsoft's guidance on whether to remove it once the update is installed. (hipaajournal.com)
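The quickest way to confirm whether a given machine still needs the update is to compare the installed build with the minimums listed above. The script below is an added example written for this page, not a Microsoft tool or code from the cited sources. It reads the standard Click-to-Run registry key (Office 2019/2021/Microsoft 365 Apps) or, for MSI installs of Office 2016, the file version of WINWORD.EXE, and the build thresholds are the ones the article gives; cross-check them against Microsoft's advisory before relying on the result.

```powershell
# Added example, not part of the original article or any Microsoft tool:
# compares the locally installed Office build against the minimum fixed
# builds listed above. Registry and file locations are the standard ones for
# Click-to-Run and MSI installs of Office 16.x.

$MinimumFixedBuild = @{
    '2019' = [version]'16.0.10417.20095'   # Office 2019, build from the article
    '2016' = [version]'16.0.5539.1001'     # Office 2016, build from the article
}

function Get-OfficeInstall {
    # Click-to-Run installs (Office 2019/2021/2024 and Microsoft 365 Apps)
    # record the reported version and product IDs under ClickToRun\Configuration.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
                            -ErrorAction SilentlyContinue
    if ($c2r -and $c2r.VersionToReport) {
        return [pscustomobject]@{
            InstallType = 'ClickToRun'
            ProductIds  = [string]$c2r.ProductReleaseIds   # e.g. ProPlus2019Volume, O365ProPlusRetail
            Version     = [version]$c2r.VersionToReport
        }
    }
    # MSI installs (Office 2016) have no ClickToRun key; use WINWORD.EXE's file version.
    foreach ($dir in @("$env:ProgramFiles\Microsoft Office\Office16",
                       "${env:ProgramFiles(x86)}\Microsoft Office\Office16")) {
        $exe = Join-Path $dir 'WINWORD.EXE'
        if (Test-Path $exe) {
            return [pscustomobject]@{
                InstallType = 'MSI'
                ProductIds  = 'Office16'
                Version     = [version](Get-Item $exe).VersionInfo.FileVersion
            }
        }
    }
    return $null
}

function Get-CveStatus {
    param([Parameter(Mandatory)][pscustomobject]$Install)

    if ($Install.InstallType -eq 'MSI') {
        $required = $MinimumFixedBuild['2016']
    } elseif ($Install.ProductIds -match '2019') {
        $required = $MinimumFixedBuild['2019']
    } else {
        # Office 2021 and later / Microsoft 365 Apps: the article says protection is
        # delivered service-side and takes effect after a restart, so there is no
        # build number to compare against.
        return "$($Install.ProductIds) $($Install.Version): service-side protection, restart Office applications"
    }

    if ($Install.Version -ge $required) {
        return "$($Install.ProductIds) $($Install.Version): at or above fixed build $required"
    }
    return "$($Install.ProductIds) $($Install.Version): BELOW fixed build $required - install the update or apply the workaround"
}

$install = Get-OfficeInstall
if ($null -eq $install) {
    Write-Output 'No Office 16.x installation found.'
} else {
    Write-Output (Get-CveStatus -Install $install)
}
```

Run it in an elevated PowerShell session on each endpoint (or push it through your endpoint management tooling and collect the output). A machine with both a 2019 product and a Microsoft 365 product in `ProductReleaseIds` will be matched against the 2019 threshold, which is the stricter check for this issue.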
Regulatory Response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog and is urging organizations to prioritize remediation. Federal civilian agencies are required to remediate it by February 16, 2026. (cybersecuritynews.com)
Recommendations
Update Office as soon as possible, and verify the result rather than assuming it: confirm that Office 2016 and Office 2019 installations report at least the builds listed above, and restart Office 2021 and Microsoft 365 Apps so the service-side protection takes effect. Because exploitation depends on a user opening a malicious file, keeping security updates current and treating unsolicited Office attachments with suspicion both materially reduce exposure.
Sources: hipaajournal.com, securityonline.info, cybersecuritynews.com
