Microsoft Office Zero Day Actively Exploited via Security Feature Bypass Vulnerability (CVE 2026 21509)
February 6th, 2026
High
Our Cyber Threat Intelligence Unit has identified a critical security update to address a zero-day vulnerability in Microsoft Office that is actively exploited in the wild. Tracked as CVE-2026-21509, this flaw allows attackers to bypass built-in security protections in the Office when a user opens a malicious document. Exploitation relies on social engineering such as phishing to convince the victim to open a crafted file and has prompted urgent out-of-band patches for multiple Office versions. Due to active exploitation and its presence in real-world attacks, organizations are urged to apply updates or mitigations immediately.
Technical Details
CVE ID: CVE-2026-21509.
Attack Type: Security feature bypass via malicious document processing.
Severity: High.
Component Affected: Microsoft Office applications including Office 2016, Office 2019, Office
LTSC versions, Office 2021, and Microsoft 365 Apps for Enterprise.
Vulnerability Nature: The flaw arises from reliance on untrusted inputs in a security decision,
allowing unauthorized actions by bypassing mitigations for unsafe COM/OLE controls.
Attack Vector: A remote attacker must send a malicious Office document (such as via email), and
the target must open the file to trigger the bypass.
Exploit Status: Microsoft and independent researchers have confirmed active exploitation in the
wild prior to official patch availability.
Impact
Attackers can bypass Office security features designed to block unsafe COM/OLE controls, weakening defense-in-depth.
A successful exploit may allow delivery and execution of secondary payloads, such as malware.
Unauthorized actions could lead to data compromise, credential theft, or system misuse.
Exploitation requires only user interaction (opening a file), increasing success likelihood via phishing.
Legacy Office deployments (2016/2019) remain vulnerable until patched, leaving many endpoints exposed.
Widespread use of Office makes enterprise and supply chain workflows high-risk areas.
Detection Method
Identify Office applications at risk by scanning installed versions against affected builds (Office 2016, 2019, LTSC 2021/2024, Office 2021, Microsoft 365 Apps).
Monitor email attachments and file uploads for suspicious Office documents originating from external or untrusted sources.
Log and alert on unexpected COM/OLE control activations or failures in Office processing.
Detect anomalous processes spawned from Office applications following document openings.
Leverage endpoint detection solutions to correlate post-document execution behaviors that deviate from normal Office activity.
Analyze phishing campaign indicators where crafted Office files are used as initial access vectors.
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.
Recommendations
Apply Emergency Patches:Install the latest Office security updates covering CVE-2026-21509 across all affected Office versions immediately.
Restart Office Applications:After updates, users on Office 2021 and later must restart applications to activate service-side protections.
Registry Mitigation: For Office 2016/2019 where patches are delayed, apply Microsoft’s registry workaround to mitigate exposure.
Phishing Awareness: Educate users to avoid opening Office attachments from untrusted or unexpected sources.
Enhance Email Security: Use advanced email filtering to block or flag malicious Office file attachments.
Endpoint Controls: Enable EDR rules to detect unusual Office behaviours such as unexpected COM/OLE usage.
Conclusion
CVE-2026-21509 represents a significant security feature bypass in Microsoft Office that has already seen active exploitation. By relying on untrusted inputs to make critical decisions about embedded controls, the flaw exposes systems to potential unauthorized actions when a malicious document is opened. Rapid patching, combined with defensive controls and user awareness around document-based threats, is critical to mitigating this risk. Given its inclusion in CISA’s Known Exploited Vulnerabilities catalog, organizations should act quickly to implement updates and reduce exposure to this vulnerability.