Microsoft has rushed out an emergency patch for a security vulnerability in multiple versions of Microsoft Office and Microsoft 365 that attackers are actively exploiting. The zero-day bug, designated as CVE-2026-21509 (CVSS 7.8), allows attackers to bypass security controls in Microsoft 365 and Office that protect against unsafe COM/OLE behavior, and execute arbitrary code on affected systems.
CISA Adds Bug to KEV
The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its known exploited vulnerabilities (KEV) catalog and gave federal executive civilian branch agencies until Feb. 16 to patch the issue or discontinue use of affected products until patched. To exploit the vulnerability, an attacker would either need to already have access to a system or send a malicious Office file to a user and convince them to open it. Unlike numerous previous Office vulnerabilities, merely viewing a malicious Office file in the Preview Pane will not trigger CVE-2026-21509. According to Microsoft, a successful exploit could fully compromise confidentiality, integrity, and availability of affected systems.
Security vendor Cytex assessed the vulnerability as complex to exploit and likely to involve a multistage attack chain usually associated with highly targeted attacks. “The nature of this zero-day indicates it is a tool for advanced, persistent threats (APTs),” Cytex said on X. “Key characteristics point to state-sponsored or financially motivated espionage,” involving social engineering targeted at potentially high-value victims, the vendor added.
In its advisory, Microsoft confirmed that it had detected exploit activity targeted at CVE-2026-21509. But as is the company’s practice, it did not disclose any further details of the activity or whether it’s targeted or opportunistic in nature.
Security researchers always recommend organizations patch affected systems immediately, especially in situations where attackers might already be actively exploiting a vulnerability.
In addition, Microsoft identified default settings, configurations, and general best practices that could mitigate the threat. Organizations on Office 2021 and later versions don’t have to do anything besides restarting their Office apps because Microsoft implemented a fix for the vulnerability on the server side.
But customers on Office 2016 and 2019 will need to install the security update to protect against the threat. Microsoft’s advisory listed changes and additions to certain Windows registry keys that organizations using these versions can make to immediately block attempted exploit activity.
A Big Attacker Target
The wide and near-ubiquitous use of Microsoft Office and Microsoft 365 has made the platforms a frequent target for attackers seeking maximum impact. Over the past year, attackers have exploited multiple critical vulnerabilities in these environments to inflict considerable damage. Some examples include “ToolShell” (CVE-2025-53770), a zero-day in SharePoint that attackers chained with CVE-2025-53771, another SharePoint flaw, to target US government agencies and others; CVE-2025-49704 and CVE-2025-49706, two previous but related SharePoint vulnerabilities that attackers actively targeted; and CVE-2025-62554, which allowed for remote code execution on affected systems.
The new CVE-2026-21509 zero-day is unlike some other Office zero-days, in that it relies on user interaction for a successful exploit and highlights how social engineering remains a critical element in many attack chains.

