Microsoft Rushes Out Emergency Update to Patch Office Zero-Day Flaw

Microsoft urges organizations to apply emergency updates immediately.


Key Takeaways:

  • Microsoft has issued emergency updates to patch an actively exploited Office zero-day.
  • The flaw allows attackers to bypass key security protections using malicious documents.
  • Some Office versions require manual action to fully mitigate the risk.

Microsoft has released emergency out-of-band Office security updates to patch a high-severity Microsoft Office vulnerability that is already under active exploitation. The flaw, tracked as CVE-2026-21509, is being used in real-world attacks to bypass built-in security protections.

The zero-day bug (CVE-2026-21509) is a high-severity security feature-bypass flaw in Microsoft Office. Its root cause is a security decision made on the basis of untrusted input (the weakness class Microsoft's own description maps to, reliance on untrusted inputs in a security decision), which lets an attacker sidestep the protections meant to block unsafe COM/OLE components. Exploitation requires user interaction: the attacker sends a specially crafted Office document and convinces the victim to open it, after which malicious code can run despite the OLE mitigations that should have stopped it.

“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” Microsoft explained in its advisory. “An attacker must send a user a malicious Office file and convince them to open it.”

This vulnerability carries a CVSS score of 7.8, and it affects multiple versions of Microsoft Office. These include Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise. Microsoft noted that the issue could fully compromise confidentiality, integrity, and availability on affected systems.

What should administrators do now to mitigate the Office flaw?

Fortunately, for Office 2021 and newer versions Microsoft has already delivered the fix automatically on the server side; administrators only need to restart the Office applications so the patched components are loaded. Users of Office 2016 and 2019, however, must install the update manually or apply the specific registry-based mitigation Microsoft describes in its guidance.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities catalogue. CISA has directed Federal Civilian Executive Branch agencies to remediate the vulnerability by February 16 or discontinue use of the affected products.

Microsoft urges organizations to follow the official guidance on its CVE information page. The company also noted that its built-in defenses (such as Microsoft Defender) already detect attempts to exploit the Office vulnerability, and that Office's default Protected View adds a further layer of protection by opening files that originate from the Internet in a read-only sandbox so their content is not run automatically. Protected View only helps if it has not been switched off, so it is worth verifying that setting alongside the patch level.
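The following PowerShell script is an added example, not code from the article or from Microsoft. It audits the two things the guidance above depends on: which Office build is installed (so an administrator can compare it against the fixed builds listed in Microsoft's advisory; the script deliberately does not hard-code those build numbers) and whether the Protected View triggers for Internet files, Outlook attachments and unsafe locations are still enabled in Word, Excel and PowerPoint. It assumes the Office 16.0-era registry layout shared by Office 2016, 2019, LTSC 2021/2024 and Microsoft 365 Apps; the registry paths and value names are Microsoft's standard ones, and the misspelled value name DisableAttachementsInPV is the name Office actually uses.

```powershell
# Added example (not from the article or Microsoft): audit Office build and Protected View.
# Assumptions: Office 16.0 registry layout; fixed build numbers are NOT hard-coded here,
# compare the reported version against Microsoft's advisory for CVE-2026-21509.

$apps = 'Word', 'Excel', 'PowerPoint'
# Protected View DWORDs; a value of 1 means that Protected View trigger is DISABLED.
# ('Attachements' is Microsoft's own spelling of the value name.)
$pvValues = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'

function Get-OfficeBuild {
    # Click-to-Run installs (Microsoft 365 Apps, LTSC 2021/2024) record their build here
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r) {
        return [pscustomobject]@{
            Install  = 'Click-to-Run'
            Version  = $c2r.VersionToReport
            Products = $c2r.ProductReleaseIds
        }
    }
    # MSI installs (common for Office 2016/2019) have no ClickToRun key; use winword.exe's file version
    $appPath = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe' -ErrorAction SilentlyContinue).'(default)'
    if ($appPath -and (Test-Path $appPath)) {
        return [pscustomobject]@{
            Install  = 'MSI'
            Version  = (Get-Item $appPath).VersionInfo.FileVersion
            Products = 'see Winword.exe'
        }
    }
    return $null
}

function Get-ProtectedViewState {
    foreach ($app in $apps) {
        # A Group Policy setting overrides the per-user one, so report both scopes
        $paths = @{
            Policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"
            User   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView"
        }
        foreach ($scope in $paths.Keys) {
            $props = Get-ItemProperty $paths[$scope] -ErrorAction SilentlyContinue
            foreach ($v in $pvValues) {
                # Absent value = Office default, which keeps Protected View on
                $state = if ($null -eq $props -or $null -eq $props.$v) { 'default (enabled)' }
                         elseif ($props.$v -eq 1) { 'DISABLED' }
                         else { 'enabled' }
                [pscustomobject]@{ App = $app; Scope = $scope; Setting = $v; State = $state }
            }
        }
    }
}

$build = Get-OfficeBuild
if ($build) { $build | Format-List } else { Write-Warning 'No Office 16.0 installation found' }

$pv = Get-ProtectedViewState
$pv | Format-Table -AutoSize
$weak = @($pv | Where-Object State -eq 'DISABLED')
if ($weak.Count -gt 0) {
    Write-Warning "Protected View weakened: $($weak.Count) trigger(s) disabled; re-enable before relying on it as a mitigation"
}
```

Run it in the context of the user whose Office settings you want to check, because the Protected View values live under HKCU. A Click-to-Run build older than the one Microsoft lists as fixed means the automatic update has not landed yet (or the apps have not been restarted); an MSI build means the Office 2016/2019 path applies and the update or registry mitigation must be applied by hand.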