Microsoft released an out-of-band emergency patch on January 26, 2026, for CVE-2026-21509, a security feature bypass in Microsoft Office that’s being actively exploited in the wild. Russia-linked threat actor APT28 (UAC-0001) has been observed using the vulnerability against targets in Ukraine and the European Union.
Vulnerability overview
| Attribute | Value |
|---|---|
| CVE | CVE-2026-21509 |
| CVSS score | 7.8 (High) |
| Type | Security Feature Bypass |
| Attack vector | Local (requires user interaction) |
| Exploit status | Actively exploited |
| CISA KEV added | January 27, 2026 |
| Federal remediation deadline | February 16, 2026 |
Technical details
CVE-2026-21509 stems from Microsoft Office’s reliance on untrusted inputs in security decisions. The flaw allows attackers to bypass OLE (Object Linking and Embedding) mitigations, exposing users to vulnerable legacy COM/OLE controls that are normally blocked.
Root cause
| Element | Description |
|---|---|
| Vulnerability class | Reliance on untrusted inputs in security decision |
| Bypass target | OLE mitigations in Microsoft 365 and Office |
| Exposed components | Legacy COM/OLE controls |
| User interaction | Required (must open malicious document) |
In practical terms, malicious documents can execute code through COM/OLE components that should have been blocked by Office’s security controls.
APT28 exploitation campaign
According to CERT-UA, the activity is being driven by UAC-0001, better known as APT28, Fancy Bear, or Sofacy—the Russian military intelligence (GRU) unit.
Campaign details
| Attribute | Details |
|---|---|
| Attribution | APT28 / UAC-0001 / Fancy Bear (GRU) |
| Targets | 60+ email addresses at Ukrainian central executive authorities |
| Regions | Ukraine, EU member states |
| Lure document | "Consultation_Topics_Ukraine(Final).doc" |
| Theme | EU discussions on Ukraine |
Attack timeline
| Date | Event |
|---|---|
| January 26, 2026 | Microsoft publishes CVE-2026-21509 details |
| January 27, 2026 | Lure document created (per file metadata) |
| January 29, 2026 | Document appears publicly |
| Ongoing | Active exploitation continues |
The one-day turnaround from vulnerability disclosure to weaponized lure document suggests the exploit chain was already prepared and waiting.
Attack chain
According to CERT-UA’s investigation:
| Phase | Action |
|---|---|
| 1 | Victim opens malicious Word document |
| 2 | Document establishes network connection via WebDAV protocol |
| 3 | External resource downloads shortcut file containing program code |
| 4 | Code downloads and executes payload |
| 5 | COVENANT Grunt implant deployed |
Payload details
| Component | Description |
|---|---|
| Framework | COVENANT (open-source .NET C2) |
| Implant | Grunt |
| Capabilities | Full command-and-control access |
Attack chain variants
Zscaler ThreatLabz documented two distinct attack chain variants in Operation Neusploit:
Variant 1: MiniDoor (Email theft)
| Phase | Action |
|---|---|
| 1 | RTF document exploits CVE-2026-21509 |
| 2 | Dropper DLL downloaded via WebDAV |
| 3 | MiniDoor VBA project installed in Outlook |
| 4 | Emails automatically forwarded to attacker |
MiniDoor installs a malicious Outlook VBA project that monitors the MAPILogonComplete event and forwards emails from Inbox, Drafts, Junk, and RssFeeds folders to attacker-controlled addresses.
Variant 2: PixyNetLoader (Full C2)
| Phase | Action |
|---|---|
| 1 | RTF document exploits CVE-2026-21509 |
| 2 | PixyNetLoader dropper deployed |
| 3 | COM hijacking + scheduled tasks for persistence |
| 4 | PNG steganography extracts shellcode |
| 5 | Covenant Grunt implant runs in memory |
The PixyNetLoader chain uses LSB steganography to hide shellcode within PNG image files, extracting and executing the payload entirely in memory to evade disk-based detection.
Evasion techniques
| Technique | Purpose |
|---|---|
| Server-side geofencing | Only delivers payload to targeted regions |
| User-Agent validation | Rejects requests without expected headers |
| PNG steganography | Hides shellcode in image pixels |
| In-memory execution | Avoids disk artifacts |
| Legitimate cloud C2 | Uses filen.io API for command traffic |
APT28 history with Office exploits
APT28 has a documented history of weaponizing Office vulnerabilities for initial access:
| Vulnerability | Year | Technique |
|---|---|---|
| CVE-2022-30190 (Follina) | 2022 | MSDT protocol handler abuse |
| Various macro attacks | 2015-2022 | VBA-based payloads |
| CVE-2017-0199 | 2017 | OLE/RTF exploitation |
| CVE-2026-21509 | 2026 | OLE mitigation bypass |
Affected products
| Product | Status |
|---|---|
| Microsoft Office 2016 | Vulnerable (manual patch required) |
| Microsoft Office 2019 | Vulnerable (manual patch required) |
| Microsoft Office LTSC 2021 | Vulnerable (service-side fix available) |
| Microsoft Office LTSC 2024 | Vulnerable (service-side fix available) |
| Microsoft 365 Apps for Enterprise | Vulnerable (service-side fix available) |
Patch availability
Office 2021 and later (including Microsoft 365)
| Action | Details |
|---|---|
| Fix type | Service-side deployment |
| Requirement | Restart Office applications |
| Automatic | Yes, after restart |
Office 2016 and 2019
| Option | Details |
|---|---|
| Windows Update | Security update available |
| Microsoft Update Catalog | Manual download available |
| Registry workaround | Block vulnerable COM/OLE controls manually |
CISA response
CISA added CVE-2026-21509 to the Known Exploited Vulnerabilities (KEV) catalog on January 27, 2026.
| Requirement | Deadline |
|---|---|
| FCEB agency remediation | February 16, 2026 |
| Private sector | Recommended to follow same timeline |
Mitigations and detection
Immediate mitigations
| Priority | Action |
|---|---|
| Critical | Apply the patch through Windows Update or manual download |
| High | Enable Protected View (default setting) |
| High | Verify Microsoft Defender is updated with latest signatures |
| Medium | Review macro and OLE security settings |
| Ongoing | User awareness training on suspicious documents |
Detection indicators
| Indicator | Detection method |
|---|---|
| Office spawning unusual child processes | EDR/process monitoring |
| Legacy COM/OLE component execution | Application control logs |
| WebDAV connections from Office | Network monitoring |
| COVENANT/Grunt C2 traffic | Network/EDR signatures |
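A way to turn the first and third indicators above into a check that runs over endpoint telemetry, as an added example that is not from the article or any vendor. It assumes Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records; the $Sample records are constructed.

```powershell
# Added example: flag Office processes that spawn children outside a baseline
# allowlist, and Office processes making plaintext HTTP connections (the
# transport WebDAV lures use). Records are constructed, not real telemetry.
$OfficeHosts = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
# Children an Office process routinely starts; everything else is reported.
# Build this list from your own baseline, not from a blocklist of tool names.
$ChildAllowlist = 'SPLWOW64.EXE', 'DW20.EXE', 'OUTLOOK.EXE', 'WINWORD.EXE', 'EXCEL.EXE'

function Find-OfficeIndicator {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = ([IO.Path]::GetFileName([string]$e.ParentImage)).ToUpperInvariant()
        $image  = ([IO.Path]::GetFileName([string]$e.Image)).ToUpperInvariant()
        if ($e.EventId -eq 1 -and $parent -in $OfficeHosts -and $image -notin $ChildAllowlist) {
            [pscustomobject]@{ Host = $e.Host; Indicator = 'Office child process'
                               Detail = "$parent -> $image $($e.CommandLine)" }
        }
        # Assumption: on Windows the WebClient service (svchost.exe) may issue the
        # WebDAV request on Office's behalf, so apply the same port-80 rule to that
        # service in your own telemetry as well.
        if ($e.EventId -eq 3 -and $image -in $OfficeHosts -and $e.DestinationPort -eq 80) {
            [pscustomobject]@{ Host = $e.Host; Indicator = 'Office HTTP/WebDAV egress'
                               Detail = "$image -> $($e.DestinationIp):$($e.DestinationPort)" }
        }
    }
}

# Constructed sample: one benign print-spooler child, one suspicious child,
# one port-80 connection from Word, one ordinary HTTPS connection from Outlook.
$Office16 = 'C:\Program Files\Microsoft Office\root\Office16'
$Sample = @(
    [pscustomobject]@{ EventId = 1; Host = 'ws01'; ParentImage = "$Office16\WINWORD.EXE"
                       Image = 'C:\Windows\splwow64.exe'; CommandLine = 'splwow64.exe 12345' }
    [pscustomobject]@{ EventId = 1; Host = 'ws01'; ParentImage = "$Office16\WINWORD.EXE"
                       Image = 'C:\Windows\System32\rundll32.exe'; CommandLine = 'rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,Start' }
    [pscustomobject]@{ EventId = 3; Host = 'ws01'; Image = "$Office16\WINWORD.EXE"
                       DestinationIp = '203.0.113.10'; DestinationPort = 80 }
    [pscustomobject]@{ EventId = 3; Host = 'ws01'; Image = "$Office16\OUTLOOK.EXE"
                       DestinationIp = '203.0.113.20'; DestinationPort = 443 }
)
Find-OfficeIndicator -Events $Sample | Format-Table -AutoSize
```

Running it reports two findings: the rundll32 child of WINWORD.EXE and the port-80 connection; the splwow64 child and the HTTPS connection are ignored.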
Defender coverage
Microsoft Defender has detections in place for known CVE-2026-21509 exploitation patterns. Major EDR platforms should also have updated signatures.
Historical context
OLE and COM have been persistent security headaches for Microsoft Office. These technologies enable powerful document functionality but also provide attack surface that threat actors regularly exploit.
OLE/COM vulnerability timeline
| Year | Notable issues |
|---|---|
| 2017 | CVE-2017-0199 OLE exploitation wave |
| 2021 | Multiple OLE-based attack campaigns |
| 2022 | Follina (MSDT via OLE) |
| 2026 | CVE-2026-21509 mitigation bypass |
Microsoft has implemented multiple layers of mitigations over the years, including:
- Protected View for external documents
- COM/OLE control blocking lists
- Mark of the Web enforcement
- Application Guard isolation
However, bypass vulnerabilities continue to emerge. The involvement of a state-sponsored actor like APT28 suggests this vulnerability may have been discovered independently or purchased, rather than being a widely known issue before disclosure.
Recommendations
For organizations
| Priority | Action |
|---|---|
| Immediate | Deploy patches across all Office installations |
| Immediate | Verify Protected View is enabled |
| High | Hunt for IOCs associated with COVENANT/Grunt |
| High | Review logs for suspicious Office document activity |
| Ongoing | Monitor CERT-UA and Microsoft advisories |
For security teams
| Focus | Consideration |
|---|---|
| Email filtering | Block documents with suspicious OLE objects |
| User training | Reinforce caution with external documents |
| EDR tuning | Ensure detections for Office child process spawning |
| Network monitoring | Alert on WebDAV connections from Office processes |
For users
| Action | Reason |
|---|---|
| Be suspicious of unexpected documents | Especially from external sources |
| Don’t disable Protected View | Provides critical protection layer |
| Report suspicious documents | Enable security team investigation |
| Keep Office updated | Ensures latest protections |
Registry workaround for Office 2016/2019
For organizations unable to immediately deploy the security update, Microsoft provides a registry-based mitigation:
| Step | Action |
|---|---|
| 1 | Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility |
| 2 | Create subkey for vulnerable CLSID (per Microsoft advisory) |
| 3 | Add DWORD value: Compatibility Flags = 0x400 |
| 4 | Repeat for each vulnerable COM control |
Note: This workaround blocks specific COM/OLE controls and may impact legitimate functionality. Test thoroughly before deployment.
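The four steps above as an auditable script, added here as an example and not Microsoft's own tooling. It assumes the key path and the 0x400 flag stated above; the CLSIDs in $Clsids are placeholders to be replaced with the list from the Microsoft advisory.

```powershell
# Added example: apply (with -Apply) and verify the Office COM Compatibility
# kill bit for a list of CLSIDs. Run elevated. Without -Apply it only audits.
param([switch]$Apply)

$ComCompatRoot = 'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility'
$KillBit       = 0x400   # the Compatibility Flags value the workaround sets
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',  # PLACEHOLDER: take from the advisory
    '{00000000-0000-0000-0000-000000000002}'   # PLACEHOLDER: take from the advisory
)
# Assumption: for 32-bit Office on 64-bit Windows, earlier Microsoft workarounds
# of this kind also used the Wow6432Node path; confirm in the advisory.

function Set-OfficeComKillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        $key = Join-Path $ComCompatRoot $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit into any flags already present rather than overwriting them.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$existing -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-OfficeComKillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        $key   = Join-Path $ComCompatRoot $id
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid   = $id
            Blocked = (([int]$flags -band $KillBit) -ne 0)
            Flags   = ('0x{0:X}' -f [int]$flags)
        }
    }
}

if ($Apply) { Set-OfficeComKillBit -Clsid $Clsids }
Test-OfficeComKillBit -Clsid $Clsids | Format-Table -AutoSize
```

Keep the audit output from before and after deployment; the Blocked column is also a quick way to confirm the workaround survived an Office update.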
Alternative tracking names
Different security vendors track this campaign under various names:
| Vendor | Campaign/Threat Name |
|---|---|
| Zscaler | Operation Neusploit |
| Broadcom/Symantec | Swallowtail |
| CERT-UA | UAC-0001 |
| Microsoft | Forest Blizzard |
The rapid weaponization of CVE-2026-21509 by APT28 demonstrates the importance of prompt patching. Organizations in Ukraine and EU member states should treat this as an elevated priority given the targeted nature of observed campaigns.
The combination of two attack variants—one focused on email theft (MiniDoor) and one on full system access (PixyNetLoader/Covenant)—suggests APT28 tailors its post-exploitation based on target value and intelligence requirements.