Microsoft has released emergency security updates to address a zero-day vulnerability in Microsoft Office that is being actively exploited by attackers in the wild.
Vulnerability Details
The vulnerability, tracked as CVE-2026-21509, stems from reliance on untrusted inputs in a security decision. This flaw allows unauthorized attackers to bypass OLE mitigations in Microsoft 365 and Microsoft Office locally.
Affected Products:
- Microsoft Office 2016
- Microsoft Office 2019
- Microsoft Office LTSC 2021
- Microsoft Office LTSC 2024
- Microsoft 365 Apps for Enterprise
CISA Response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to address the flaw by February 16, 2026.
Recommended Actions
Organizations should:
- Apply the emergency patch immediately
- Monitor for indicators of compromise related to this vulnerability
- Review Office macro and OLE security settings
- Ensure endpoint detection systems are updated with the latest signatures
The patch is available through Windows Update and the Microsoft Update Catalog.
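One way to carry out the "review Office macro and OLE security settings" step from the list above, as an added example that is not from the article or from Microsoft: a PowerShell audit that reads the policy and per-user registry values governing macro execution and OLE packager activation in Word, Excel and PowerPoint. The Office 16.0 hive and the value names VBAWarnings, PackagerPrompt and BlockContentExecutionFromInternet are assumptions about the installed build, not values taken from the page; run it against a test machine first.

```powershell
# Added example (not from the article): audit Office macro / OLE packager settings.
# Assumptions: Office 16.0 registry hive (Office 2016/2019/LTSC/365 Apps) and the
# value names VBAWarnings, PackagerPrompt and BlockContentExecutionFromInternet.
$apps  = 'Word', 'Excel', 'PowerPoint'
$hives = @{
    User   = 'HKCU:\Software\Microsoft\Office\16.0'            # per-user settings
    Policy = 'HKCU:\Software\Policies\Microsoft\Office\16.0'   # Group Policy settings
}
# Assumed meanings of the hardened values:
#   VBAWarnings 4 = disable all macros without notification, 3 = signed macros only
#   PackagerPrompt 2 = OLE packager objects are blocked instead of prompting the user
#   BlockContentExecutionFromInternet 1 = block macros in files downloaded from the internet
function Get-OfficeSecuritySetting {
    param([string]$Hive, [string]$App, [string]$Name)
    $key = Join-Path $Hive "$App\Security"
    try   { (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: the Office default applies
}

function Get-OfficeOleMacroAudit {
    foreach ($app in $apps) {
        $row = [ordered]@{ App = $app }
        foreach ($name in 'VBAWarnings', 'PackagerPrompt', 'BlockContentExecutionFromInternet') {
            # A policy value overrides the per-user value when both are present
            $policy = Get-OfficeSecuritySetting $hives.Policy $app $name
            $user   = Get-OfficeSecuritySetting $hives.User   $app $name
            $row[$name] = if ($null -ne $policy) { $policy } else { $user }
        }
        $row.MacrosHardened  = ($row.VBAWarnings -in @(3, 4))
        $row.PackagerBlocked = ($row.PackagerPrompt -eq 2)
        [pscustomobject]$row
    }
}

$audit = Get-OfficeOleMacroAudit
$audit | Format-Table -AutoSize

# Surface apps where OLE packager activation is still allowed or only prompted
$weak = $audit | Where-Object { -not $_.PackagerBlocked }
if ($weak) {
    Write-Warning ("OLE packager activation not blocked for: " + (($weak.App) -join ', '))
}
```

Rows with empty values mean neither hive sets that item, so the Office built-in default is in effect; treat those as "not hardened" rather than as safe.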