
Microsoft on Monday issued an out-of-band security patch for a high-severity zero-day vulnerability in Microsoft Office that has been exploited in attacks.
The vulnerability, tracked as CVE-2026-21509 (CVSS score: 7.8 out of 10.0), is described as a security feature bypass in Microsoft Office.
“Microsoft Office’s reliance on untrusted input in security decisions may allow an unauthorized attacker to locally bypass security features,” the tech giant said in an advisory.
“This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls.”
Successful exploitation of this flaw relies on an attacker sending a specially crafted Office file and persuading the recipient to open it. The company also noted that the Preview Pane is not an attack vector.

The Windows maker said customers running Office 2021 or newer will be automatically protected by the service-side change, but they will need to restart their Office applications for it to take effect. If you're running Office 2016 or 2019, you should install the following updates:
Microsoft Office 2019 (32-bit version) – 16.0.10417.20095
Microsoft Office 2019 (64-bit version) – 16.0.10417.20095
Microsoft Office 2016 (32-bit version) – 16.0.5539.1001
Microsoft Office 2016 (64-bit version) – 16.0.5539.1001
As a mitigation measure, the company recommends customers modify the Windows registry by following the steps outlined below.
1. Create a backup of the registry.
2. Exit all Microsoft Office applications.
3. Launch Registry Editor.
4. Locate the appropriate registry subkey for your installation:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ for 64-bit MSI Office, and 32-bit MSI Office on 32-bit Windows
   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ for 32-bit MSI Office on 64-bit Windows
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ for 64-bit Click2Run Office, and 32-bit Click2Run Office on 64-bit Windows
5. Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}: right-click the COM Compatibility node and select New > Key.
6. Within that subkey, right-click the new subkey and select New > DWORD (32-bit) Value to add a new value.
7. Name the REG_DWORD value "Compatibility Flag" and set it to the hex value 400.
8. Exit Registry Editor and start the Office application.
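To check that the workaround is actually in place on a machine (and optionally apply it), the steps above can be scripted. This is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session, an Office 16.0 install, and that the registry backup step has already been done.

```powershell
# Added example: audit, and with -Apply also set, the CVE-2026-21509 registry
# workaround on the local machine. Assumes elevated PowerShell and Office 16.0.
param([switch]$Apply)

$Clsid        = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID from the advisory
$ValueName    = 'Compatibility Flag'
$ExpectedFlag = 0x400                                      # REG_DWORD hex value 400

# The three COM Compatibility locations from the mitigation steps and the
# installs each one covers.
$Bases = @{
  'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility' =
    '64-bit MSI, or 32-bit MSI on 32-bit Windows'
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility' =
    '32-bit MSI on 64-bit Windows'
  'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility' =
    'Click-to-Run (64-bit, or 32-bit on 64-bit Windows)'
}

foreach ($base in $Bases.Keys) {
  $label = $Bases[$base]
  # A base key that does not exist means that install type is not present;
  # it is not a finding, so skip it rather than creating keys Office never reads.
  if (-not (Test-Path $base)) { Write-Output "SKIP    $label (base key absent)"; continue }

  $key = Join-Path $base $Clsid
  $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
  if ($current -eq $ExpectedFlag) { Write-Output "OK      $label"; continue }

  if (-not $Apply) {
    Write-Output "MISSING $label: '$ValueName' is '$current', expected 0x400"
    continue
  }

  # Create the CLSID subkey if needed, then write the REG_DWORD exactly as
  # Registry Editor would via New > DWORD (32-bit) Value.
  if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
  New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
                   -Value $ExpectedFlag -Force | Out-Null
  Write-Output "APPLIED $label"
}
```

Office applications must still be closed before applying and restarted afterwards, as in the manual steps; run without -Apply first to see which locations are missing the flag.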

Microsoft has not provided details regarding the nature and scope of the attack leveraging CVE-2026-21509. The Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and the Office Product Group security team are credited with discovering this issue.
Following this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and required Federal Civilian Executive Branch (FCEB) agencies to patch it by February 16, 2026.
