Microsoft Office Zero-day Vulnerability Actively Exploited in Attacks

Microsoft released emergency out-of-band security updates on January 26, 2026, to address CVE-2026-21509, a zero-day security feature bypass vulnerability in Microsoft Office that attackers are actively exploiting.

The flaw, rated “Important” with a CVSS v3.1 base score of 7.8, relies on untrusted inputs in security decisions to circumvent OLE mitigations protecting against vulnerable COM/OLE controls.

CVE-2026-21509 enables local attackers to bypass Office protections after tricking users into opening malicious files via phishing or social engineering.

The attack vector requires low complexity, no privileges, and user interaction, but yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Microsoft Threat Intelligence Center (MSTIC) confirmed exploitation detection, marking it as the second actively exploited zero-day patched this month after Patch Tuesday’s updates.

Affected Products

The flaw impacts legacy and current Office editions; patches rolled out January 26, 2026.

Verify builds via File > Account > About.

Office 2021+ users gain automatic service-side protection post-restart; 2016/2019 require updates or registry tweaks.

Add DWORD “Compatibility Flags” (value 400) under HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (adjust paths for arch/Click-to-Run). Backup registry first; restart apps after changes.

Organizations should prioritize patching, enable auto-updates, and monitor phishing IOCs like suspicious Office attachments. Threat actors favor this vector for ransomware/APT initial access; deploy EDR for COM/OLE anomalies. No public PoCs or actors named yet, but watch CISA KEV for additions.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.