Microsoft patches critical Office zero-day under active attack

Summary
– Microsoft released emergency security updates to patch a zero-day vulnerability (CVE-2026-21509) that was actively being exploited in attacks.
– The flaw is a security feature bypass in Office: an attacker has to trick a user into opening a malicious Office file, since the Preview Pane is not an attack vector.
– Exploitation has been observed in the wild, but no public proof-of-concept exists, which points to targeted attacks by a limited number of threat actors rather than broad campaigns.
– The US cybersecurity agency CISA has added the flaw to its Known Exploited Vulnerabilities catalog and requires federal civilian agencies to patch it by February 16, 2026.
– Updates are available for Office 2016, 2019, 2021 and later; for Office 2021 and newer a service-side change provides protection automatically, but only after the Office applications are restarted.
Microsoft has issued urgent security patches for a critical vulnerability in its Office suite, tracked as CVE-2026-21509, which is already being exploited in the wild. The flaw is a security feature bypass: it lets an attacker circumvent built-in protections within Microsoft 365 and Office applications. Administrators and users are strongly urged to apply the updates immediately.
The vulnerability stems from Office trusting untrusted input when it makes a security decision. An attacker who can get a malicious file opened on the target can use this to bypass the OLE mitigations, one of Office's core defenses against embedded-object attacks. Microsoft has clarified that the Preview Pane is not a vector: exploitation requires the user to actually open the malicious Office file. That user interaction is a real constraint, but it is one attackers routinely overcome with social engineering, so it should not be read as lowering the urgency.
Microsoft's own security teams, the Microsoft Threat Intelligence Center and the Microsoft Security Response Center, are credited with discovering the in-the-wild exploitation of this zero-day. No public proof-of-concept exploit is available, which suggests the attacks are targeted rather than broad, indiscriminate campaigns. The company has not disclosed details of the attacks or of the victims involved.
In a significant move underscoring the threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog. Federal civilian agencies have been mandated to patch their systems by February 16, 2026, a directive that highlights the seriousness with which officials view this security gap.
Updates were initially released for Office 2021 and later; Microsoft has since extended them to Office 2016 and 2019. For Office 2021 and newer, a service-side change delivers the protection automatically, but it only takes full effect once the Office applications have been restarted, so a host that has not closed Office since the change was rolled out is not yet protected. Office 2016 and 2019 receive no service-side change: administrators must confirm the update is actually installed on those systems.
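A practical follow-up to the update guidance above is verifying, per host, which Office build is installed and whether Office is still running and therefore has not picked up the fix. The following PowerShell script is an added example written for this article; it is not code from HelpNet Security or from Microsoft's advisory. It reads the Click-to-Run configuration key that Microsoft 365 Apps and Click-to-Run Office 2016/2019/2021 write at install time, falls back to the file version of WINWORD.EXE for MSI-based Office 2016/2019, compares the result against a minimum build you pass in, and lists running Office processes. The `-MinimumFixedBuild` default is a placeholder: the article gives no fixed build numbers, so take the correct value for your update channel from Microsoft's advisory.

```powershell
<#
Added example, not from the HelpNet Security article or Microsoft's advisory.
Reports the installed Office build on this host, flags it if it is below a
minimum build the administrator supplies from Microsoft's CVE-2026-21509
advisory, and lists running Office processes, because the service-side
protection for Office 2021 and later only takes effect after a restart of
the Office applications.
#>
param(
    # Placeholder default: replace with the fixed build for your channel from Microsoft's advisory.
    [version]$MinimumFixedBuild = '16.0.0.0'
)

function Get-OfficeInstalledVersion {
    # Click-to-Run installs record the version they report and the update channel here.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $cfg = Get-ItemProperty -Path $c2r
        return [pscustomobject]@{
            Source  = 'Click-to-Run'
            Version = [version]$cfg.VersionToReport
            Channel = $cfg.UpdateChannel
        }
    }

    # MSI-based Office 2016/2019: use the file version of WINWORD.EXE, found via the
    # App Paths entry Office registers at install time.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
    if (Test-Path $appPath) {
        $exe = (Get-ItemProperty -Path $appPath).'(default)'
        if ($exe -and (Test-Path $exe)) {
            return [pscustomobject]@{
                Source  = 'MSI'
                Version = [version](Get-Item $exe).VersionInfo.FileVersion
                Channel = 'n/a'
            }
        }
    }
    return $null
}

function Get-RunningOfficeProcesses {
    # Office applications that must be closed and reopened before a delivered fix is active.
    Get-Process -Name winword, excel, powerpnt, outlook, msaccess, visio -ErrorAction SilentlyContinue |
        Select-Object Name, Id, StartTime
}

$office = Get-OfficeInstalledVersion
if (-not $office) {
    Write-Output "No Office installation found on $env:COMPUTERNAME."
    return
}

$status = if ($office.Version -lt $MinimumFixedBuild) { 'NEEDS UPDATE' } else { 'OK' }
$line = '{0}: Office {1} ({2}, channel {3}) - {4} against minimum {5}'
Write-Output ($line -f $env:COMPUTERNAME, $office.Version, $office.Source, $office.Channel, $status, $MinimumFixedBuild)

$running = Get-RunningOfficeProcesses
if ($running) {
    Write-Output 'Office applications still running; restart them so the update takes effect:'
    $running | Format-Table -AutoSize
}
```

Run it as `.\Check-OfficeBuild.ps1 -MinimumFixedBuild <build from the advisory>` on each host, or push it through your endpoint management tool and collect the output line. The build comparison only tells you whether the client update is installed; the service-side change for Office 2021 and newer does not show up as a build number, which is why the script also reports Office processes that were started before the change could apply.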
For organizations that cannot patch immediately, Microsoft's advisory describes a registry-based workaround that blocks the known exploitation path: adding a specific registry subkey, which the advisory identifies. This is a measure for administrators comfortable with registry changes, and it should be tested before being deployed at scale. It does not replace the fix; applying the security update remains the most straightforward and recommended way to fully resolve the issue.
(Source: HelpNet Security)