
Microsoft has released an out-of-band security update for Office products to address CVE-2026-21509, a high-severity vulnerability that is currently being exploited in the wild.
The flaw allows attackers to bypass key security features and execute malicious payloads through specially crafted Office files.
The vulnerability was identified by Microsoft's internal security teams, including the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and the Office Product Group Security Team. The issue, classified as a security feature bypass, stems from the software’s reliance on untrusted inputs when making critical security decisions.
Microsoft Office under attack
According to Microsoft’s advisory, exploitation of CVE-2026-21509 requires user interaction, such as opening a malicious Office document. Once triggered, the flaw enables attackers to circumvent OLE (Object Linking and Embedding) mitigations, a set of defenses in Microsoft 365 and standalone Office products designed to block the execution of untrusted COM/OLE controls.
Microsoft Office is a widely used productivity suite that serves hundreds of millions of users worldwide, including individuals, businesses, and government organizations. The affected versions include Microsoft Office 2016, 2019, and 2021, as well as Microsoft 365. Office 2021 and Microsoft 365 users benefit from a service-side fix that is already in place, but they must restart their Office applications for the protection to take effect. In contrast, customers on Office 2016 and 2019 must manually install the newly released security update or apply a registry-based mitigation that blocks the vulnerable COM object.
The vulnerable COM control is identified by CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. Administrators seeking immediate mitigation can create a registry key under the COM Compatibility node corresponding to their Office installation type. This key must include a DWORD (32-bit) value named Compatibility Flags set to 0x400, which disables activation of the targeted COM object within Office.
Microsoft has confirmed the active exploitation of this flaw but has not disclosed specific threat actors, attack campaigns, or geographic targeting. However, the exploit code is described as “functional,” implying that attackers have reliable methods of weaponizing the vulnerability. Microsoft notes that the attack vector does not include the Preview Pane, and opening a malicious file remains a necessary step for successful exploitation.
Users can verify whether their installation is protected by checking that their Office build number is 16.0.10417.20095 or higher. This information can be found under the “About” section in the Account tab of any Office application.
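The registry mitigation described two paragraphs above and the build-number check in the paragraph above can both be scripted. The following PowerShell is an added example written for this article, not code published by Microsoft: it assumes that the "COM Compatibility" node lives at the standard Office 16.0 locations for MSI-based and Click-to-Run installations (verify these against Microsoft's advisory for your environment), that Click-to-Run reports its build in the VersionToReport registry value, and that an MSI install can be versioned from WINWORD.EXE. The CLSID, the 0x400 flag value and the 16.0.10417.20095 build threshold are taken from the article.

```powershell
# Added example (not Microsoft's code): block the vulnerable COM object in Office via the
# COM Compatibility key and report whether the installed build meets the patched threshold.
#Requires -RunAsAdministrator

$Clsid        = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID named in the advisory
$MinimumBuild = [version]'16.0.10417.20095'                 # patched build per the article

# ASSUMED locations of the "COM Compatibility" node: MSI-based Office 2016/2019 and
# Click-to-Run (Microsoft 365 / Office 2021). Adjust if your installation differs.
$ComCompatNodes = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility'
)

function Set-OfficeComKillBit {
    # Create <node>\<CLSID> with "Compatibility Flags" = 0x400, which tells Office not to
    # activate that COM object inside documents.
    param([string]$Node, [string]$Clsid)
    $keyPath = Join-Path $Node $Clsid
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -PropertyType DWord `
        -Value 0x400 -Force | Out-Null
}

function Test-OfficeComMitigation {
    # True if the 0x400 bit is set for the CLSID under any known COM Compatibility node.
    param([string]$Clsid)
    foreach ($node in $ComCompatNodes) {
        $flags = (Get-ItemProperty -Path (Join-Path $node $Clsid) -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -band 0x400) { return $true }
    }
    return $false
}

function Get-OfficeBuild {
    # Click-to-Run installs expose the build as VersionToReport; MSI installs are
    # versioned here from the WINWORD.EXE file version (assumed fallback).
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $v = (Get-ItemProperty -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
        if ($v) { return [version]$v }
    }
    $candidates = @(
        "$env:ProgramFiles\Microsoft Office*\root\Office16\WINWORD.EXE",
        "$env:ProgramFiles\Microsoft Office\Office16\WINWORD.EXE",
        "${env:ProgramFiles(x86)}\Microsoft Office\Office16\WINWORD.EXE"
    )
    $word = Get-ChildItem -Path $candidates -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($word) { return $word.VersionInfo.FileVersionRaw }
    return $null
}

# Apply the mitigation only under nodes whose parent "Common" key exists, i.e. for the
# Office installation types actually present on this machine.
foreach ($node in $ComCompatNodes) {
    if (Test-Path (Split-Path $node -Parent)) { Set-OfficeComKillBit -Node $node -Clsid $Clsid }
}

$build = Get-OfficeBuild
if ($build -and $build -ge $MinimumBuild) {
    "Office build $build is at or above $MinimumBuild; the update is in place."
} else {
    "Office build '$build' is below $MinimumBuild or undetermined; keep the mitigation and install the update."
}
"COM object $Clsid blocked by Compatibility Flags: $(Test-OfficeComMitigation -Clsid $Clsid)"
```

Run it from an elevated PowerShell session. The build check is a convenience for fleet reporting; the authoritative source remains the "About" page in the Account tab, and the registry block should stay in place until the build threshold is met, since the service-side fix only protects sessions that have restarted Office.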