Microsoft released emergency out-of-band updates to address a high-severity Microsoft Office zero-day vulnerability tracked as CVE-2026-21509 that bypasses OLE/COM mitigations. The flaw affects multiple Office editions (including Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise), with patches for Office 2016 and 2019 not yet available and registry-based mitigations and a service-side fix provided for other versions. #CVE-2026-21509 #MicrosoftOffice
Keypoints
- CVE-2026-21509 is a high-severity Office zero-day that bypasses security mitigations for OLE/COM controls.
- The vulnerability impacts Microsoft Office 2016, 2019, Office LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.
- Security updates for Office 2016 and 2019 are not yet available and will be released as soon as possible.
- Exploitation requires an attacker to send a malicious Office file and convince a user to open it, allowing local, low-complexity attacks that bypass protections.
- Microsoft provided registry mitigation steps (create a COM Compatibility key and set Compatibility Flags = 0x400) and applied a service-side fix for Office 2021+ that requires restarting Office apps.
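One way to apply and then verify the registry mitigation from the last point on a Windows host, as an added example that is neither Microsoft's own guidance script nor code from this page. The CLSID is a placeholder because the page does not give it, and the full key path plus the second (WOW6432Node) view are assumptions based on the long-standing Office COM Compatibility location, not values stated above:

```powershell
# Added example (not from the page or from Microsoft). Applies the COM Compatibility
# mitigation described above and reports whether it is in place.
# ASSUMPTIONS: the CLSID is a placeholder to be taken from Microsoft's advisory; the key
# path is the usual Office location HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility;
# 32-bit Office on 64-bit Windows reads the WOW6432Node view. Run from an elevated shell.

$Clsid = '{PLACEHOLDER-CLSID-FROM-MICROSOFT-ADVISORY}'   # replace before use
$Flag  = 0x400                                           # value the page specifies

# Both registry views so the mitigation covers 64-bit and 32-bit Office installs.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
)

function Set-OfficeComMitigation {
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value $Flag -Force | Out-Null
    }
}

function Test-OfficeComMitigation {
    # One object per view, so results can be collected fleet-wide and compared.
    foreach ($path in $KeyPaths) {
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path      = $path
            Value     = if ($null -eq $current) { 'missing' } else { '0x{0:X}' -f $current }
            Mitigated = ($null -ne $current) -and (($current -band $Flag) -eq $Flag)
        }
    }
}

Set-OfficeComMitigation
Test-OfficeComMitigation | Format-Table -AutoSize
# Open Office applications read the flag on next start; restart them after applying.
```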