Microsoft Office Hit by Zero-Day Exploit
27 Jan
Summary
- Emergency patch released for a critical Office zero-day flaw.
- Vulnerability allows attackers to bypass OLE mitigations.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog.

Microsoft has released an urgent security update to address a critical zero-day vulnerability in Microsoft Office, identified as CVE-2026-21509. The flaw allows threat actors to bypass Object Linking and Embedding (OLE) security measures, potentially leading to malware execution and lateral movement within networks. The vulnerability was reportedly being actively exploited in the wild before a patch was deployed.
The US Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the severity by adding CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog. While exploitation details remain undisclosed, the flaw's ability to bypass OLE mitigations poses a significant risk to users. Microsoft is urging all users to apply the necessary updates to protect their systems.
Users of Office 2021 and later versions will receive the patch automatically on the server side once they restart their applications. Users of Office 2016 and 2019 must install specific updates manually. Microsoft has also provided alternative mitigation steps through Windows Registry modifications for users unable to install the patches immediately.




