
Microsoft issued urgent out-of-band security patches on January 26, 2026, to resolve CVE-2026-21509, a zero-day security feature bypass in Microsoft Office that is being actively exploited by attackers.

The flaw, rated "Important" with a CVSS v3.1 base score of 7.8, stems from Office relying on untrusted input when making a security decision, which lets an attacker bypass the OLE mitigations that are meant to block known-vulnerable COM/OLE components.

CVE-2026-21509 lets a local attacker bypass Office's safeguards once a user has been tricked into opening a malicious file, typically delivered by phishing or other social engineering.

The attack has low complexity and requires no privileges, but it does require user interaction; successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

Microsoft Threat Intelligence Center (MSTIC) confirmed exploitation in the wild, making this the second zero-day actively exploited this month, after those addressed in the January Patch Tuesday updates.

Impacted Products

The vulnerability affects both legacy and current Office versions; the updates were released on January 26, 2026.

Product                  Architecture   KB Article   Build
Office 2016              64-bit         5002713      16.0.5539.1001
Office 2016              32-bit         5002713      16.0.5539.1001
Office LTSC 2024         64/32-bit      N/A          Latest
Office LTSC 2021         64/32-bit      N/A          Latest
M365 Apps Enterprise     64/32-bit      N/A          Latest
Office 2019              64/32-bit      N/A          16.0.10417.20095

Check the installed build via File > Account > About.

Office 2021 and later receive the protection automatically from the service once the applications are restarted; Office 2016 and 2019 require either the update or the registry change below.

Add a DWORD named "Compatibility Flags" (value 400) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (adjust the path for 32-bit Office on 64-bit Windows and for Click-to-Run installs). Back up the registry before making the change, and restart Office applications afterwards.
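The following PowerShell script is an added example, not code from the article or from Microsoft's advisory. It checks the installed Office build against the patched builds in the table above and applies or verifies the "Compatibility Flags" mitigation for the COM class listed above. The WOW6432Node and Click-to-Run registry paths, the reading of "400" as hexadecimal 0x400, and the build-range heuristic used to tell Office 2016 from Office 2019 are all assumptions, as are the function names; run it from an elevated prompt after backing up the registry.

```powershell
# Added example (not from the article or Microsoft): check Office build and
# apply/verify the "Compatibility Flags" mitigation for CVE-2026-21509.

$Clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'

# The first path is the one given in the article. The WOW6432Node variant
# (32-bit Office on 64-bit Windows) and the Click-to-Run virtual hive are
# assumptions about what "adjust the path for architecture/Click-to-Run" means.
$MitigationPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\$Clsid"
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\$Clsid"
    "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\$Clsid"
)

# The article says DWORD value "400"; interpreted here as hexadecimal 0x400
# (assumption), the usual COM "kill bit" style compatibility flag.
$FlagValue = 0x400

# Minimum fixed builds from the table above (MSI installs).
$PatchedBuilds = @{
    'Office 2016' = [version]'16.0.5539.1001'
    'Office 2019' = [version]'16.0.10417.20095'
}

function Get-OfficeBuild {
    # Assumed detection method: read winword.exe's file version via its App Paths entry.
    $appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
    if (-not (Test-Path $appPaths)) { return $null }
    $exe = (Get-ItemProperty -Path $appPaths).'(default)'
    if (-not ($exe -and (Test-Path $exe))) { return $null }
    return [version](Get-Item $exe).VersionInfo.FileVersion
}

function Test-PatchedBuild {
    param([version]$Installed)
    if (-not $Installed) { return 'Office not found' }
    # Heuristic (assumption): MSI Office 2016 builds are 16.0.4xxx-5xxx and
    # Office 2019 is 16.0.10xxx; anything newer is LTSC 2021+/Click-to-Run.
    $product = $null
    if ($Installed.Build -lt 10000) { $product = 'Office 2016' }
    elseif ($Installed.Build -lt 11000) { $product = 'Office 2019' }
    if (-not $product) {
        return "Build $Installed is 2021+/Click-to-Run; restart applications to receive the service-side protection"
    }
    if ($Installed -ge $PatchedBuilds[$product]) { return "$product build $Installed is patched" }
    return "$product build $Installed is BELOW patched build $($PatchedBuilds[$product]); apply the update or the registry mitigation"
}

function Get-MitigationState {
    # One row per candidate path: does the key exist and is the 0x400 bit set?
    foreach ($path in $MitigationPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Path      = $path
            KeyExists = [bool](Test-Path $path)
            Flags     = $value
            Mitigated = ($null -ne $value) -and (($value -band $FlagValue) -eq $FlagValue)
        }
    }
}

function Set-Mitigation {
    # Creates each key if missing and sets the flag. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in $MitigationPaths) {
        if ($PSCmdlet.ShouldProcess($path, "Set 'Compatibility Flags' = 0x$('{0:X}' -f $FlagValue)")) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord -Value $FlagValue -Force | Out-Null
        }
    }
}

# Usage: report the build, preview the change, then show the resulting state.
Test-PatchedBuild (Get-OfficeBuild)
Set-Mitigation -WhatIf          # drop -WhatIf to apply
Get-MitigationState | Format-Table -AutoSize
```

Get-MitigationState tests the 0x400 bit rather than equality, so a value that already carries other compatibility bits still reads as mitigated; Set-Mitigation writes exactly 0x400, matching the article's instruction. Office applications must be restarted for the flag to take effect.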

Organizations should prioritize deploying the patch, enable automatic updates, and monitor for phishing indicators such as unexpected or suspicious Office attachments. This technique is favoured for initial access in ransomware and APT operations, so EDR should be tuned to flag anomalous COM/OLE activity from Office processes. No public proof-of-concept or attribution has been published yet; watch the CISA KEV catalog for updates.
