
Microsoft patches actively exploited Office zero-day vulnerability


In a swift response to escalating cyber threats, Microsoft has issued an emergency security update to remediate a high-severity zero-day vulnerability affecting several versions of Microsoft Office. Tracked as CVE-2026-21509, this security feature bypass flaw impacts Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. The vulnerability is actively being exploited in the wild, making this patch critical for maintaining system security.


The root cause of CVE-2026-21509 lies in the way Microsoft Office handles untrusted inputs during security decisions. This flaw allows an attacker to bypass security features locally by sending a malicious Office file and convincing the user to open it. Specifically, the vulnerability bypasses OLE mitigations designed to protect users from vulnerable COM/OLE controls.


The vulnerability impacts a broad range of Microsoft Office versions, including:

  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021
  • Microsoft Office LTSC 2024
  • Microsoft 365 Apps for Enterprise

It is important to note that while Office 2021 and later versions receive automatic protection via a service-side change (requiring a restart of Office applications), Office 2016 and 2019 require specific mitigation steps or updates that are still forthcoming.


Successful exploitation of CVE-2026-21509 allows attackers to bypass critical security features within Microsoft Office. Although the attack requires user interaction, the impact can be significant, potentially leading to further system compromise. The Common Vulnerabilities and Exposures (CVE) database entry for this vulnerability gives it a severity rating of 7.8. Exploitation involves sending a specially crafted Office file to a user and convincing them to open it, which then bypasses Object Linking and Embedding (OLE) mitigations.


Attackers are actively exploiting this vulnerability by employing specific tactics, techniques, and procedures. Understanding these TTPs is crucial for developing effective defense strategies.

  • TA0001 – Initial Access: Attackers use phishing campaigns to deliver malicious Office files to potential victims.
  • TA0002 – Execution: Once the user opens the malicious file, the attacker can bypass security features and execute arbitrary code.
  • T1566 – Phishing: This technique involves crafting deceptive emails or messages to trick users into opening the malicious Office file.
  • T1204 – User Execution: The vulnerability requires user interaction to execute the malicious code, highlighting the importance of user awareness training.

Microsoft has taken steps to address this actively exploited vulnerability. The following actions are recommended to mitigate the risk:

  • Apply the Patch: Users of Microsoft Office 2021 and later versions should restart their Office applications to enable the service-side fix.
  • Registry Mitigation (Office 2016 & 2019): Until the official patch is available for Office 2016 and 2019, users can apply a registry-based mitigation. Follow these steps:
    1. Close all Microsoft Office applications.
    2. Back up the Windows Registry.
    3. Open the Registry Editor (regedit.exe).
    4. Navigate to the appropriate registry key. This will vary based on the version of Office and Windows (32-bit or 64-bit). The possible locations are:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Office, or 32-bit Office on 32-bit Windows)
      • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Office on 64-bit Windows)
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\
    5. If the COM Compatibility key does not exist, create it under the Common key.
    6. Right-click on the COM Compatibility key, select New -> Key, and name it {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
    7. Right-click on the newly created {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} key, select New -> DWORD (32-bit) Value.
    8. Name the new value Compatibility Flags.
    9. Double-click Compatibility Flags, set the Base to Hexadecimal, and enter 400 in the Value data field.
Example Registry Configuration:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
"Compatibility Flags"=dword:00000400
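The manual steps above are easy to get wrong across the four candidate key locations, so the following PowerShell script is added here as a worked example (it is not a script published by Microsoft or by this page's author). It audits every candidate path from the steps, reports whether an Office 16.0 installation is present there and whether the 0x400 bit is already set in Compatibility Flags, and applies the mitigation only where Office is actually installed, preserving any existing flag bits. The function names Get-OleMitigationState and Set-OleMitigation are assumptions of this example; the CLSID, key paths and value are the ones given in the steps.

```powershell
# Added example, not Microsoft's published mitigation script.
# Audits and optionally applies the COM Compatibility mitigation described above.
# Run from an elevated PowerShell prompt; the ClickToRun paths only exist on Click-to-Run installs.

$Clsid   = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID named in the mitigation steps
$KillBit = 0x400                                       # Compatibility Flags value from the steps

# The four candidate parent keys from the mitigation steps, in PowerShell provider syntax.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)

function Get-OleMitigationState {
    # One object per candidate path: whether the parent Common key exists (an Office
    # install lives there), whether the CLSID key exists, the current flags, and
    # whether the 0x400 bit is set.
    foreach ($base in $BasePaths) {
        $common  = Split-Path -Path $base -Parent
        $keyPath = Join-Path -Path $base -ChildPath $Clsid
        $flags   = $null
        if (Test-Path -LiteralPath $keyPath) {
            $flags = (Get-ItemProperty -LiteralPath $keyPath -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Path          = $keyPath
            OfficePresent = Test-Path -LiteralPath $common
            KeyExists     = Test-Path -LiteralPath $keyPath
            Flags         = $flags
            Mitigated     = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-OleMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Applies the mitigation only where an Office 16.0 Common key already exists, so no
    # stray keys are created for editions that are not installed. Existing flag bits
    # are preserved; only 0x400 is OR-ed in.
    foreach ($state in Get-OleMitigationState) {
        if (-not $state.OfficePresent -or $state.Mitigated) { continue }
        if ($PSCmdlet.ShouldProcess($state.Path, 'Set Compatibility Flags bit 0x400')) {
            # -Force creates the COM Compatibility and CLSID keys if they are missing (steps 5-6).
            $null = New-Item -Path $state.Path -Force
            $newValue = [int]($state.Flags) -bor $KillBit
            Set-ItemProperty -LiteralPath $state.Path -Name 'Compatibility Flags' `
                             -Value $newValue -Type DWord
        }
    }
}

# Audit first; then -WhatIf shows what would change without touching the registry.
Get-OleMitigationState | Format-Table -AutoSize
Set-OleMitigation -WhatIf
# Remove -WhatIf (or pass -Confirm) once the report looks right, then close and
# restart all Office applications so the change takes effect.
```

Running the audit on its own is also a useful compliance check after deployment through a management tool: any row with OfficePresent set to True and Mitigated set to False is a host that still needs the key.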

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.