Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day

CVE-2026-21509 Microsoft Office vulnerability zero-day exploit security patch cybersecurity vulnerability mitigation CISA KEV
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
February 2, 2026 3 min read
Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day

TL;DR

Microsoft has issued an emergency patch for CVE-2026-21509, an actively exploited zero-day vulnerability in Microsoft Office that bypasses security features. The flaw impacts Office 2016 through Microsoft 365 Apps for Enterprise. Learn about the exploit's root cause, affected versions, and essential mitigation steps, including applying patches and specific registry adjustments for older versions to safeguard your systems.

Microsoft Office Zero-Day Vulnerability CVE-2026-21509

Microsoft has released out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability, CVE-2026-21509, which is actively being exploited. This vulnerability is a security feature bypass flaw. The Hacker News

Microsoft Office Zero-Day

Image courtesy of The Hacker News

Vulnerability Details

Identified as CVE-2026-21509, the vulnerability has a CVSS score of 7.8 out of 10. It is described as a security feature bypass in Microsoft Office, where "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally". Microsoft Security Response Center Successful exploitation involves sending a specially crafted Office file and convincing the recipient to open it. The Preview Pane is not an attack vector.

Root Cause The vulnerability CVE-2026-21509 arises from how Microsoft Office manages untrusted inputs during security decisions, allowing attackers to bypass security features locally by sending a malicious Office file and convincing the user to open it. Specifically, the vulnerability bypasses OLE mitigations, which are designed to protect users from vulnerable COM/OLE controls. SecPod Blog

Affected Products The vulnerability impacts several Microsoft Office versions:

  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021
  • Microsoft Office LTSC 2024
  • Microsoft 365 Apps for Enterprise

For Office 2021 and later, automatic protection is provided via a service-side change, requiring a restart of Office applications. However, Office 2016 and 2019 require specific updates or mitigation steps. Infosecurity Magazine

Mitigation Steps

Microsoft advises the following mitigation steps:

  1. Apply the Patch: Restart Office applications for Microsoft Office 2021 and later to enable the service-side fix. Microsoft
  2. Registry Mitigation (Office 2016 & 2019): Apply a registry-based mitigation until the official patch is available for Office 2016 and 2019. SecPod Blog

Registry Mitigation Steps:

  1. Close all Microsoft Office applications.

  2. Back up the Windows Registry. Microsoft Support

  3. Open the Registry Editor (regedit.exe).

  4. Navigate to the appropriate registry key based on your Office and Windows version (32-bit or 64-bit):

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Office, or 32-bit Office on 32-bit Windows)
    • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Office on 64-bit Windows)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\

  5. If the COM Compatibility key does not exist, create it under the Common key.

  6. Right-click on the COM Compatibility key, select New -> Key, and name it {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.

  7. Right-click on the newly created {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} key, select New -> DWORD (32-bit) Value.

  8. Name the new value Compatibility Flags.

  9. Double-click Compatibility Flags, set the Base to Hexadecimal, and enter 400 in the Value data field.

Example Registry Configuration:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
"Compatibility Flags"=dword:00000400

Tactics, Techniques, and Procedures (TTPs) Attackers are actively exploiting this vulnerability using specific TTPs:

  • TA0001 – Initial Access: Phishing campaigns deliver malicious Office files to potential victims.
  • TA0002 – Execution: Once the user opens the malicious file, the attacker can bypass security features and execute arbitrary code.
  • T1566 – Phishing: Crafting deceptive emails or messages to trick users into opening the malicious Office file.
  • T1204 – User Execution: The vulnerability requires user interaction to execute the malicious code.

MITRE ATT&CK

CISA Action The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply patches by February 16, 2026. CISA

CISA KEV Catalog

Image courtesy of SecPod Blog

Gopher Security's Role In light of these vulnerabilities, it is crucial to implement a robust security architecture. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, converging networking and security across devices, apps, and environments. Our platform utilizes peer-to-peer encrypted tunnels and quantum-resistant cryptography to protect against sophisticated threats.

To learn more about how Gopher Security can protect your organization, please visit our website.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

FBI Seizes RAMP Ransomware Forum in Major Cybercrime Crackdown
FBI seizure

FBI Seizes RAMP Ransomware Forum in Major Cybercrime Crackdown

FBI takedown of RAMP cybercrime forum disrupts ransomware networks. Learn how this impacts cybercriminals and what it means for your security. Explore advanced defenses.

By Jim Gagnard February 9, 2026 3 min read
common.read_full_article
Critical OpenSSL RCE Vulnerability CVE-2025-15467 Explained
CVE-2025-15467

Critical OpenSSL RCE Vulnerability CVE-2025-15467 Explained

Urgent alert! A critical OpenSSL vulnerability (CVE-2025-15467) with a CVSS score of 9.8 has been disclosed. Learn how this pre-authentication RCE flaw impacts your systems and get actionable steps for immediate patching. Don't wait, secure your infrastructure now!

By Brandon Woo February 6, 2026 5 min read
common.read_full_article
SolarWinds Addresses Critical RCE and Auth Bypass Vulnerabilities
SolarWinds Web Help Desk vulnerabilities

SolarWinds Addresses Critical RCE and Auth Bypass Vulnerabilities

Critical vulnerabilities in SolarWinds Web Help Desk allow RCE & auth bypass. Patch urgently to protect your systems. Learn more and secure your network today!

By Jim Gagnard February 5, 2026 4 min read
common.read_full_article
AI in Cybersecurity: The Battle Between Agents and Humans
AI agents cybersecurity

AI in Cybersecurity: The Battle Between Agents and Humans

Wiz Research pitted AI agents against human hackers in web hacking challenges. Discover AI's surprising capabilities and limitations in cybersecurity for 2026. Read the full findings!

By Alan V Gutnov February 4, 2026 4 min read
common.read_full_article