
Hackers Are Actively Exploiting Critical Microsoft Office Flaw—Patch Now or Risk Takeover

Microsoft rushes an emergency fix for actively exploited Office zero-day CVE-2026-21509. Attackers bypass security to execute malicious code.


Microsoft has scrambled to release an out-of-band security patch for a high-severity zero-day vulnerability in Office that attackers are actively weaponising in the wild. The flaw, tracked as CVE-2026-21509 with a CVSS score of 7.8, allows threat actors to slip past critical security defences and execute malicious code on targeted systems.

The vulnerability stems from Office's reliance on untrusted inputs when making security decisions—a design weakness that bypasses the OLE (Object Linking and Embedding) protections meant to block untrusted COM controls.

In practice, this means attackers can craft booby-trapped Office documents that, once opened by an unsuspecting victim, punch straight through Microsoft's security barriers.

What makes this particularly concerning is the active exploitation happening right now. Microsoft's own threat intelligence teams—including MSTIC, MSRC, and the Office Product Group Security Team—discovered both the vulnerability and the ongoing attacks, though the company has remained tight-lipped about who's behind the campaigns or which organisations are being targeted.

"We recommend impacted customers follow the guidance on our CVE page," Microsoft told SecurityWeek. "Additionally, Microsoft Defender has detections in place to block exploitation, and our default Protected View setting provides an extra layer of protection by blocking malicious files from the Internet."

The attack chain requires social engineering—victims must be tricked into opening a malicious Office file. However, the sophistication of the exploit and its apparent use in targeted operations suggest this isn't your typical spray-and-pray campaign. Security researchers believe the zero-day is being leveraged for espionage or high-value targeting rather than mass exploitation.

Who Needs to Act Immediately

The vulnerability affects Microsoft Office 2016, 2019, 2021, and Microsoft 365. Here's what you need to know:

Office 2021 and Microsoft 365 users benefit from an automatic service-side fix, but you must restart all Office applications for the protection to activate. Office 2016 and 2019 users face a more urgent situation—you're exposed until you manually install security updates or apply emergency registry-based mitigations.

To verify you're protected, check your Office build number (File → Account → About). The patched version is 16.0.10417.20095 or higher. If you're running an older build, update immediately.

The U.S. Cybersecurity and Infrastructure Security Agency has already added CVE-2026-21509 to its Known Exploited Vulnerabilities catalogue, mandating that federal agencies patch by February 16, 2026. That deadline should tell you everything about the severity of this threat.

For organisations that can't deploy patches immediately, Microsoft has provided a temporary workaround involving registry modifications to disable the vulnerable COM object (CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}). However, this is a stopgap measure—permanent patching remains the only reliable defence.
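The two checks the article describes (compare the Office build against 16.0.10417.20095, and confirm whether the registry workaround for the named CLSID is in place) can be run from PowerShell as a read-only audit. The script below is an added example written for this page; it is not the article's code and not Microsoft's guidance. The build number and CLSID come from the article; everything else is an assumption: that Click-to-Run installs expose their build in `HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` under `VersionToReport`, that MSI installs can be located through the `App Paths\Winword.exe` entry and read from the file version of WINWORD.EXE, and that the workaround uses the Office `COM Compatibility` registry key with a `Compatibility Flags` value whose 0x400 bit acts as a kill bit for the control. Verify those paths against Microsoft's CVE page before relying on the result.

```powershell
# Added example (not from the article or Microsoft): read-only exposure audit for CVE-2026-21509.
# Values taken from the article:
$PatchedBuild    = [version]'16.0.10417.20095'
$VulnerableClsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'

function Get-OfficeBuild {
    # Assumption: Click-to-Run installs (Microsoft 365, Office 2019/2021 retail) record the
    # build in this key.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $v = (Get-ItemProperty -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
    if ($v) { return [version]$v }

    # Assumption: MSI-based Office 2016/2019 can be found via the App Paths entry for Winword.exe
    # and the build read from the executable's file version.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
    $exe = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'
    if ($exe -and (Test-Path $exe)) {
        return [version](Get-Item $exe).VersionInfo.FileVersion
    }
    return $null   # Office not found (or installed somewhere this audit does not look)
}

function Test-ComKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Assumption: the workaround sets 'Compatibility Flags' = 0x400 under the Office
    # COM Compatibility key for the CLSID, in HKCU and/or HKLM.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key   = "${hive}:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\$Clsid"
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Hive       = $hive
            KeyPresent = ($null -ne $flags)
            KillBitSet = (($flags -band 0x400) -ne 0)   # $null -band 0x400 evaluates to 0
        }
    }
}

function Get-Cve202621509Status {
    $build      = Get-OfficeBuild
    $isPatched  = ($null -ne $build) -and ($build -ge $PatchedBuild)
    $workaround = Test-ComKillBit -Clsid $VulnerableClsid

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OfficeBuild    = $build
        PatchedBuild   = $PatchedBuild
        BuildIsPatched = $isPatched
        WorkaroundHKCU = ($workaround | Where-Object Hive -eq 'HKCU').KillBitSet
        WorkaroundHKLM = ($workaround | Where-Object Hive -eq 'HKLM').KillBitSet
        # Exposed unless the build is at or above the fixed build, or the kill bit is set somewhere.
        Exposed        = -not ($isPatched -or ($workaround.KillBitSet -contains $true))
    }
}

Get-Cve202621509Status | Format-List
```

Run it in a normal user session (no elevation is needed to read these keys). A result of `BuildIsPatched = False` with both workaround fields `False` is the "exposed" case the article warns about; note that even on a patched build the article's instruction to restart every Office application still applies, and nothing in this script can confirm that the running processes have picked up the fix.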

Bottom line: If you use Microsoft Office in any capacity, this vulnerability demands your immediate attention. The combination of active exploitation, available exploit code, and widespread Office deployment creates a perfect storm for potential compromise. Don't wait for the next wave of attacks to arrive in your inbox.
