CVE-2026-21509: Actively Exploited Microsoft Office Zero-Day Forces Emergency Patch


Shortly after its January Patch Tuesday release, which addressed 114 vulnerabilities including a zero-day in Windows Desktop Manager (CVE-2026-20805), Microsoft rushed out an emergency out-of-band update to fix another bug under active exploitation. This time, attackers are targeting CVE-2026-21509, a Microsoft Office zero-day that allows threat actors to bypass built-in security features.

In view of the exploitation cases confirmed by Microsoft, the flaw has been promptly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring US federal civilian agencies to patch it by February 16, 2026.

Microsoft products continue to be a juicy target for zero-day exploits, with 41 vulnerabilities identified as zero-days last year, 24 of which were leveraged for in-the-wild attacks, according to Tenable. The Windows operating system and Office components remain the primary attack vectors, with this trend persisting into 2026.  

Sign up for SOC Prime Platform, aggregating the world’s largest detection intelligence dataset and offering a complete product suite that empowers SOC teams to seamlessly handle everything from detection to simulation. The Platform features a large collection of rules addressing critical exploits and cyber threats of any sophistication. Just press Explore Detections and immediately drill down to a relevant detection stack filtered by “CVE” tag.


All rules are mapped to the latest MITRE ATT&CK® framework v18.1 and are compatible with multiple SIEM, EDR, and Data Lake platforms. Additionally, each rule comes packed with broad metadata, including CTI references, attack flows, audit configurations, and more.

Cyber defenders can also use Uncoder AI to streamline their detection engineering routine. Turn raw threat reports into actionable behavior rules, test your detection logic, map out attack flows, turn IOCs into hunting queries, or instantly translate detection code across languages backed by the power of AI and deep cybersecurity expertise behind every step.

CVE-2026-21509 Analysis

On January 26, 2026, Microsoft issued an advisory detailing a security feature bypass vulnerability affecting Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise.

The security issue arises from Microsoft Office’s reliance on untrusted inputs in security decisions, which allows unauthenticated local attackers to bypass a security feature. Specifically, CVE-2026-21509 allows threat actors to bypass OLE mitigations in Microsoft 365 and Office, exposing users to vulnerable COM/OLE controls.

Exploitation typically involves convincing a user to open a malicious Office file sent by the attacker. While Microsoft notes that the Preview Pane is not an attack vector, the vulnerability can still be abused through low-complexity attacks that require only user interaction.

Microsoft credits its internal cybersecurity research teams for the vulnerability disclosure and shares very little information on the exploitation cases; the security advisory only confirms exploitation attempts in the wild. A public PoC exploit is not yet available, suggesting that a limited number of threat actors might have leveraged the flaw in targeted campaigns.

Notably, users of Office 2021 and later are automatically protected through a service-side fix once they restart the applications. Office 2016 and 2019 require either installing the upcoming security update or manually applying a registry change to block the vulnerable COM/OLE controls. This involves adding a specific subkey under the COM Compatibility registry node and setting a Compatibility Flags DWORD value to 400. Users should back up the registry before making any changes and restart Office for the protections to take effect.
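The following PowerShell script is an added example for auditing (and optionally applying) the Office 2016/2019 registry mitigation described above; it is not taken from the SOC Prime post or from Microsoft's advisory. It assumes the subkey is named after the CLSID of the vulnerable control (placeholder below; take the real GUID from Microsoft's advisory), that the parent node is HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility (plus its WOW6432Node twin for 32-bit Office on 64-bit Windows), and that the advisory's "400" is hexadecimal, i.e. 0x400.

```powershell
# Added example (not from the SOC Prime post or Microsoft's advisory): audit, and with
# $Apply = $true set, the Office 2016/2019 COM Compatibility mitigation for CVE-2026-21509.
# Assumptions: subkey name = CLSID of the blocked control (placeholder below), parent
# node path as listed in $ParentKeys, and the advisory's "400" is hex (0x400).

$Clsid         = '{CLSID-FROM-MICROSOFT-ADVISORY}'   # PLACEHOLDER, not a real GUID
$ExpectedFlags = 0x400
$Apply         = $false                               # audit only; run elevated to apply

$ParentKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility'
)

function Test-OfficeComMitigation {
    param([string]$Parent, [string]$Clsid, [int]$Expected)
    $key = Join-Path $Parent $Clsid
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Key = $key; Flags = $null; Status = 'SubkeyMissing' }
    }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) {
        return [pscustomobject]@{ Key = $key; Flags = $null; Status = 'ValueMissing' }
    }
    # Compatibility Flags is a bitmask; the mitigation is in place only when the 0x400 bit is set.
    $status = if (($flags -band $Expected) -eq $Expected) { 'Applied' } else { 'BitNotSet' }
    [pscustomobject]@{ Key = $key; Flags = ('0x{0:X}' -f $flags); Status = $status }
}

function Set-OfficeComMitigation {
    param([string]$Parent, [string]$Clsid, [int]$Flags)
    $key = Join-Path $Parent $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Choice made here: OR the 0x400 bit into any existing value instead of overwriting it.
    $current  = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newValue = if ($null -eq $current) { $Flags } else { $current -bor $Flags }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $newValue -Force | Out-Null
}

foreach ($parent in $ParentKeys) {
    if (-not (Test-Path $parent)) { continue }   # node absent, e.g. no 32-bit Office installed
    $result = Test-OfficeComMitigation -Parent $parent -Clsid $Clsid -Expected $ExpectedFlags
    if ($Apply -and $result.Status -ne 'Applied') {
        # Back up first (reg export "<parent key>" backup.reg) and restart Office afterwards.
        Set-OfficeComMitigation -Parent $parent -Clsid $Clsid -Flags $ExpectedFlags
        $result = Test-OfficeComMitigation -Parent $parent -Clsid $Clsid -Expected $ExpectedFlags
    }
    $result
}
```

Run it as-is on each Office 2016/2019 host to get a per-key status line; a fleet-wide sweep of the same check (via remoting or your EDR's script runner) shows which endpoints still rely on the unpatched code path.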

Organizations that rely on the affected Microsoft Office products are urged to apply the patches immediately or follow the mitigation steps described in the advisory. Also, by enhancing their defenses with SOC Prime’s AI-Native Detection Intelligence Platform, SOC teams can source detection content from the largest and most up-to-date repository, seamlessly adopt the full pipeline from detection to simulation into their security processes, orchestrate workflows in natural language, and smoothly navigate the ever-changing threat landscape while strengthening defenses at scale.
