Microsoft Patches Office Zero-Day Likely Exploited in Targeted Attacks

Posted on By CWS

Microsoft has launched patches for CVE-2026-21509, a newly disclosed Workplace zero-day vulnerability that may be exploited to bypass security measures.

The tech large’s advisory for CVE-2026-21509 mentions that it’s conscious of lively exploitation. 

The vulnerability and the in-the-wild assaults had been found by Microsoft’s personal safety researchers, however the firm has but to share any data on the malicious exercise.

In line with Microsoft’s description of the zero-day, “Reliance on untrusted inputs in a safety resolution in Microsoft Workplace permits an unauthorized attacker to bypass a safety function domestically.”

The corporate additionally clarified that the vulnerability “bypasses OLE mitigations in Microsoft 365 and Microsoft Workplace which shield customers from susceptible COM/OLE controls”.

Exploitation requires the attacker to persuade the focused person to open a malicious Workplace file. Commercial. Scroll to proceed studying.

The requirement for social engineering, mixed with the exploit’s complexity and the potential want for a multi-stage assault chain, signifies that this zero-day is getting used for focused espionage or different high-value operations relatively than broad, opportunistic campaigns.

SecurityWeek has reached out to Microsoft for extra data and can replace this text if the corporate responds.

Microsoft has launched patches for all affected variations of Workplace, together with 2016, 2019, LTSC 2024, LTSC 2021, and Microsoft 365 Apps for Enterprise.

Mitigations are additionally obtainable for customers who can’t instantly replace their Workplace installations. 

The cybersecurity company CISA has added CVE-2026-21509 to its Recognized Exploited Vulnerabilities (KEV) catalog, instructing authorities organizations to deal with it by February 16.

Microsoft’s January 2026 Patch Tuesday updates resolved greater than 110 vulnerabilities, together with a Home windows zero-day whose exploitation was found by the seller’s personal researchers. No data has been shared on these assaults both. 

Associated: Microsoft Patches 57 Vulnerabilities, Three Zero-Days

Associated: RedVDS Cybercrime Service Disrupted by Microsoft and Legislation Enforcement

Associated: New ‘Reprompt’ Assault Silently Siphons Microsoft Copilot Information

Security Week News Tags:, , , , , ,

Related Posts

ChatGPT Vulnerability Exposed Underlying Cloud Infrastructure Security Week News
UK Government Unveils New Cyber Action Plan Security Week News
Chrome to Distrust Chunghwa Telecom and Netlock Certificates Security Week News
Logitech Confirms Data Breach Following Designation as Oracle Hack Victim Security Week News
Browser Extensions Pose Serious Threat to Gen-AI Tools Handling Sensitive Data  Security Week News
Microsoft Unveils Security Enhancements for Identity, Defense, Compliance Security Week News