Microsoft Patches Office Zero-Day Likely Exploited in Targeted Attacks

Microsoft Patches Office Zero-Day Likely Exploited in Targeted Attacks

Posted on By CWS

Microsoft has launched patches for CVE-2026-21509, a newly disclosed Workplace zero-day vulnerability that may be exploited to bypass security measures.

The tech large’s advisory for CVE-2026-21509 mentions that it’s conscious of lively exploitation. 

The vulnerability and the in-the-wild assaults had been found by Microsoft’s personal safety researchers, however the firm has but to share any data on the malicious exercise.

In line with Microsoft’s description of the zero-day, “Reliance on untrusted inputs in a safety resolution in Microsoft Workplace permits an unauthorized attacker to bypass a safety function domestically.”

The corporate additionally clarified that the vulnerability “bypasses OLE mitigations in Microsoft 365 and Microsoft Workplace which shield customers from susceptible COM/OLE controls”.

Exploitation requires the attacker to persuade the focused person to open a malicious Workplace file. Commercial. Scroll to proceed studying.

The requirement for social engineering, mixed with the exploit’s complexity and the potential want for a multi-stage assault chain, signifies that this zero-day is getting used for focused espionage or different high-value operations relatively than broad, opportunistic campaigns.

SecurityWeek has reached out to Microsoft for extra data and can replace this text if the corporate responds.

Microsoft has launched patches for all affected variations of Workplace, together with 2016, 2019, LTSC 2024, LTSC 2021, and Microsoft 365 Apps for Enterprise.

Mitigations are additionally obtainable for customers who can’t instantly replace their Workplace installations. 

The cybersecurity company CISA has added CVE-2026-21509 to its Recognized Exploited Vulnerabilities (KEV) catalog, instructing authorities organizations to deal with it by February 16.

Microsoft’s January 2026 Patch Tuesday updates resolved greater than 110 vulnerabilities, together with a Home windows zero-day whose exploitation was found by the seller’s personal researchers. No data has been shared on these assaults both. 

Associated: Microsoft Patches 57 Vulnerabilities, Three Zero-Days

Associated: RedVDS Cybercrime Service Disrupted by Microsoft and Legislation Enforcement

Associated: New ‘Reprompt’ Assault Silently Siphons Microsoft Copilot Information

Security Week News Tags:, , , , , ,

Related Posts

Unauthenticated RCE Flaw Patched in DrayTek Routers Unauthenticated RCE Flaw Patched in DrayTek Routers Security Week News
In Other News: Nvidia Says No to Backdoors, Satellite Hacking, Energy Sector Assessment In Other News: Nvidia Says No to Backdoors, Satellite Hacking, Energy Sector Assessment Security Week News
DOJ Antitrust Review Clears Google’s Billion Acquisition of Wiz DOJ Antitrust Review Clears Google’s $32 Billion Acquisition of Wiz Security Week News
F5 Hack: Attack Linked to China, BIG-IP Flaws Patched, Governments Issue Alerts  F5 Hack: Attack Linked to China, BIG-IP Flaws Patched, Governments Issue Alerts  Security Week News
HeroDevs Raises 5 Million to Secure Deprecated OSS HeroDevs Raises $125 Million to Secure Deprecated OSS Security Week News
UAE’s K2 Think AI Jailbroken Through Its Own Transparency Features UAE’s K2 Think AI Jailbroken Through Its Own Transparency Features Security Week News