High Severity Vulnerability in Microsoft Office
28 January 2026
Background
Microsoft has released emergency out-of-band security updates to address a high severity vulnerability (CVE-2026-21509) affecting its Microsoft Office products.
Impact
Successful exploitation of this security feature bypass vulnerability could allow an attacker to bypass Microsoft Office security mitigations once a user is tricked into opening a malicious Office file. A local unauthenticated attacker can then gain access to the computer and steal files or install malware.
Affected Products
The vulnerability affects the following products:
Microsoft Office 2016
Microsoft Office 2019
Microsoft Office LTSC 2021
Microsoft Office LTSC 2024
Microsoft 365 Apps for Enterprise
Known Exploitation
The vulnerability is reportedly being exploited in the wild.
Mitigation
Users and administrators running Microsoft Office 2021 and later versions are advised to restart their Office applications so that they are secured automatically. Users and administrators of Office 2016 and 2019 are advised to update to the latest version immediately.
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
https://nvd.nist.gov/vuln/detail/CVE-2026-21509
https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/
