Alerts
High Severity Vulnerability in Microsoft Office
28 January 2026
Microsoft has released emergency out-of-band security updates to address a high severity vulnerability (CVE-2026-21509) affecting their Microsoft Office products.
Background
Microsoft has released emergency out-of-band security updates to address a high severity vulnerability (CVE-2026-21509) affecting their Microsoft Office products.
Impact
Successful exploitation of the security feature bypass vulnerability could allow an attacker to bypass Microsoft Office security mitigations once a user is tricked into opening a malicious Office file. A local unauthenticated attacker can then gain access to the computer, and steal files or install malware.
Affected Products
The vulnerability affects the following products:
Microsoft Office 2016
Microsoft Office 2019
Microsoft Office LTSC 2021
Microsoft Office LTSC 2024
Microsoft 365 Apps for Enterprise
Known Exploitation
The vulnerability is reportedly being exploited in the wild.
Mitigation
Users and administrators running Microsoft Office 2021 and later versions are advised to restart their Office applications to be automatically secured. Users and administrators of Office 2016 and 2019 are advised to update to the latest version immediately.
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
https://nvd.nist.gov/vuln/detail/CVE-2026-21509
https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/