CVE-2026-21509 — Microsoft Office Security Feature Bypass Vulnerability

Microsoft Office — OLE Security Feature Bypass Exploited by APT28 (Operation Neusploit)

What is Microsoft Office?

Microsoft Office is the dominant productivity suite in enterprise environments worldwide, used by hundreds of millions of people for document creation, spreadsheets, and presentations. Office's OLE (Object Linking and Embedding) feature allows documents to embed or link external objects — a powerful data-sharing mechanism that has historically been a prime attack surface. Security features like Protected View and "Enable Content" prompts exist specifically to warn users before executing potentially malicious embedded content. Bypassing these warnings allows attackers to achieve code execution silently when a user simply opens a crafted document.

Overview

CVE-2026-21509 is a security feature bypass vulnerability (CWE-807: Reliance on Untrusted Inputs in a Security Decision) in Microsoft Office's OLE handling. Attackers craft a malicious Office document that manipulates the document's internal XML structure to mark a malicious OLE object as trusted, causing Office to execute embedded content without displaying the "Enable Content" or Protected View prompts. No macros are required — exploitation is triggered automatically when the document is opened. Microsoft issued an emergency out-of-band patch on 26 January 2026 after confirming active zero-day exploitation by APT28 (Fancy Bear).

Affected Versions

Product | Vulnerable | Fixed
Microsoft 365 Apps for Enterprise (32-bit and 64-bit) | All versions before the Jan 26, 2026 patch | Jan 26, 2026 out-of-band update
Microsoft Office LTSC 2024 | All versions before the patch | Jan 26, 2026 update
Microsoft Office LTSC 2021 | All versions before the patch | Jan 26, 2026 update
Microsoft Office 2019 | All versions before the patch | Jan 26, 2026 update (interim workaround)
Microsoft Office 2016 | All versions before the patch | Jan 26, 2026 update (interim workaround)

Note: Office 2016 and 2019 received interim mitigations while a final patch was prepared. Some versions may be end-of-life (EoL) — Microsoft advised discontinuing use of unsupported versions.

Technical Details

The vulnerability (CWE-807: Reliance on Untrusted Inputs in a Security Decision) exists in how Office's OLE handler evaluates trust during document load. OOXML documents are ZIP packages whose parts, and the relationships between them, are described in XML, including the embedded or linked objects a document carries. The OLE handler reads trust flags from this attacker-controlled XML to decide whether to silently activate embedded content or prompt the user. By crafting the document XML to assert that a malicious OLE object is already trusted, an attacker bypasses the "Enable Content" and Protected View decision logic entirely: the security decision is made on input the attacker supplies.

Exploit delivery used WebDAV: the malicious document references an OLE payload on an attacker-controlled server and Office fetches it at open time, so the payload itself does not need to be embedded in the document. This simplifies evasion, since the document may appear clean to static analysis and the retrieval rides over ordinary HTTP(S) ports. No macros, scripts, or user interaction beyond opening the file is required.
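The two paragraphs above describe the document side of the attack: an OLE object declared in the package XML, resolved from a remote (WebDAV) location. The following triage script is an added example, not Microsoft's code or anything from the advisory. It unpacks an OOXML container, pairs every OLEObject element with its relationship, and flags objects whose target is external or carries an http/UNC path. The indicators it uses (TargetMode="External", remote targets, UpdateMode="Always", embedded binary parts) are generic OLE-abuse heuristics; the specific trust flag this CVE manipulates is not named in the advisory and is not modelled here. The sample document is constructed in-memory for the example.

```python
"""Triage an OOXML container (.docx/.xlsx/.pptx) for OLE objects and external links.

Added example, not Microsoft's code. Assumptions: the indicators below
(oleObject relationships with TargetMode="External", http/UNC targets,
UpdateMode="Always", embedded .bin parts) are generic OLE-abuse heuristics,
not the specific trust flag the advisory says CVE-2026-21509 manipulates.
"""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_REL = R_NS + "/oleObject"
SUSPICIOUS_PREFIXES = ("http://", "https://", "\\\\", "file://")


def _relationships(zf, part):
    """Parse the .rels file that belongs to `part`; return {Id: (Type, Target, Mode)}."""
    d, f = posixpath.split(part)
    rels = posixpath.join(d, "_rels", f + ".rels")
    out = {}
    if rels in zf.namelist():
        for rel in ET.fromstring(zf.read(rels)).findall(f"{{{REL_NS}}}Relationship"):
            out[rel.get("Id")] = (rel.get("Type", ""), rel.get("Target", ""),
                                  rel.get("TargetMode", "Internal"))
    return out


def scan_ooxml(data: bytes) -> list:
    """Return one finding per OLEObject element / embedded payload in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "/embeddings/" in name:  # payload carried inside the package
                findings.append({"kind": "embedded_object", "part": name,
                                 "size": zf.getinfo(name).file_size})
            if not name.endswith(".xml") or "/_rels/" in name:
                continue
            rels = _relationships(zf, name)
            for el in ET.fromstring(zf.read(name)).iter():
                if el.tag.rsplit("}", 1)[-1] != "OLEObject":  # any prefix: o:, v:, ...
                    continue
                rid = el.get(f"{{{R_NS}}}id")
                rtype, target, mode = rels.get(rid, ("", "", "Internal"))
                external = mode == "External" or target.lower().startswith(SUSPICIOUS_PREFIXES)
                findings.append({
                    "kind": "external_ole_link" if external else "ole_object",
                    "part": name, "rid": rid, "target": target,
                    "progid": el.get("ProgID"),
                    "auto_update": el.get("UpdateMode") == "Always",
                    "rel_is_ole": rtype == OLE_REL,
                })
    return findings


def verdict(findings: list) -> str:
    """Collapse findings into a triage label for a mail gateway or sandbox pipeline."""
    kinds = {f["kind"] for f in findings}
    if "external_ole_link" in kinds:
        return "BLOCK: OLE object resolved from an external location"
    if kinds & {"ole_object", "embedded_object"}:
        return "REVIEW: document carries OLE content"
    return "CLEAN: no OLE content"


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (not a real sample): one linked, one embedded OLE object."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:o="urn:schemas-microsoft-com:office:office" '
        f'xmlns:r="{R_NS}"><w:body><w:p><w:r><w:object>'
        '<o:OLEObject Type="Link" ProgID="Package" r:id="rId5" UpdateMode="Always"/>'
        '<o:OLEObject Type="Embed" ProgID="Package" r:id="rId6"/>'
        '</w:object></w:r></w:p></w:body></w:document>')
    rels_xml = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId5" Type="{OLE_REL}" '
        'Target="http://webdav.invalid/share/payload.bin" TargetMode="External"/>'
        f'<Relationship Id="rId6" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_ooxml(build_sample_docx())
    for f in result:
        print(f)
    print(verdict(result))
```

Run it against a real attachment by replacing build_sample_docx() with the file's bytes. A linked object with an external target and UpdateMode="Always" is the combination to quarantine outright, since Office will try to resolve it at open time; an embedded .bin alone warrants analyst review rather than an automatic block.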

Discovery

Discovered by Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and the Office Product Group Security Team. The zero-day was identified through threat intelligence before an external report was received.

Exploitation Context

APT28 (Fancy Bear, UAC-0001), a Russian state-sponsored threat actor, weaponized this vulnerability within 24 hours of the patch becoming public, in a campaign dubbed "Operation Neusploit" by researchers. Targets included Ukrainian government agencies as well as military and government entities in Poland, Slovenia, Turkey, Greece, and the UAE. Payloads were delivered via phishing emails carrying crafted Office attachments, and APT28 used cloud-based command-and-control infrastructure to evade detection. CISA added the CVE to the KEV catalog on the same day as the emergency patch release.

Remediation

  1. Apply the emergency patch immediately — install the 26 January 2026 out-of-band update via Windows Update or the Microsoft Update Catalog.
  2. For Office 2016/2019, apply the interim mitigation per Microsoft's advisory while awaiting the final patch.
  3. Disable OLE object execution in Office via Group Policy: Computer Configuration → Administrative Templates → Microsoft Office → Security → Disable all OLE server activation.
  4. Enable Protected View for files from the internet, email attachments, and potentially unsafe locations — enforced via Group Policy.
  5. Block WebDAV connections at the perimeter to prevent payload retrieval from attacker-controlled servers. WebDAV is carried over ordinary HTTP(S), so this means filtering WebDAV methods (PROPFIND, OPTIONS, and similar) and outbound traffic from the Windows WebClient service at the proxy, not simply closing a port; disabling the WebClient service on endpoints that do not need it removes the client side entirely.
  6. Train users not to open unsolicited Office documents, particularly those received via email.
  7. Review email gateway rules to quarantine Office documents from external senders pending user review.

Key Details

Property | Value
CVE ID | CVE-2026-21509
Vendor / Product | Microsoft — Office
NVD Published | 2026-01-26
NVD Last Modified | 2026-02-11
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-807
CISA KEV Added | 2026-01-26
CISA KEV Deadline | 2026-02-16
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-02-16. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2026-01-26 | Microsoft releases out-of-band emergency patch; CVE published; added to CISA KEV catalog as an actively exploited zero-day
2026-02-11 | NVD entry last modified
2026-02-16 | CISA BOD 22-01 remediation deadline