Microsoft confirmed active exploitation of CVE-2026-21509, a zero-day vulnerability scoring 7.8 on the CVSS scale and affecting Office 2016 through Microsoft 365 Apps for Enterprise. The company rushed emergency patches on January 26, 2026, though Office 2016 and 2019 users still await fixes and must rely on manual registry modifications for now. Exploitation requires opening a malicious file; the Preview Pane will not trigger it. This zero-day emerged alongside 113 other vulnerabilities patched in January's Patch Tuesday, including three additional exploited flaws that demand immediate attention from organizations.
Microsoft has confirmed that attackers are actively exploiting a zero-day vulnerability in Office applications, prompting the company to release emergency out-of-band security updates on January 26, 2026. The security feature bypass flaw, tracked as CVE-2026-21509, affects virtually every modern Office version and has earned a CVSS score of 7.8—serious enough to warrant immediate action from organisations worldwide.
The vulnerability exists because Office relies on untrusted inputs when making security decisions, effectively allowing attackers to bypass OLE mitigations designed to protect against vulnerable COM and OLE controls. Think of it as a bouncer at an exclusive club checking IDs against a list provided by the very people trying to sneak in.
The exploitation mechanism requires user interaction, meaning attackers must convince targets to open malicious Office files. Fortunately, the Preview Pane isn’t an attack vector, so accidentally hovering over a suspicious email won’t trigger the exploit.
Affected products span the entire Office ecosystem: Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise are all vulnerable. The good news? Patches are already available for Office LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. The less-than-ideal news: updates for Office 2016 and 2019 remain “forthcoming,” though Microsoft promises they’ll arrive soon.
For those running Office 2021 or later, protection comes via a service-side change that kicks in after restarting your applications. Yes, really—sometimes the old “turn it off and on again” advice actually solves critical security problems.
Users stuck on older versions without patches can implement a manual registry modification that adds a COM Compatibility key with specific Compatibility Flags. Standard warning applies: back up your registry before making changes unless you enjoy troubleshooting mysterious system failures. Before editing the registry, ensure all Microsoft Office applications are closed to prevent conflicts or corruption during the modification process.
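The procedure the paragraph describes, as an added PowerShell example that is not from the article or from Microsoft: it refuses to run while Office is open, exports the existing branch so the change can be reverted, writes the COM Compatibility key with its Compatibility Flags value, and reads the value back to confirm it took. The article does not state the key path, the CLSID or the flag value, so the path below is an assumption and the CLSID and flag are placeholders; the real values must be taken from Microsoft's advisory for CVE-2026-21509 before the script is used.

```powershell
# Added example (not from the article or from Microsoft). Applies the
# article's manual mitigation for unpatched Office 2016/2019 in its order:
#   1) confirm all Office applications are closed
#   2) back up the affected registry branch
#   3) create the COM Compatibility key and its 'Compatibility Flags' DWORD
#   4) read the value back to verify the write
#
# ASSUMPTIONS: the article gives no key path, CLSID or flag value. $ParentKey
# is an assumed location; $Clsid and $CompatibilityFlags are placeholders.
# Replace all three with the values from Microsoft's advisory. Run elevated.

param(
    # Placeholder: the CLSID Microsoft lists in the advisory.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    # Placeholder: the DWORD value Microsoft lists in the advisory.
    [uint32]$CompatibilityFlags = 0x0,
    # Assumed parent path; confirm against the advisory.
    [string]$ParentKey = 'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
    [string]$BackupDir = "$env:ProgramData\OfficeMitigationBackup"
)

# Step 1: stop if any Office process is still running.
$officeProcs = 'WINWORD','EXCEL','POWERPNT','OUTLOOK','MSACCESS','ONENOTE','VISIO','MSPUB'
$running = Get-Process -Name $officeProcs -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | Select-Object -ExpandProperty Name -Unique) -join ', '
    throw "Close these Office applications first: $names"
}

# Step 2: export the existing branch; 'reg import <file>' reverts the change.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = Join-Path $BackupDir "COM-Compatibility-$stamp.reg"
$regPath = $ParentKey -replace '^HKLM:\\', 'HKLM\'   # reg.exe syntax, no colon
if (Test-Path $ParentKey) {
    reg.exe export $regPath $backup /y | Out-Null
    Write-Host "Backup written to $backup"
} else {
    Write-Host "Parent key does not exist yet; nothing to back up."
}

# Step 3: create the per-CLSID key and set the REG_DWORD 'Compatibility Flags'.
$targetKey = Join-Path $ParentKey $Clsid
New-Item -Path $targetKey -Force | Out-Null
New-ItemProperty -Path $targetKey -Name 'Compatibility Flags' `
    -PropertyType DWord -Value $CompatibilityFlags -Force | Out-Null

# Step 4: read the value back; only report success if it matches.
$applied = (Get-ItemProperty -Path $targetKey -Name 'Compatibility Flags').'Compatibility Flags'
if ($applied -ne $CompatibilityFlags) {
    throw ("Verification failed: expected 0x{0:X} but found 0x{1:X}" -f $CompatibilityFlags, $applied)
}
Write-Host ("Mitigation applied: {0}\Compatibility Flags = 0x{1:X}" -f $targetKey, $applied)
```

The exported `.reg` file is the rollback path once Microsoft ships the Office 2016/2019 update: `reg import` of that file restores the branch to its pre-mitigation state, which matters because a stale Compatibility Flags entry can keep a control disabled after the patched build no longer needs it.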
This zero-day emerged during January 2026’s Patch Tuesday, which addressed a staggering 113 to 114 vulnerabilities across Microsoft’s product portfolio. Three zero-days received patches that month, including CVE-2026-20805, a Desktop Window Manager information disclosure flaw with a CVSS score of 5.5 that earned a spot on CISA’s Known Exploited Vulnerabilities catalog. Federal agencies must patch that one by February 3, 2026.
Two additional Office RCE vulnerabilities—CVE-2026-20952 and CVE-2026-20953—scored Critical ratings with CVSS 8.4, though exploitation appears less likely. Security experts recommend risk-based prioritization when evaluating these threats, as vendor severity ratings may not fully capture the urgency required for proper defense.
The January release showcased Microsoft’s ongoing security challenges: 8 Critical vulnerabilities, 57 elevation of privilege flaws representing roughly half of all patches, and 22 remote code execution issues.
For organisations navigating this security environment, the message is clear—patch immediately where possible, implement registry mitigations for unsupported versions, and maintain healthy scepticism toward unsolicited Office documents. Your network’s security depends on it.
Final Thoughts
Microsoft’s recent emergency patch underscores a critical issue: zero-day vulnerabilities pose significant risk because attackers can exploit them before a fix is available, leaving unpatched systems exposed. Organizations that have not updated their Office installations are leaving themselves vulnerable. To mitigate these risks, it’s essential to activate automatic updates, keep a close eye on threat intelligence, and treat every security bulletin as urgent.
The Virus Removal Brisbane team can help you stay protected by ensuring your systems are up to date and secure. Don’t let vulnerabilities put your data at risk—click on our contact us page to get in touch and safeguard your organization today!
