
Microsoft Patches Office Zero-Day Likely Exploited in Targeted Attacks


Microsoft has released patches for CVE-2026-21509, a newly disclosed Office zero-day vulnerability that can be exploited to bypass security features.

The tech giant’s advisory for CVE-2026-21509 mentions that it’s aware of active exploitation.

The vulnerability and the in-the-wild attacks were discovered by Microsoft’s own security researchers, but the company has yet to share any information on the malicious activity.

According to Microsoft’s description of the zero-day, “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.”

The company also clarified that the vulnerability “bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls”.

Exploitation requires the attacker to convince the targeted user to open a malicious Office file.

The requirement for social engineering, combined with the exploit’s complexity and the potential need for a multi-stage attack chain ...


Copyright of this story solely belongs to SecurityWeek.