Office zero-day exploited in the wild forces Microsoft OOB patch


Another actively abused Office bug, another emergency patch – Office 2016 and 2019 users are left with registry tweaks instead of fixes.

Microsoft has issued an emergency Office patch after confirming a zero-day flaw is already being used in real-world attacks.

The flaw, tracked as CVE-2026-21509 and slapped with a CVSS score of 7.8, falls into Microsoft's "security feature bypass" bucket. In practice, this means attackers can dodge protections that are supposed to stop unsafe legacy components from running. Those components include COM and OLE – old Windows plumbing that's been at the heart of document-based attacks for years and clearly hasn't earned its retirement yet.

According to Microsoft, exploitation doesn't hinge on the Office preview pane – often a red flag in past campaigns – but still requires little effort once a victim is persuaded to open a booby-trapped file. In its advisory, the company describes the ...


Copyright of this story solely belongs to theregister.co.uk.