Worrying Microsoft Office security flaw patched - update now or risk hackers accessing your files

• Microsoft issues emergency patch for Office zero-day CVE-2026-21509
• Vulnerability allows attackers to bypass OLE mitigations and execute malware
• CISA adds flaw to KEV catalog; exploitation details remain undisclosed

Microsoft has issued an emergency patch to fix a high-severity Office vulnerability that is being exploited in the wild as a zero-day.

The bug is described as a security bypass flaw: “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the National Vulnerability Database (NVD) explains.

In other words, Office was making security decisions based on information it shouldn’t fully trust, and that was exploited by cybercriminals to execute malware, steal login credentials, and move laterally through the network.