Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day Vulnerability (CVE-2026-21509)


Key Takeaways

  • Microsoft has issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability (CVE-2026-21509) with a CVSS score of 7.8 out of 10.0.
  • The vulnerability allows an unauthorized attacker to bypass a security feature locally in Microsoft Office by sending a specially crafted Office file and convincing recipients to open it.
  • Customers running Office 2021 and later will be automatically protected via a service-side change, while those running Office 2016 and 2019 need to install specific updates.
  • Mitigation steps include making a Windows Registry change to prevent exploitation of the vulnerability.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.

Introduction to the Vulnerability
Microsoft has released out-of-band security patches for a high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509. The flaw carries a CVSS score of 7.8 out of 10.0. Microsoft describes it as a security feature bypass: an unauthorized attacker can bypass a security feature in Office locally. The underlying weakness is reliance on untrusted inputs in a security decision, and it is exploited by sending a specially crafted Office file and convincing the recipient to open it.

Exploitation and Attack Vector
Exploitation requires an attacker to send a specially crafted Office file and convince the recipient to open it. Microsoft notes that the Preview Pane is not an attack vector, which narrows the exposure to files that are actually opened. The vulnerability is exploited locally, and successful exploitation allows the attacker to bypass a security feature in Microsoft Office. Microsoft has not shared the nature or scope of the attacks exploiting CVE-2026-21509, but it credits the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and the Office Product Group Security Team with discovering the issue.

Patch and Mitigation
To address the vulnerability, Microsoft has released patches for Office 2016 and Office 2019 that customers must install themselves. The patches are specific to the edition and architecture of the installed product; the required updates are:

  • Microsoft Office 2019 (32-bit edition) – 16.0.10417.20095
  • Microsoft Office 2019 (64-bit edition) – 16.0.10417.20095
  • Microsoft Office 2016 (32-bit edition) – 16.0.5539.1001
  • Microsoft Office 2016 (64-bit edition) – 16.0.5539.1001

Customers running Office 2021 and later receive the protection automatically through a service-side change, but they must restart their Office applications for the change to take effect. Microsoft has also published a mitigation, a Windows Registry change, for customers who cannot patch immediately.

Mitigation Steps
The mitigation is a Windows Registry change, applied by following the steps Microsoft outlines:

  • Back up the Registry.
  • Exit all Microsoft Office applications.
  • Start the Registry Editor.
  • Locate the proper registry subkey and add a new subkey beneath it.
  • In the new subkey, add a REG_DWORD value named "Compatibility Flags" with the hexadecimal value 400 (0x400).
  • Exit the Registry Editor and start the Office application.

Microsoft recommends this mitigation for customers who are unable to apply the patch immediately.
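The following PowerShell is an added example, not code from the article or from Microsoft, that checks the two remediations the article describes: whether an installed Office 2016/2019 build is at or above the fixed build numbers listed above, and whether the "Compatibility Flags" = 0x400 mitigation value is present. The article does not name the registry subkey the value belongs in, so the subkey path is a parameter here and the usage line uses a placeholder.

```powershell
# Added example (not from the article or Microsoft). The registry subkey under which
# "Compatibility Flags" goes is not given in the article, so it is passed in by the caller.

# Minimum fixed builds from the article for the products that need a manual update.
$PatchedBuilds = @{
    'Office 2019' = [version]'16.0.10417.20095'
    'Office 2016' = [version]'16.0.5539.1001'
}

function Test-OfficeBuildPatched {
    # Returns $true when $InstalledVersion is at or above the fixed build for $Product.
    param(
        [Parameter(Mandatory)][ValidateSet('Office 2016', 'Office 2019')][string]$Product,
        [Parameter(Mandatory)][string]$InstalledVersion
    )
    # [version] compares all four numeric parts, so '16.0.10417.20100' -ge '16.0.10417.20095'.
    return ([version]$InstalledVersion -ge $PatchedBuilds[$Product])
}

function Test-CompatibilityFlagsMitigation {
    # Returns $true only when the subkey exists and holds a REG_DWORD "Compatibility Flags" of 0x400.
    param([Parameter(Mandatory)][string]$SubKeyPath)
    if (-not (Test-Path -Path $SubKeyPath)) { return $false }
    $item = Get-ItemProperty -Path $SubKeyPath -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.'Compatibility Flags' -eq 0x400)
}

function Set-CompatibilityFlagsMitigation {
    # Exports the hive path to a .reg backup first (the article's first step), then creates
    # the subkey and value. Close all Office applications before calling this.
    param(
        [Parameter(Mandatory)][string]$SubKeyPath,
        [Parameter(Mandatory)][string]$BackupFile
    )
    # reg.exe wants 'HKCU\...' rather than the PowerShell drive form 'HKCU:\...'.
    $nativePath = $SubKeyPath -replace '^(HK[A-Z]+):\\', '$1\'
    $parent = Split-Path -Path $nativePath -Parent
    & reg.exe export $parent $BackupFile /y | Out-Null
    New-Item -Path $SubKeyPath -Force | Out-Null
    New-ItemProperty -Path $SubKeyPath -Name 'Compatibility Flags' `
        -PropertyType DWord -Value 0x400 -Force | Out-Null
    return (Test-CompatibilityFlagsMitigation -SubKeyPath $SubKeyPath)
}

# Usage with a placeholder subkey; substitute the subkey named in Microsoft's guidance.
# Test-OfficeBuildPatched -Product 'Office 2019' -InstalledVersion '16.0.10417.20095'
# Test-CompatibilityFlagsMitigation -SubKeyPath 'HKCU:\Software\Microsoft\Office\<PLACEHOLDER-SUBKEY>'
```

Run the Set- function from an elevated session only if the target subkey lives under HKLM; a subkey under HKCU can be written by the current user.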

CISA Response
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026. Inclusion in the KEV catalog signals that the vulnerability is being exploited in the wild and that prompt remediation is expected; it also reinforces the general need to keep software up to date and apply patches in a timely manner.

Conclusion
In conclusion, the high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509, poses a significant risk to customers. It is exploited by sending a specially crafted Office file and convincing the recipient to open it, allowing an attacker to bypass a security feature locally. Microsoft has released patches, and customers are advised to apply them immediately; a registry-based mitigation is available for those who cannot patch right away. CISA's response underlines the importance of addressing known exploited vulnerabilities promptly, and customers should prioritize applying the patches to prevent exploitation.
