Worrying Microsoft Office security flaw patched - update now or risk hackers accessing your files
Microsoft forced to issue an emergency patch
- Microsoft issues emergency patch for Office zero-day CVE-2026-21509
- Vulnerability allows attackers to bypass OLE mitigations and execute malware
- CISA adds flaw to KEV catalog; exploitation details remain undisclosed
Microsoft has issued an emergency patch to fix a high-severity Office vulnerability that is being exploited in the wild as a zero-day.
The bug is described as a security bypass flaw: “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the National Vulnerability Database (NVD) explains.
In other words, Office was making security decisions based on information it shouldn’t fully trust, and that was exploited by cybercriminals to execute malware, steal login credentials, and move laterally through the network.
How to patch and work around the bug
The vulnerability is reportedly being actively exploited in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) has already added it to its Known Exploited Vulnerabilities (KEV) catalog.
However, Microsoft did not say who the threat actors are, or who the victims were. We also don’t know what the scope of the campaign is, or if it already resulted in meaningful data theft, or possibly ransomware attacks.
The bug is tracked as CVE-2026-21509 and was given a severity score of 7.8/10 (high).
"This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls," Microsoft said in a security advisory.
Users running Office 2021 and later don’t have to do anything aside from restarting their Office applications, since the patch will be applied server-side. Those running Office 2016 and 2019 will need to install these updates:
Microsoft Office 2019 (32-bit edition) - 16.0.10417.20095
Microsoft Office 2019 (64-bit edition) - 16.0.10417.20095
Microsoft Office 2016 (32-bit edition) - 16.0.5539.1001
Microsoft Office 2016 (64-bit edition) - 16.0.5539.1001
Those who cannot install the patches should make changes in the Windows Registry as a mitigation. Microsoft has provided a step-by-step guide.
Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.