Microsoft deployed an emergency patch for CVE-2026-21509, a high-severity Office zero-day with a CVSS score of 7.8 that hackers are actively exploiting through phishing campaigns. The vulnerability bypasses OLE security protections, allowing attackers to execute malicious code when users open weaponized Office files. Office 2021 and Microsoft 365 receive automatic service-side fixes, whereas 2016 and 2019 users must manually apply registry modifications until official updates arrive. Security teams face mounting pressure as January's Patch Tuesday addressed 114 vulnerabilities total, including three zero-days. The full scope of this security crisis reveals why immediate action isn't optional.
Microsoft has issued emergency security updates to patch CVE-2026-21509, a zero-day vulnerability in Office that attackers are actively exploiting in the wild. The flaw, carrying a CVSS score of 7.8, bypasses OLE security protections and exposes users to vulnerable COM and OLE controls—essentially giving attackers a skeleton key to Office's front door.
The vulnerability affects a wide swath of Microsoft's productivity suite, including Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. What makes this particularly nasty is its reliance on untrusted inputs, allowing unauthorised attackers to bypass security features locally once a user opens a malicious Office file. Yes, that means someone still has to click—this isn't a completely hands-off attack.
At least there's a silver lining: the Office Preview Pane isn't an attack vector here, unlike some other Office vulnerabilities lurking in the wild.
Microsoft has kept technical exploitation details close to the vest, likely to slow copycat attacks. What we do know is that phishing campaigns are already weaponising malicious Office documents to execute code on victim machines. The company deployed out-of-band security updates to address the threat, moving faster than the typical Patch Tuesday cadence as real-world attacks are happening right now.
The fix rollout varies by version. Office 2021 and later receive automatic protection via a service-side fix after restarting the application—convenient for those on newer builds. Office 2016 and 2019 users, on the other hand, must wait for an upcoming security update or apply a manual registry modification as an interim workaround.
That registry fix involves adding a COM Compatibility key with specific Compatibility Flags DWORD values, and Microsoft strongly recommends backing up your registry before making changes. Restart Office afterwards, naturally. Microsoft advised users to back up the registry before implementing manual changes to prevent potential system issues.
This zero-day arrives amid an exceptionally heavy January 2026 Patch Tuesday that addressed 114 vulnerabilities total, effectively doubling the previous month's patch count. Amongst those are three zero-days—one actively exploited, two publicly disclosed before patches dropped—plus eight Critical vulnerabilities spanning remote code execution and elevation-of-privilege flaws. The broader update cycle also tackled 22 Remote Code Execution vulnerabilities across Microsoft's product portfolio.
Office itself faces additional critical threats this cycle, including Word CVE-2026-20944 and Excel CVE-2026-20955.
Elevation-of-privilege vulnerabilities dominated with 57 patches, many targeting kernel drivers. LSASS-related flaws like CVE-2026-20854 facilitate credential theft and lateral movement, making them prime targets for sophisticated attackers. Other Office bugs, such as CVE-2026-20952, introduce Preview Pane vectors that raise no-interaction risks elsewhere in the ecosystem.
Security teams should install out-of-band updates immediately and prioritise patching Critical RCE flaws across Windows LSASS, Word, and Excel. For those managing Office 2016 or 2019 deployments lacking the full patch, deploy that manual registry mitigation now. With vulnerability volume doubled and active exploitation confirmed, waiting isn't an option.
Final Thoughts
Microsoft has urgently patched a critical zero-day vulnerability in Office that was actively exploited by hackers, highlighting the ongoing security challenges facing businesses using Office applications. This incident demonstrates the constant threat landscape where attackers specifically target widely-used Office software, particularly as remote and hybrid work environments increase document sharing across networks.
Home Computer Technician can help your business stay protected against these critical security threats by providing immediate patch management services, security updates installation, and comprehensive system monitoring. Our technicians ensure your Office applications and entire system remain current with the latest security patches, preventing exploitation of dangerous vulnerabilities like this zero-day attack.
Don't leave your business exposed to cyber threats. Contact us today through our contact page to schedule professional security updates and protect your systems from active exploits targeting Office applications.