MICROSOFT has rushed out an emergency patch for a zero-day vulnerability in Microsoft Office and Microsoft 365 that attackers are actively exploiting. The bug, CVE-2026-21509, carries a CVSS score of 7.8 and can bypass protections against unsafe COM/OLE behaviour, allowing arbitrary code execution on affected systems.
According to CISA, the agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and set a February 16 deadline for federal executive civilian agencies to apply the patches or discontinue use of the affected products. Exploitation requires either existing access to the system or a user being persuaded to open a malicious Office file; the attack is not triggered merely by viewing the file in the Preview Pane.
Microsoft’s advisory notes that Office 2021 and later versions are mitigated by restarting the Office apps after the server-side fix has been applied, while Office 2016 and 2019 users must install the security update to protect their systems. The article also frames Office’s ubiquity as a draw for attackers, pointing to a pattern of targeted exploitation across related CVEs and social-engineering-based attack chains.