Microsoft Releases Out-of-Band Security Update for Microsoft Office
CVE-2026-21509 is under active exploitation and could be used to bypass OLE mitigations in Microsoft 365 and Microsoft Office
Summary
CVE-2026-21509 is under active exploitation and could be used to bypass OLE mitigations in Microsoft 365 and Microsoft Office
Affected platforms
The following platforms are known to be affected:
Threat details
Exploitation of CVE-2026-21509
CVE-2026-21509 has been added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog (KEV).
The National CSOC assesses further exploitation as highly likely.
Introduction
Microsoft has released an out-of-band security update to address an "important" severity vulnerability in Microsoft Office and Microsoft 365 Apps for Enterprise.
- CVE-2026-21509 is a "Reliance on Untrusted Inputs in a Security Decision" vulnerability with a CVSSv3 score of 7.8. Successful exploitation could allow an unauthorised attacker to bypass a security feature locally by convincing a user to open a malicious Office file.
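The alert above describes exploitation through a malicious Office file that bypasses OLE mitigations. The following Python helper is an added example for defenders, not part of this alert and not Microsoft's code: it inventories OLE embeddings and OLE/package relationships inside an OOXML document (docx/xlsx/pptx family) so that files carrying embedded or externally linked OLE objects can be flagged for review while patching is in progress. It does not detect CVE-2026-21509 itself; it only surfaces the document feature the alert says is involved. The relationship type URIs and the Compound File Binary header bytes are the standard OOXML/CFB values; the sample package it builds (`build_sample_docx`) is constructed for testing and is not a real Word output.

```python
"""Triage helper: list OLE embeddings and OLE/package relationships in an OOXML document.

Added example, not from the advisory. Usage on a real file:
    scan_ooxml(open("suspect.docx", "rb").read())
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Compound File Binary (CFB) header: OLE objects embedded in OOXML packages use this container.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Namespace of the OPC relationships XML found in every *.rels part.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types for embedded/linked OLE objects and embedded packages (e.g. Packager objects).
OLE_REL_SUFFIXES = ("/oleObject", "/package")


def scan_ooxml(data: bytes) -> dict:
    """Return a findings dict for one OOXML package given as raw bytes."""
    findings = {"embeddings": [], "ole_relationships": [], "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Embedded object payloads live under <part>/embeddings/ inside the package.
            if "/embeddings/" in name:
                blob = zf.read(name)
                findings["embeddings"].append({
                    "part": name,
                    "size": len(blob),
                    "is_cfb": blob.startswith(CFB_MAGIC),
                })
            # Relationship parts tell us how those payloads (or external targets) are referenced.
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    rtype = rel.get("Type", "")
                    if rtype.endswith(OLE_REL_SUFFIXES):
                        entry = {
                            "rels_part": name,
                            "id": rel.get("Id"),
                            "target": rel.get("Target"),
                            "type": rtype.rsplit("/", 1)[-1],
                        }
                        findings["ole_relationships"].append(entry)
                        # Linked (external) OLE targets deserve extra scrutiny: the content
                        # is fetched from outside the document at activation time.
                        if rel.get("TargetMode") == "External":
                            findings["external_links"].append(entry)
    findings["has_ole"] = bool(findings["embeddings"] or findings["ole_relationships"])
    return findings


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal OOXML package for offline testing (hypothetical content)."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
    ]
    if with_ole:
        rels.append('<Relationship Id="rId5" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                    'Target="embeddings/oleObject1.bin"/>')
        rels.append('<Relationship Id="rId6" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                    'Target="file:///C:/temp/linked.xlsx" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        if with_ole:
            # A stub CFB container: correct header, zero-filled body (constructed, not a real object).
            zf.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("with_ole", build_sample_docx(True))):
        print(label, scan_ooxml(doc))
```

A document with `has_ole` set is not necessarily malicious; the point of the scan is to prioritise review of inbound Office files that exercise OLE at all, and in particular those with external link targets, until the update has been rolled out.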
Remediation advice
Affected organisations are encouraged to review Microsoft's Security Update and apply the relevant updates as soon as possible.
Last edited: 27 January 2026 11:50 am