🟢 CVE-2026-21509

CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office applications that requires local access and user interaction (AV:L/UI:R). Despite being in CISA KEV, it primarily affects client-side Office applications through malicious documents rather than internet-facing servers.

Risk Level: LOW_RISK
CVSS Score: 7.8
Attack Vector: LOCAL
ATT&CK Tactic: Execution
ATT&CK Technique: T1204 (User Execution)
Deployment Risk: VERY_LOW
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2026-01-26

Added to CISA KEV: 2026-01-26 (0 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2026-21509 is a high-severity security feature bypass vulnerability in Microsoft Office that was actively exploited in the wild as a zero-day at the beginning of 2026 [3] [6].

Active Exploitation and Threat Actor Usage
The vulnerability was actively exploited in the wild, most notably by the threat actor APT28 (also known as Fancy Bear) in a campaign identified as "Operation Neusploit" [1]. This campaign primarily targeted entities in Central and Eastern European regions [1]. There is no widespread evidence linking this specific CVE to common ransomware-as-a-service (RaaS) operations; it was primarily utilized in targeted, espionage-focused attacks [1].
Attack Method and Requirements
  • Method: The vulnerability stems from a reliance on untrusted inputs when making security decisions within Microsoft Office, specifically involving OLE (Object Linking and Embedding) objects [2] [3].
  • Execution: Attackers leveraged specially crafted files—often Rich Text Format (RTF) documents—to trigger the bypass [1].
  • Requirements: Exploitation is local in nature, requiring the victim to open a malicious document [2]. As such, it typically relies on social engineering to entice a user to open the file.
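Because the page describes the delivery vehicle only as RTF documents carrying OLE objects, a defender's first triage question is simply "does this RTF embed an OLE object at all?". The following script is an added example, not code from the page, Microsoft, Zscaler or CIRCL: it identifies RTF by its `{\rtf` header rather than by extension, counts `\object` groups, extracts `\objclass` names and decodes `\objdata` hex blocks to see whether they carry an OLE Compound File. The control words come from the RTF specification; the two sample documents are constructed for the example and are not captured exploit files. It flags the whole class of documents the page describes (any embedded OLE object), not the specific exploit structure, which the page does not give.

```python
"""Triage heuristic: flag RTF documents that embed OLE objects.

Added example, not from the page, Microsoft, Zscaler or CIRCL. The control
words are from the RTF specification; both sample documents are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

RTF_MAGIC = b"{\\rtf"                          # every RTF file opens with this group
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE Compound File header signature

# RTF control words that introduce embedded OLE objects:
#   \object   opens an object group
#   \objclass names the object's class (e.g. Package)
#   \objdata  carries the hex-encoded object stream
# The regex scan is deliberately lenient; it only decides whether a file
# deserves analyst attention, it is not a full RTF parser.
OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{};]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


@dataclass
class RtfTriage:
    is_rtf: bool
    object_groups: int = 0
    objdata_blocks: int = 0
    object_classes: List[str] = field(default_factory=list)
    cfb_payloads: int = 0        # objdata blocks whose decoded bytes contain CFB_MAGIC

    @property
    def flagged(self) -> bool:
        """True when the document embeds any OLE object: hand it to an analyst."""
        return self.is_rtf and (self.object_groups > 0 or self.objdata_blocks > 0)


def _decode_objdata(hex_blob: bytes) -> bytes:
    """Strip whitespace from an \\objdata hex run and decode it to raw bytes."""
    clean = re.sub(rb"\s+", b"", hex_blob)
    if len(clean) % 2:            # tolerate a truncated final nibble
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def triage_rtf(data: bytes) -> RtfTriage:
    """Scan raw file bytes; the check keys on the RTF header, not the extension."""
    result = RtfTriage(is_rtf=data.lstrip().startswith(RTF_MAGIC))
    if not result.is_rtf:
        return result
    result.object_groups = len(OBJECT_RE.findall(data))
    result.object_classes = [
        m.decode("ascii", "replace").strip() for m in OBJCLASS_RE.findall(data)
    ]
    for hex_blob in OBJDATA_RE.findall(data):
        result.objdata_blocks += 1
        if CFB_MAGIC in _decode_objdata(hex_blob):
            result.cfb_payloads += 1
    return result


# Constructed sample: plain text document, no embedded objects.
SAMPLE_BENIGN = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0 Hello, world.\par}"

# Constructed sample: one embedded "Package" object whose objdata (an OLE 1.0
# header followed by native data) contains an OLE Compound File signature.
SAMPLE_WITH_OLE = (
    rb"{\rtf1\ansi\deff0 Quarterly report"
    rb"{\object\objemb\objw100\objh100{\*\objclass Package}"
    rb"{\*\objdata 010500000200000008000000"
    rb"5061636b61676500000000000000000010000000"
    rb"d0cf11e0a1b11ae10000000000000000}}\par}"
)


if __name__ == "__main__":
    for name, blob in (("benign", SAMPLE_BENIGN), ("with_ole", SAMPLE_WITH_OLE)):
        r = triage_rtf(blob)
        print(f"{name}: flagged={r.flagged} objects={r.object_groups} "
              f"classes={r.object_classes} cfb_payloads={r.cfb_payloads}")
```

Run it over a mail-gateway quarantine or a sample directory and route every `flagged` result to sandbox detonation; a `Package` class or a CFB payload inside `\objdata` is what an analyst would look at first. Two caveats: Office's RTF parser accepts far more malformed input than these regexes do, so an empty result is not a clean bill of health, and the heuristic complements, rather than replaces, applying the out-of-band Office updates the page refers to.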
Impact
Successful exploitation allows an unauthorized attacker to bypass security features, which can be used as part of a multi-stage infection chain to deliver malicious payloads, such as backdoors, onto the victim's system [1].
Affected Versions and Mitigation
  • Affected Products: The vulnerability affects a wide range of Microsoft Office versions, starting from Office 2016 through more recent releases [4].
  • Status: Microsoft released out-of-band security updates in late January 2026 to address this flaw [6]. Organizations are advised to ensure all Office installations are updated to the latest build versions provided by Microsoft to mitigate the risk [5].

Sources

  1. Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz

    In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver maliciou…

  2. NVD - CVE-2026-21509

    Description: Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

  3. CVE-2026-21509: Microsoft Office Zero-Day Active Exploit

    Microsoft patches CVE-2026-21509, a high-severity Office zero-day actively exploited in the wild. Learn about the OLE bypass, ...

  4. [PSA] CVE-2026-21509 - Microsoft Office Security Feature ... - Reddit

    Looks like Microsoft has released updates for all Office versions starting with 2016 to fix a zero-day vulnerability that is being exploited ...

  5. Microsoft Office vulnerability (CVE-2026-21509)

    Regarding CVE-2026-21509, does anyone know the fixed build version for M365 Enterprise? The official MSRC guide and the Office security update ...

  6. Microsoft Office Zero-Day (CVE-2026-21509) - The Hacker News

    Microsoft released out-of-band patches for an actively exploited Microsoft Office zero-day, CVE-2026-21509, a security feature bypass flaw.