New Microsoft Office zero-day under active attack, patch now


Microsoft’s Security Response Center pushed an urgent Patch Tuesday fix after a new zero-day targeting earlier versions of Microsoft Office 365 surfaced in active attacks and companies are being told to patch immediately.


What’s more, the tech company says sophisticated threat actors are already actively exploiting the newly discovered security flaw, identified as CVE-2026-21509.


The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to the agency’s Known Exploited Vulnerabilities (KEV) Catalog on Monday.

Active exploitation triggers emergency patch

With a CVSS score of 7.8 out of 10, CISA warns that users are at high risk if they don’t patch their systems immediately – it has even mandated that federal agencies install the fixes by a February 16th deadline.

Image: Microsoft Office apps on a smartphone. Image by Tada Images | Shutterstock

The bug, officially labeled Microsoft Office Security Feature Bypass Vulnerability, can allow an unauthorized attacker to bypass built-in security protections locally, leading to the exposure or modification of sensitive data, a system crash, or the execution of arbitrary code, the company said.

How Microsoft says to fix the Office zero-day

Microsoft clearly states that “an attacker would have to first send a malicious Office file and then convince the recipient to open it,” most likely through social engineering.

The vulnerability cannot be exploited simply by previewing the malicious file in the Windows File Preview Pane, the company reiterated.


Microsoft Office versions affected by the security bypass vulnerability include:

  • Office 2016
  • Office 2019
  • Office 2021 or later

Microsoft says those running Office 2021 or later will be “automatically protected via a service-side update, but will be required to restart their Office applications for this to take effect.”

Those running 2016 and 2019 will have to manually install the security update themselves by applying the provided registry keys.

The update addresses a vulnerability that bypasses OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls, it said.

Image: A zero-day vulnerability was discovered by the Microsoft Security Response Center on January 26th, 2025. Source: microsoft.com

Microsoft also recommends IT teams planning to use the registry editor create a verified backup first, warning that “serious problems” could occur if the registry is modified incorrectly.
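The steps above for Office 2016 and 2019 (apply the advisory’s registry keys, but back up the registry first) can be scripted so the backup is never skipped. The following PowerShell is an added example, not Microsoft’s script and not taken from the advisory; the article does not reproduce the actual key name or value, so `$MitigationKey`, `$MitigationName` and `$MitigationValue` are placeholders to be replaced with the values from Microsoft’s guidance. The `ClickToRun\Configuration` key it reads to report the installed Office build is a real key present on Click-to-Run installs.

```powershell
# Added example (not from the article or from Microsoft): apply a registry-based
# Office mitigation the way Microsoft recommends -- export a backup of the key
# first, then change it, then verify the change.
# The real key/value for CVE-2026-21509 is not given in the article; the three
# values below are PLACEHOLDERS. Replace them with the ones in Microsoft's advisory.

$MitigationKey   = 'HKCU:\Software\Microsoft\Office\16.0\PLACEHOLDER_KEY'  # placeholder
$MitigationName  = 'PLACEHOLDER_VALUE_NAME'                                # placeholder
$MitigationValue = 1                                                       # placeholder
$BackupDir       = Join-Path $env:USERPROFILE 'OfficeMitigationBackup'

# 1. Report the installed Office build (Click-to-Run installs record it here).
$c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
                        -ErrorAction SilentlyContinue
if ($c2r) {
    Write-Host "Office build: $($c2r.VersionToReport)  products: $($c2r.ProductReleaseIds)"
} else {
    Write-Host "No Click-to-Run configuration found; check an MSI-based Office install manually."
}

# 2. Back up the key before touching it. reg.exe export writes a .reg file that
#    can be restored later with: reg.exe import <file>
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("backup-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$regPath    = $MitigationKey -replace '^HKCU:\\', 'HKCU\'   # reg.exe syntax, no drive colon
if (Test-Path $MitigationKey) {
    reg.exe export $regPath $backupFile /y | Out-Null
    Write-Host "Backed up $regPath to $backupFile"
} else {
    Write-Host "$regPath does not exist yet; nothing to back up (it will be created)."
}

# 3. Apply the mitigation value and read it back to confirm it took.
if (-not (Test-Path $MitigationKey)) { New-Item -Path $MitigationKey -Force | Out-Null }
New-ItemProperty -Path $MitigationKey -Name $MitigationName -Value $MitigationValue `
                 -PropertyType DWord -Force | Out-Null
$applied = (Get-ItemProperty -Path $MitigationKey).$MitigationName
if ($applied -eq $MitigationValue) {
    Write-Host "Mitigation value set. Restart all Office applications for it to take effect."
} else {
    Write-Warning "Read-back mismatch (got '$applied'); restore with: reg.exe import $backupFile"
}
```

Run it in the user’s own session, since the placeholder key lives under HKCU; if the advisory’s key is under HKLM instead, adjust the `-replace` prefix and run from an elevated prompt. The timestamped `.reg` backup is the rollback path Microsoft’s “serious problems” warning is about.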

Microsoft had announced last year that, starting October 16th, 2025, Office 2016 and 2019 would be considered end-of-life legacy systems and no longer receive support.

Nation-state actors likely behind complex exploit

The tech giant revealed it has detected at least one confirmed instance of the CVE-2026-21509 vulnerability being exploited, according to its own Exploitability Index.


Microsoft did not provide more information about the instance but noted in its disclosure that no ransomware activity was observed.


Meanwhile, researchers at Cytex posted on X Tuesday that the exploit shows hallmarks of "high-value targeting."

Cytex rattled off several "key characteristics" pointing to “state-sponsored or financially motivated espionage,” including the reliance on social engineering to deploy the exploit.

“The complexity suggests attackers are pursuing valuable data from specific organizations or individuals,” the security firm said, adding that the attackers are most likely using a multi-stage attack chain.

Microsoft is no stranger to sophisticated adversaries and their zero-days.

In November 2025, the Chinese-affiliated threat actor UNC6384 was discovered exploiting a previously unpatched zero-day in the wild to target European diplomats through highly targeted spearphishing campaigns that delivered malicious .LNK files.

And last April, Microsoft discovered a previously unpatched zero-day in its Windows Common Log File System (CLFS) that let attackers who had already compromised a system, often via legitimate third-party websites, escalate their privileges on it.

That exploit was said to have been deployed by PipeMagic malware linked to the Russian threat group Storm-2460, also known as RansomEXX.
