microsoft addresses critical vulnerability

Microsoft Urgently Fixes Critical Office Flaw Under Active Exploitation

ByRobert Krajnyk

Microsoft patched CVE-2026-21509, a critical zero-day vulnerability in Office that attackers actively exploited through malicious files targeting Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. The January update addresses over 100 vulnerabilities, including eight critical flaws, with some requiring immediate attention from federal agencies by February 3rd. Users must apply security update KB5002826 for Office 2016, whereas newer versions receive service-side fixes after restarting. Disabling Preview Pane offers additional protection, though it doesn’t trigger the exploit itself. The full scope of exploitation methods and mitigation strategies reveals why this patch demands urgent organizational attention.

Microsoft has patched a critical zero-day vulnerability in Office that attackers actively exploited in the wild, as part of a substantial January 2026 Patch Tuesday addressing up to 115 security flaws across its product lineup.

The exploited vulnerability, CVE-2026-21509, represents a security feature bypass affecting Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. Attackers weaponised this flaw by crafting malicious Office files that, once opened by unsuspecting users, circumvented OLE security protections—essentially picking the lock on a door Microsoft believed was secured.

Malicious Office files bypass OLE security protections through CVE-2026-21509, exploiting a critical zero-day flaw across multiple Office versions.

The good news? Preview Pane doesn’t trigger the exploit, so at least one defensive layer held.

This zero-day wasn’t alone. Microsoft also addressed CVE-2026-20805, a Desktop Window Manager information disclosure flaw exploited in the wild, which landed on CISA’s Known Exploited Vulnerabilities catalog with a federal remediation deadline of February 3, 2026. When CISA places something on their watchlist, you know it’s serious business.

Beyond the actively exploited flaws, January’s patch bundle included eight critical vulnerabilities and over 100 important ones spanning Windows, Office, SQL Server, and Azure. The Office family took a particularly hard hit with multiple remote code execution vulnerabilities.

CVE-2026-20952 scored an 8.4 CVSS rating due to a use-after-free flaw that could be triggered via malicious email links or previews. Excel wasn’t spared either—CVE-2026-20953 involves an untrusted pointer dereference and integer underflow requiring malicious file execution, while Word faces an out-of-bounds read issue.

What makes these Office vulnerabilities particularly concerning? They require minimal sophistication to exploit. An unauthenticated attacker sends a weaponised file or email link, a user opens it, and the attacker gains the same privileges as the logged-on user. If that happens to be an administrator account, well, the attacker just hit the jackpot.

Mitigation follows familiar territory but demands immediate action. Organisations running Office 2016 should deploy security update KB5002826, which resolves both RCE and elevation flaws.

Office 2021 and newer versions benefit from service-side fixes activated after restarting applications—a rare win for just turning it off and on again. Office 2019 users should watch for upcoming patches addressing CVE-2026-21509, while those running Office Online Server need to upgrade to build 16.0.10417.20083.

For the security-conscious, Microsoft recommends disabling Preview Pane as an additional precaution against non-interactive exploits. Registry modifications can block COM and OLE components, though backing up your registry before making changes remains essential. Users should add a specific COM Compatibility registry key along with the appropriate DWORD value to manually block vulnerable controls.

The January 2026 Patch Tuesday highlights a persistent reality: attackers continuously hunt for Office vulnerabilities as they work. These applications reside on millions of enterprise desktops, handling sensitive data and enjoying trusted status. Microsoft released the Security Update on January 14, maintaining their regular patch cycle despite the severity of the exploited vulnerabilities.

Your move is straightforward—patch immediately, or become another cautionary statistic.

Final Thoughts

Microsoft’s recent emergency patch for a critical Office flaw underscores the escalating issue of zero-day vulnerabilities and the rapid pace at which attackers exploit them. If your organization hasn’t updated Office yet, now is the crucial moment to act—delaying only increases the risk of compromise. As cyber threats become more sophisticated, relying solely on reactive patching is insufficient. This is where the Computer Hero Team can assist you. We offer layered defenses and proactive monitoring to protect your systems effectively. Remember, while this fix addresses one vulnerability, others may still exist. Don’t wait for a breach to happen—click on our contact us page to get in touch and strengthen your organization’s cybersecurity today!

Robert Krajnyk runs and own's several computer repair websites in the greater Brisbane area - along with offering remote support for customers who have just been scammed by viruses online through his website - Virusremovalaustralia.com.au. Robert was one of the youngest employees for IBM in Australia when he was hired at the age of 17 years old and the skills and knowledge he has learnt in this field has carried over into his own business. In his spare time Robert also had 20 years experience working with kids in care of the department which is something he really enjoys doing. Robert has also been featured on Channel 9 news in QLD for different ways people can speed up their computers.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *