High-risk Office security flaw: Microsoft issues emergency updates


Updated on February 3rd, 2026: New details have come to light regarding how attackers exploit this vulnerability. We’ve added a section explaining it down below.


Microsoft recently published a security advisory warning of a newly discovered zero-day vulnerability in Office applications. The vulnerability, designated CVE-2026-21509, is classified as “high” risk.

According to the advisory, this vulnerability can be exploited to bypass security features in various versions of Office, including Microsoft Office 2016, 2019, 2021 LTSC, and 2024 LTSC. Users are urged to install the emergency updates provided by Microsoft as soon as possible.

Microsoft explains that attackers can abuse this vulnerability to take control of COM/OLE controls, which are used for interaction between different Windows applications.

How does the attack work?

According to new information, attackers have already been able to exploit this vulnerability to carry out targeted attacks on Ukrainian authorities and EU institutions.

One report (machine translated) states that a file named “Consultation_Topics_Ukraine(Final).doc” containing an exploit for this vulnerability was discovered as early as January 29th, 2026, and was created the day after Microsoft disclosed the vulnerability.

Opening the document establishes a network connection to an external resource using the WebDAV protocol. This is followed by the downloading of a file named “Shortcut,” which contains program code. The attackers could use this executable file to terminate and start processes on the target system. Ultimately, if successful, they would have been able to remotely control the system.

In addition to this file, three more documents with a similar exploit, distributed via email, were discovered in January 2026.
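The WebDAV connection described above is something defenders can look for in web proxy logs. The following is an added example, not taken from Microsoft's advisory or the cited report: it flags workstations that speak WebDAV to hosts outside the organisation and lists what they fetched. The log format, the host names and the internal suffix `corp.example` are assumptions; the user agent is the one sent by the Windows WebClient service.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (assumed format: time src method url status "user-agent").
SAMPLE_LOG = """\
2026-01-30T09:14:02Z 10.0.4.17 OPTIONS http://files.example.net/share/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:14:02Z 10.0.4.17 PROPFIND http://files.example.net/share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:14:03Z 10.0.4.17 GET http://files.example.net/share/Shortcut 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:15:10Z 10.0.4.22 PROPFIND http://sharepoint.corp.example/docs/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:16:41Z 10.0.4.30 GET https://www.example.org/index.html 200 "Mozilla/5.0"
2026-01-30T09:17:05Z 10.0.4.31 PROPFIND http://192.168.10.5/dav/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}
WEBDAV_AGENT = "microsoft-webdav-miniredir"  # user agent of the Windows WebClient service


def is_internal(host, internal_suffixes):
    """Private IP literals and names under an internal suffix count as internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal, so compare the DNS name
        return any(host == s or host.endswith("." + s) for s in internal_suffixes)


def find_external_webdav(log_text, internal_suffixes=("corp.example",)):
    """Return {(source_ip, host): {"methods": set, "fetched": [paths]}} for external WebDAV."""
    hits = defaultdict(lambda: {"methods": set(), "fetched": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _, src, method, url, _, agent = m.groups()
        method = method.upper()
        host = (urlsplit(url).hostname or "").lower()
        is_dav = method in WEBDAV_METHODS or WEBDAV_AGENT in agent.lower()
        if not host or not is_dav or is_internal(host, internal_suffixes):
            continue
        entry = hits[(src, host)]
        entry["methods"].add(method)
        if method == "GET":  # a file actually pulled over the WebDAV session
            entry["fetched"].append(urlsplit(url).path)
    return dict(hits)


if __name__ == "__main__":
    for (src, host), info in find_external_webdav(SAMPLE_LOG).items():
        print(src, host, sorted(info["methods"]), info["fetched"])
```

Workstations rarely need WebDAV to internet hosts, so a hit that coincides with an Office document being opened is worth triaging.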

Where to get the emergency updates

If you’re using a current version of Office (2021 LTSC or newer), you’ll receive the relevant security updates automatically. To be on the safe side, you may want to restart the installed applications. The build number of the updated Office version is 16.0.10417.20095.

Older versions of Office must be updated manually. You can obtain the necessary updates from the Microsoft Update Catalog. Here are the links for the Office 2016 update and Office 2019 update.

If you’re unable to update your Office for whatever reason, Microsoft offers an alternative (but more advanced) solution that involves editing the Windows Registry. You can find it in the “Mitigations” section of the security advisory for this vulnerability.
