CVE ID: CVE-2026-21509

Published: 2026-01-26
Updated: 3 months ago
Vendor/s: Microsoft
Product/s: Office
Version/s: -
KEV Status: Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1): 7.8 / 10 (High)

Severity Details

Base score: 7.8 High
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Description

CVE-2026-21509 is a high-severity security bypass in Microsoft Office (CVSS 7.8) actively exploited in the wild. Update Office 2016-2024 and 365 Apps now.

CPE

Microsoft
Product                              Version Start   Version End (excl.)   Status
365_apps                             -               -                     vulnerable
office                               2016            2016                  vulnerable
office                               2019            2019                  vulnerable
office_long_term_servicing_channel   2021            2021                  vulnerable
office_long_term_servicing_channel   2024            2024                  vulnerable

Related weakness (CWE)

CWE-807

Remediation plan

1. Apply official patches

Visit the Microsoft Security Update Guide for CVE-2026-21509 to download and install the specific security updates for your version of Office.

2. Update affected systems

Ensure all installations of Microsoft Office 2016, 2019, 2021 LTSC, 2024 LTSC, and Microsoft 365 Apps are updated to the latest build versions provided by the vendor.

3. Restrict access

Implement the principle of least privilege (PoLP) to limit local user permissions and utilize Windows Defender Exploit Guard to reduce the attack surface for Office applications.

4. Monitor for exploitation

Use Endpoint Detection and Response (EDR) tools to monitor for unusual Office process behaviors, such as unexpected child process spawning or unauthorized modifications to security-related registry keys.

Detection Guidance

Detection should focus on identifying anomalous behavior within Microsoft Office processes. Monitor Event ID 4688 (Process Creation) for Office applications such as Word or Excel that launch processes with suspicious command-line arguments or bypass standard security prompts. Additionally, audit logs for changes to Office security settings and look for indicators of CWE-807 exploitation, such as the manipulation of environment variables or configuration files used in security decision-making processes.
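The Event ID 4688 check described above, sketched as an added example (not code from this advisory or from Microsoft): it reads process-creation events in Windows event XML and reports Office parents that start a watched child process. The watched-child list, the helper names and the sample events are assumptions constructed for illustration; ParentProcessName is only recorded on Windows 10 / Server 2016 and later, and CommandLine only when command-line auditing is enabled.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: children an Office app rarely needs to start; tune per environment.
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def make_event(parent, child, cmdline):
    """Build one constructed 4688 record holding only the fields used here."""
    data = {"NewProcessName": child, "ParentProcessName": parent, "CommandLine": cmdline}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4688</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample records, not captured from a real host.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    make_event(r"C:\Windows\explorer.exe", WORD, "WINWORD.EXE /n report.docx"),
    make_event(WORD, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "powershell.exe -NoProfile -File update.ps1"),
    make_event(EXCEL, r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
    make_event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

def office_child_alerts(events_xml):
    """Return (parent, child, command line) for each Office -> watched-child spawn."""
    alerts = []
    for xml_text in events_xml:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
            continue  # only process-creation events are relevant
        data = {d.get("Name"): d.text or ""
                for d in root.iterfind("e:EventData/e:Data", NS)}
        # Compare on lower-cased image file names so path and case do not matter.
        parent = PureWindowsPath(data.get("ParentProcessName", "")).name.lower()
        child = PureWindowsPath(data.get("NewProcessName", "")).name.lower()
        if parent in OFFICE_PARENTS and child in WATCHED_CHILDREN:
            alerts.append((parent, child, data.get("CommandLine", "")))
    return alerts

if __name__ == "__main__":
    for parent, child, cmdline in office_child_alerts(SAMPLE_EVENTS):
        print(f"ALERT {parent} -> {child}: {cmdline}")
```

A match is a triage lead rather than proof of exploitation, since some add-ins and macros legitimately start helper processes.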

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
