Microsoft · Office · CVE-2026-21509
**Name of the Vulnerable Software and Affected Versions**
Microsoft Office versions 2016 through 2019
Microsoft Office LTSC versions 2021 through 2024
Microsoft 365 Apps (affected versions not specified)
**Description**
This issue is caused by the reliance on untrusted inputs when making security decisions, which allows an unauthorized attacker to bypass security features locally. Specifically, the flaw enables the bypass of Object Linking and Embedding (OLE) security mechanisms. An attacker can exploit this by convincing a user to open a specially crafted document (such as RTF or DOC files), leading to the automatic execution of arbitrary code without further user interaction. This process often involves triggering a WebDAV connection to retrieve malicious payloads.
Real-world exploitation has been observed in sophisticated espionage campaigns by the threat group APT28 (Fancy Bear). These attacks have targeted military, government, diplomatic, and transportation entities across Ukraine, Slovakia, Romania, Poland, and other European nations. The exploitation chain has been used to deploy various payloads, including the "NotDoor" Outlook VBA backdoor, the "BeardShell" C++ implant, and the "Covenant Grunt" loader. The attackers have also utilized legitimate cloud services for command-and-control (C2) infrastructure to evade detection.
**Recommendations**
For Microsoft Office 2016, install security update KB5002713.
For Microsoft Office 2019, update to Build 10417.20095.
For Microsoft Office LTSC 2021 and 2024, install the February 2026 security update.
As a temporary mitigation for all affected versions, create a new registry subkey `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}` under the `COM Compatibility` node (located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility` or its corresponding 32-bit/ClickToRun paths) and add a `REG_DWORD` value named `Compatibility Flags` set to `400` to block the vulnerable OLE component `Shell.Explorer.1`.
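
The following PowerShell script is an added example, not Microsoft's own tooling. It audits the registry mitigation described above and writes it only when run with `-Apply`. It assumes the advisory's `400` is hexadecimal (`0x400`); the `-CompatRoots` and `-Apply` parameters are names chosen for this example, and only the path given above is included by default, so the 32-bit/ClickToRun equivalents must be supplied by the operator.

```powershell
# Run from an elevated session: writes under HKLM require administrator rights.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Path given in the advisory. Add the 32-bit / ClickToRun equivalents for
    # your installation here; the advisory text does not spell them out.
    [string[]]$CompatRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
    ),
    # Without -Apply the script only reports the current state.
    [switch]$Apply
)

$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'  # Shell.Explorer.1, per the advisory
$ValueName = 'Compatibility Flags'
$Flag      = 0x400  # Assumption: the advisory's "400" read as hexadecimal

function Get-CompatFlags([string]$Key) {
    # Returns $null when the subkey or the value does not exist.
    (Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

foreach ($root in $CompatRoots) {
    $key     = Join-Path -Path $root -ChildPath $Clsid
    $current = Get-CompatFlags $key
    $blocked = ($null -ne $current) -and (($current -band $Flag) -eq $Flag)

    if (-not $blocked -and $Apply -and
        $PSCmdlet.ShouldProcess($key, "Set '$ValueName' to 0x400")) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null  # also creates missing parent keys
        }
        New-ItemProperty -LiteralPath $key -Name $ValueName `
            -PropertyType DWord -Value $Flag -Force | Out-Null
        # Re-read so the report reflects what is actually in the registry.
        $current = Get-CompatFlags $key
        $blocked = ($null -ne $current) -and (($current -band $Flag) -eq $Flag)
    }

    [pscustomobject]@{
        Key     = $key
        Value   = if ($null -ne $current) { '0x{0:X}' -f $current } else { '<not set>' }
        Blocked = $blocked
    }
}
```

Running it without `-Apply` across a fleet gives a per-path `Blocked` column that can be collected to find hosts still missing the mitigation; `-WhatIf` shows what `-Apply` would change.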