PT-2026-4775 · Microsoft · Office

Oruga00 · Published 2026-01-26 · Updated 2026-03-13 · CVE-2026-21509

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise.
Description: CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office. An unauthorized attacker who gets a user to open a specially crafted document (user interaction is required, matching UI:R in the CVSS vector) can bypass Office's Object Linking and Embedding (OLE) mitigations locally; since those mitigations are what keep an embedded object from being activated, a successful bypass can lead to arbitrary code execution in the user's context, which is why the entry is tagged RCE. All currently supported Office versions listed above are affected. The vulnerability is actively exploited by the Russia-linked APT28 group (Fancy Bear / UAC-0001), which began weaponizing it within days of the patch release. The attackers deliver specially crafted documents, including RTF files carrying OLE objects, to drop malware such as MiniDoor, PixyNetLoader and Covenant; observed targets are organizations in Ukraine, Slovakia, Romania and other European countries. The campaign geo-fences payload delivery and uses cloud storage services for command and control, and the post-exploitation chain typically establishes persistence through COM hijacking and scheduled tasks.
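The delivery vector described above is an RTF file carrying an embedded OLE object. The following triage script is an added example, not code from the advisory or from Microsoft: it locates `\object` groups in an RTF file, decodes the hex-encoded `\objdata` payload, parses the OLE 1.0 object header (version, format ID, class name, native data size) and flags embedded objects and the `\objupdate` control word, which forces the object to be updated, and therefore activated, when the document is opened. The sample RTF is constructed here for the demonstration; the embedded "Package" object carries a dummy 16-byte payload, not real malware.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RTF control words relevant to embedded OLE objects.
OBJ_SPLIT = re.compile(r"\\object\b")
OBJDATA = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)\}")
OBJCLASS = re.compile(r"\\objclass\s+([^\\{}\s]+)")
OBJUPDATE = re.compile(r"\\objupdate\b")

FORMAT_LINKED, FORMAT_EMBEDDED = 1, 2


@dataclass
class OleObject:
    ole_version: int        # OLE 1.0 header version, normally 0x00000501
    format_id: int          # 1 = linked, 2 = embedded (carries native data)
    class_name: str         # ProgID/class from the OLE1 header, e.g. "Package"
    native_size: int        # bytes of native data following the header
    rtf_class: Optional[str]  # class advertised by \objclass, if any
    auto_update: bool       # \objupdate present: activates on open


def _lp_ansi(s: str) -> bytes:
    """Encode an OLE1 LengthPrefixedAnsiString (length includes the NUL)."""
    if not s:
        return struct.pack("<I", 0)
    raw = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(raw)) + raw


def _read_lp(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode an OLE1 LengthPrefixedAnsiString at buf[off:]; returns (str, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1(buf: bytes) -> Tuple[int, int, str, int]:
    """Parse the OLE 1.0 ObjectHeader: version, format, class, topic, item, [native size]."""
    if len(buf) < 8:
        raise ValueError("too short for OLE1 header")
    version, fmt = struct.unpack_from("<II", buf, 0)
    class_name, off = _read_lp(buf, 8)
    _topic, off = _read_lp(buf, off)
    _item, off = _read_lp(buf, off)
    native_size = 0
    if fmt == FORMAT_EMBEDDED:
        if off + 4 > len(buf):
            raise ValueError("missing native data size")
        (native_size,) = struct.unpack_from("<I", buf, off)
    return version, fmt, class_name, native_size


def scan_rtf(text: str) -> List[OleObject]:
    """Return one OleObject per \\object group that carries \\objdata."""
    found: List[OleObject] = []
    for seg in OBJ_SPLIT.split(text)[1:]:
        m = OBJDATA.search(seg)
        if not m:
            continue
        cls_m = OBJCLASS.search(seg)
        rtf_class = cls_m.group(1) if cls_m else None
        auto = bool(OBJUPDATE.search(seg))
        try:
            blob = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
            version, fmt, cls, size = parse_ole1(blob)
        except ValueError:
            # Malformed objdata is itself worth a look; record it rather than drop it.
            found.append(OleObject(0, 0, "<unparseable>", -1, rtf_class, auto))
            continue
        found.append(OleObject(version, fmt, cls, size, rtf_class, auto))
    return found


def triage(text: str) -> List[str]:
    """Human-readable findings for an RTF document."""
    findings = []
    for o in scan_rtf(text):
        if o.format_id == FORMAT_EMBEDDED and o.native_size > 0:
            findings.append(f"embedded OLE object class={o.class_name!r} native_bytes={o.native_size}")
        if o.auto_update:
            findings.append("\\objupdate present: object is activated when the document opens")
        if o.native_size == -1:
            findings.append("malformed \\objdata payload (possible parser evasion)")
    return findings


def build_objdata(class_name: str, native: bytes, fmt: int = FORMAT_EMBEDDED) -> str:
    """Build hex-encoded OLE1 object data; used only to construct the sample below."""
    hdr = struct.pack("<II", 0x00000501, fmt) + _lp_ansi(class_name) + _lp_ansi("") + _lp_ansi("")
    return (hdr + struct.pack("<I", len(native)) + native).hex()


# Constructed sample document: one embedded Packager object with a dummy payload.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Quarterly report attached."
    r"{\object\objemb\objupdate{\*\objclass Package}"
    r"{\*\objdata " + build_objdata("Package", b"MZ" + b"\x00" * 14) + r"}}"
    r"}"
)

if __name__ == "__main__":
    for line in triage(SAMPLE_RTF):
        print(line)
```

The script only parses and reports; it never activates the object. Run it over quarantined attachments to decide which files need a sandbox detonation, and treat `\objupdate`, an embedded `Package` object, or a header that fails to parse as reasons to escalate rather than as proof of exploitation.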
Recommendations: Apply the latest Microsoft security updates for all affected versions of Microsoft Office and restart running Office applications afterwards, since the patched binaries are not loaded until existing instances exit. For Office 2016 and Office 2019, apply the available patches; where patching is not immediately possible, implement the registry-based mitigation recommended by Microsoft as an interim control, not as a substitute for the update. Enable Protected View for documents from the internet, e-mail attachments and unsafe locations, so that embedded OLE content is not activated without an explicit user decision. Apply default-deny (zero-trust) filtering to inbound e-mail, quarantining RTF and other Office attachments that carry embedded OLE objects unless the sender and file type are explicitly allowed. Monitor endpoints for the published indicators of compromise (IOCs) and for the post-exploitation techniques observed in this campaign, namely new or modified COM class registrations that indicate COM hijacking and newly created scheduled tasks.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-00828
CVE-2026-21509

Affected Products

Office