PT-2026-4775 · Microsoft · Office

Oruga00

+1

·

Published

2026-01-26

·

Updated

2026-04-27

·

CVE-2026-21509

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Microsoft Office 2016 and 2019
Microsoft Office LTSC 2021 and 2024
Microsoft 365 Apps for Enterprise (affected versions not specified)
Description

A security feature bypass exists in Microsoft Office and Microsoft 365 Apps because a security decision is made on the basis of untrusted input. The flaw lets an unauthenticated attacker bypass the Object Linking and Embedding (OLE) mitigations and the security controls that Office applies to Component Object Model (COM) objects. Exploitation requires convincing a user to open a specially crafted document, such as an RTF or Word file; once the document is opened, the bypass can be chained to execute arbitrary code and gain unauthorized access to the system with the privileges of the user. The Preview Pane is not an attack vector; the file must be fully opened.
This issue has been actively exploited in the wild, notably by the Russia-linked threat actor APT28 (Fancy Bear) in a campaign called Operation Neusploit. The attacks have targeted government, military, maritime, and transportation organizations in Ukraine, Slovakia, Romania, Poland, and other parts of Central and Eastern Europe. In the observed chains, the malicious document instantiates the Shell.Explorer.1 COM object (the Microsoft web browser control, CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) to trigger an outbound WebDAV connection to attacker infrastructure, which then delivers multi-stage payloads such as the MiniDoor email stealer, PixyNetLoader, and the Covenant framework. Some chains also use COM hijacking and a scheduled task named OneDriveHealth for persistence.
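The attack chain above gives defenders one observable that is cheap to hunt for: an Office process opening an outbound HTTP(S) connection to a non-private address shortly after a document is opened. The following PowerShell is an added example, not code from the advisory or from any of the vendors named on this page. The event records are constructed to mimic the shape of Sysmon Event ID 3 (network connection) data, the process list and ports are assumptions about what a typical chain looks like rather than indicators published with the advisory, and the allowlisted address is a placeholder for a known-good service endpoint.

```powershell
# Added example (not from the PT advisory): flag outbound HTTP/HTTPS connections initiated by
# Office processes, the behaviour a Shell.Explorer.1 -> WebDAV fetch produces. Heuristic only:
# Office legitimately talks to Microsoft 365 and licensing endpoints, so an allowlist is required.

$OfficeImages = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')   # assumption: common Office hosts
$WebDavPorts  = @(80, 443)                                                     # WebDAV rides on plain HTTP/HTTPS

# Constructed sample records shaped like Sysmon Event ID 3 fields (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; DestinationIp = '203.0.113.45';  DestinationPort = 80 },
    [pscustomobject]@{ Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; DestinationIp = '10.0.5.20';     DestinationPort = 443 },
    [pscustomobject]@{ Image = 'C:\Windows\System32\svchost.exe';                              DestinationIp = '203.0.113.45';  DestinationPort = 80 },
    [pscustomobject]@{ Image = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'; DestinationIp = '198.51.100.10'; DestinationPort = 443 }
)

function Test-PrivateIp {
    param([string]$Ip)
    # RFC 1918 ranges; anything else is treated as external for this heuristic.
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Find-OfficeWebDavBeacon {
    param(
        [object[]]$Events,
        [string[]]$AllowedHosts = @()   # known-good service IPs; populate from your own baseline
    )
    foreach ($e in $Events) {
        $img = [System.IO.Path]::GetFileName($e.Image).ToUpperInvariant()
        if ($OfficeImages -notcontains $img)               { continue }   # not an Office host process
        if ($WebDavPorts  -notcontains [int]$e.DestinationPort) { continue }   # not HTTP/HTTPS
        if (Test-PrivateIp -Ip $e.DestinationIp)          { continue }   # internal destination
        if ($AllowedHosts -contains $e.DestinationIp)     { continue }   # baselined endpoint
        [pscustomobject]@{
            Process     = $img
            Destination = "$($e.DestinationIp):$($e.DestinationPort)"
            Reason      = 'Office process initiated outbound HTTP(S); possible WebDAV fetch via Shell.Explorer.1'
        }
    }
}

# With the constructed data this yields exactly one hit: WINWORD.EXE -> 203.0.113.45:80.
# svchost.exe is skipped even though it reaches the same host; see the note below.
Find-OfficeWebDavBeacon -Events $SampleEvents -AllowedHosts @('198.51.100.10') | Format-Table -AutoSize
```

In production, feed the function from `Get-WinEvent` on the Microsoft-Windows-Sysmon/Operational log (Event ID 3, filtered to the Office images) rather than the constructed array. Note that when a document references a WebDAV UNC path, Windows may make the actual connection through the WebClient service hosted in svchost.exe rather than from the Office process, so a companion rule on WebClient activity correlated with recent Office document opens is needed to cover that variant; the example deliberately does not flag svchost.exe on its own because that would be far too noisy.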
Recommendations

Microsoft Office 2016 and 2019: install the official security updates (e.g., KB5002713 for Office 2016), or apply the registry-based mitigation: under the COM Compatibility registry node, create the subkey {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (the CLSID of Shell.Explorer.1) and set a DWORD value named Compatibility Flags to 0x400 (hexadecimal 400). This prevents Office from activating that control.
Microsoft Office LTSC 2021 and 2024: apply the February 2026 security update, or use the same registry-based mitigation for {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} as a temporary measure until the update is installed.
Microsoft 365 Apps for Enterprise: the fix is delivered service-side by Microsoft; restart the Office applications so that it takes effect.
General mitigations: restrict the use of the Shell.Explorer.1 OLE component, and maintain strict email filtering to block suspicious attachments (RTF and Word files in particular). Before rolling out the registry mitigation broadly, check whether any business documents legitimately embed the web browser control, since those will stop rendering it, and remove the mitigation only after the security update is confirmed installed.
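The registry mitigation above is easy to get subtly wrong (wrong value name, decimal instead of hexadecimal, key created but flag not set), so it is worth scripting the set, verify and roll-back steps together. The following PowerShell is an added example, not a script published with the advisory or by Microsoft. It assumes the COM Compatibility node lives at HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility, which is where Microsoft's published mitigation places it; confirm the path against the vendor advisory for your Office build before deploying, and run it from an elevated session.

```powershell
# Added example (not from the PT advisory): apply, verify and roll back the CVE-2026-21509
# registry mitigation for Office 2016/2019 and Office LTSC 2021/2024.
# Assumption: key path as in Microsoft's published mitigation; verify against the vendor advisory.

$Clsid   = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # Shell.Explorer.1 (web browser control), from the advisory
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid"
$Name    = 'Compatibility Flags'
$Flag    = 0x400                                        # hexadecimal 400 (decimal 1024), NOT decimal 400

function Enable-OfficeComMitigation {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value; DWord is what Office expects for this flag.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Flag -Force | Out-Null
}

function Test-OfficeComMitigation {
    # Returns $true only when the key exists AND the 0x400 bit is set in Compatibility Flags.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $value = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($null -ne $value) -and (([int]$value -band $Flag) -eq $Flag)
}

function Disable-OfficeComMitigation {
    # Roll back once the security update is confirmed installed.
    if (Test-Path -Path $KeyPath) {
        Remove-Item -Path $KeyPath -Recurse -Force
    }
}

Enable-OfficeComMitigation
if (Test-OfficeComMitigation) {
    Write-Output "Mitigation applied: Office will not activate $Clsid"
} else {
    throw "Mitigation NOT applied; inspect $KeyPath manually"
}
```

`Test-OfficeComMitigation` checks the bit rather than equality so that it still reports success if another compatibility flag is already OR-ed into the same value. Run the test function on its own in your compliance tooling to confirm the mitigation is in place on hosts that have not yet received the update, and pair it with a check that the update (KB5002713 on Office 2016, the February 2026 update on LTSC) is installed before calling `Disable-OfficeComMitigation`.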

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-00828
CVE-2026-21509

Affected Products

Office