PT-2026-4775 · Microsoft · Office
Author: Oruga00
Published 2026-01-26 · Updated 2026-04-16
CVE-2026-21509 · CVSS v3.1 7.8 (High) · AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Microsoft Office versions 2016 through 2019
Microsoft Office LTSC versions 2021 through 2024
Microsoft 365 Apps (affected versions not specified)

Description
A security feature bypass exists in Microsoft Office and Microsoft 365 due to reliance on untrusted inputs when making security decisions. The flaw allows an unauthorized attacker to bypass the Object Linking and Embedding (OLE) mitigations that are designed to protect users from vulnerable Component Object Model (COM) controls. An attacker can exploit it by tricking a user into opening a specially crafted Office document, such as a Rich Text Format (RTF) file. The preview pane is not an attack vector; the file must be fully opened to trigger the issue.

This issue has been actively exploited in the wild, notably by the Russia-linked threat actor APT28 (also known as Fancy Bear or UAC-0001) in a campaign called Operation Neusploit. The attacks have primarily targeted government, military, maritime, and transportation sectors in Ukraine, Slovakia, Romania, Poland, and other parts of Central and Eastern Europe. Technical details indicate the use of the Shell.Explorer.1 COM object to bypass security and initiate multi-stage infection chains. These chains have been used to deploy various malware, including the MiniDoor email stealer, PixyNetLoader, and the Covenant framework (specifically the Grunt implant), often using WebDAV for payload retrieval and COM hijacking for persistence.

Recommendations
Microsoft Office versions 2016 through 2019: apply the official security updates (e.g., KB5002713 for Office 2016) or manually apply the registry-based mitigation by adding a Compatibility Flags DWORD value of 400 to the subkey {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} under the COM Compatibility node.
Microsoft Office LTSC versions 2021 through 2024: install the February 2026 security update or apply the registry-based mitigation for the {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} COM object.
Microsoft 365 Apps: apply the latest security updates and restart all Office applications to ensure the service-side fix is activated.
As a temporary mitigation, restrict the use of the Shell.Explorer.1 OLE component and disable macros by default.
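The following PowerShell script is an added example, not part of this advisory or Microsoft's guidance: it audits whether the registry-based mitigation above is present for the Shell.Explorer.1 CLSID and optionally applies it. It assumes the full key path (HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility, plus the Wow6432Node twin for 32-bit Office on 64-bit Windows), which the advisory does not spell out, and it treats the advisory's value "400" as hexadecimal 0x400 (decimal 1024), the usual form of the Office COM Compatibility Flags kill-bit; confirm both against the vendor bulletin before use.

```powershell
# Audit / apply the Office COM Compatibility mitigation for Shell.Explorer.1.
# ASSUMPTIONS (not stated on the advisory page): the key paths below and the
# interpretation of "400" as 0x400 (decimal 1024). Run from an elevated prompt.
#   .\Check-ShellExplorerMitigation.ps1            # audit only
#   .\Check-ShellExplorerMitigation.ps1 -Apply     # set the flag where missing
#   .\Check-ShellExplorerMitigation.ps1 -Apply -WhatIf   # dry run
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

$Clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # Shell.Explorer.1 (from the advisory)
$Flag  = 0x400                                       # assumed: "do not load this control" bit
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
)

foreach ($p in $Paths) {
    $current = $null
    if (Test-Path -Path $p) {
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    # Mitigated only if the value exists AND the 0x400 bit is set (other bits may coexist).
    $mitigated = ($null -ne $current) -and (($current -band $Flag) -eq $Flag)

    [pscustomobject]@{
        Key          = $p
        CurrentFlags = if ($null -ne $current) { '0x{0:X}' -f $current } else { '<absent>' }
        Mitigated    = $mitigated
    }

    if ($Apply -and -not $mitigated -and
        $PSCmdlet.ShouldProcess($p, "Set 'Compatibility Flags' |= 0x400")) {
        if (-not (Test-Path -Path $p)) { New-Item -Path $p -Force | Out-Null }
        # OR the bit in rather than overwrite, so existing compatibility bits survive.
        $new = [int](([int]$current) -bor $Flag)
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new `
                         -PropertyType DWord -Force | Out-Null
    }
}
```

Re-running without -Apply after the change should report Mitigated = True for every path that exists; on a 32-bit-only host the Wow6432Node path is expected to stay absent.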

Tags: Fix, RCE
Weakness Enumeration: none listed
Related Identifiers: BDU:2026-00828, CVE-2026-21509
Affected Products: Office