Microsoft has published out-of-band security updates this week to correct a high-severity vulnerability in Microsoft Office that is already being exploited in attacks. The flaw, tracked as CVE-2026-21509, affects several editions of Office, including Microsoft 365 Apps for Enterprise and the latest LTSC versions, and requires administrators and users alike to act quickly. For the official description of the vulnerability, see the Microsoft guide: MSRC - CVE-2026-21509; an independent summary of the vulnerability record is available in the NVD: NVD - CVE-2026-21509.
The company describes the flaw as a security feature bypass in Office that allows a local, unauthenticated attacker to evade the protections designed to mitigate the risks associated with vulnerable COM / OLE controls. In practice, the observed exploitation vector requires the attacker to convince the victim to open a malicious Office file; Microsoft notes that the Preview Pane is not an attack vector, but low-complexity attacks that require user interaction have been seen.

Microsoft has already released emergency patches for several editions managed through its cloud service and for recent LTSC versions, but has acknowledged that no updates are yet available for Office 2016 and Office 2019 and says it is working to publish them as soon as possible. In the meantime, the company has proposed a mitigation based on the Windows Registry that can reduce the likelihood of exploitation in those environments, although the official instructions are confusing for many administrators.
If you work with Office 2016 or 2019 and cannot apply a patch immediately, Microsoft recommends closing all Office applications and backing up the Registry before making any modification (editing the Registry incorrectly can leave the system unstable); Microsoft explains how to do this in its guide: How to back up and restore the Windows Registry. The proposed mitigation is to create or verify the existence of a specific branch under the Office Common key, add a subkey named {EAB22AC3-30C1-11CF-A7EB-00C05BAE0B} within COM Compatibility and, in that subkey, create a DWORD (32-bit) value named Compatibility Flags with data 400. After saving the changes, the protection takes effect once any Office application is relaunched.
In plain terms: close all Office applications, back up the Registry, open the Registry Editor (regedit), navigate to the path corresponding to your installation (the path varies depending on whether Office is 32- or 64-bit and whether it is a Click-to-Run install), create the COM Compatibility key under Common if it does not exist, add the key with the identifier above and, within it, create the DWORD Compatibility Flags with the value 400. If you are not comfortable making changes to the Registry, it is better to wait for the official patch or to seek technical assistance.
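The steps above, carried out as a single PowerShell script so that the backup, the key creation and a verification run together. This is an added example, not Microsoft's script or anything published with the advisory, and it rests on several assumptions: that the Office Common key for your installation is HKCU:\Software\Microsoft\Office\16.0\Common (the article stresses that the path varies with 32/64-bit and Click-to-Run installs, so check yours first); that the CLSID is exactly the one printed in the article; and that the data value "400" is the hexadecimal value regedit expects (0x400, decimal 1024). Verify all three against the MSRC guidance before running it.

```powershell
# Added example: apply the Registry mitigation described in the article to an
# Office 2016/2019 installation that cannot yet be patched. Not Microsoft's code.
# ASSUMPTIONS (verify against MSRC before use):
#   - The Office Common key is HKCU:\Software\Microsoft\Office\16.0\Common
#     (the article notes the path varies with 32/64-bit and Click-to-Run installs).
#   - The CLSID below is copied verbatim from the article.
#   - "400" is the hexadecimal value 0x400 (decimal 1024), the form regedit uses
#     when the Hexadecimal base is selected.

$OfficeCommon = 'HKCU:\Software\Microsoft\Office\16.0\Common'   # assumption
$Clsid        = '{EAB22AC3-30C1-11CF-A7EB-00C05BAE0B}'          # as printed in the article
$ValueName    = 'Compatibility Flags'
$ValueData    = 0x400                                            # assumption: hex 400
$BackupFile   = Join-Path $env:TEMP ('OfficeCommon-backup-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Test-OfficeRunning {
    # Step 1 from the article: Office must be closed before the Registry is edited.
    $names = 'WINWORD', 'EXCEL', 'POWERPNT', 'OUTLOOK', 'MSACCESS', 'VISIO', 'ONENOTE'
    return [bool](Get-Process -Name $names -ErrorAction SilentlyContinue)
}

function Backup-OfficeCommonKey {
    # Step 2: export the branch before touching it. reg.exe wants HKCU\..., not HKCU:\...
    $regPath = $OfficeCommon -replace '^HKCU:\\', 'HKCU\'
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (reg.exe exit code $LASTEXITCODE)" }
    return $BackupFile
}

function Set-ComCompatibilityFlag {
    # Steps 3-5: create Common\COM Compatibility\{CLSID} and the DWORD value inside it.
    $compatKey = Join-Path $OfficeCommon 'COM Compatibility'
    $clsidKey  = Join-Path $compatKey $Clsid
    foreach ($k in $compatKey, $clsidKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # -Force overwrites an existing value so the script is safe to re-run.
    New-ItemProperty -Path $clsidKey -Name $ValueName -PropertyType DWord -Value $ValueData -Force | Out-Null
    return $clsidKey
}

function Test-Mitigation {
    # Verification that can also be run on its own: is the flag present with the expected data?
    $clsidKey = Join-Path (Join-Path $OfficeCommon 'COM Compatibility') $Clsid
    if (-not (Test-Path $clsidKey)) { return $false }
    $current = (Get-ItemProperty -Path $clsidKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return ($current -eq $ValueData)
}

if (Test-OfficeRunning) {
    Write-Warning 'Close all Office applications before applying the mitigation.'
    return
}
$backup = Backup-OfficeCommonKey
Write-Host "Registry backup written to $backup"
$key = Set-ComCompatibilityFlag
if (Test-Mitigation) {
    Write-Host ('Mitigation applied: {0}\{1} = 0x{2:X}' -f $key, $ValueName, $ValueData)
    Write-Host 'Relaunch Office for the change to take effect.'
} else {
    Write-Warning 'Value not found after the write; check permissions and the assumed key path.'
}
```

Run it from a normal (non-elevated) PowerShell session as the user whose Office profile you want to protect, since the assumed path lives under HKEY_CURRENT_USER; on a machine with several users, or where your installation keeps the Common key elsewhere, adjust $OfficeCommon accordingly. To roll back, close Office and run reg.exe import on the .reg file the script wrote to %TEMP%, then delete the {CLSID} subkey if it did not exist before. Test-Mitigation is also the check to fold into whatever inventory tooling you use, so you can see which endpoints still lack the flag once the official Office 2016/2019 patch arrives and the workaround can be retired.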

Microsoft has not published technical details about who discovered the vulnerability or the precise way in which it is being exploited in the wild, and has limited the information released to avoid a multiplication of opportunistic attacks. That makes it all the more important to install the updates as soon as they are available and to take additional preventive measures: avoid opening documents from unknown senders, disable macros when they are not needed, and enforce security controls on the mail and messaging channels that reach end users.
The recent context is relevant: in the January 2026 Patch Tuesday Microsoft remedied more than 100 flaws, including several zero-days that were being actively exploited. In addition, in recent weeks the company has had to publish other out-of-band patches to correct problems introduced by those updates, which underlines the dynamic and critical nature of the current security landscape. To follow the security notes and updates, see the Microsoft update center: Microsoft Security Update Guide.
In short: if your organization uses Microsoft 365 Apps for Enterprise or the LTSC versions that have already received the patch, apply the update as soon as possible. If you depend on Office 2016 or 2019, back up and, if you decide to apply the mitigation through the Registry, follow the steps carefully or delegate the task to IT staff. Whatever your situation, treat unexpected files with caution and expect further instructions and patches from Microsoft.