Microsoft released an emergency out-of-band security patch on 27 January 2026 for a zero-day vulnerability in Microsoft Office that is being actively exploited by attackers. The flaw, tracked as CVE-2026-21509, bypasses security protections designed to block dangerous legacy components from running inside Office documents. Every version of Microsoft Office is affected, from Office 2016 through to Microsoft 365 Apps for Enterprise.
The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on the same day, ordering federal agencies to patch by 16 February 2026. As BleepingComputer reported, the flaw carries a CVSS score of 7.8 (High) and requires only that an attacker convince a user to open a malicious Office file, something that has never been difficult to achieve via email.
For UK businesses relying on Microsoft Office daily (and that includes the vast majority of small and medium-sized enterprises) this is a patch-now situation.
How the Attack Works
CVE-2026-21509 exploits a weakness in how Microsoft Office handles OLE (Object Linking and Embedding) mitigations. These are security controls designed to prevent legacy COM and OLE components (old Windows technology that has been at the heart of document-based attacks for years) from executing inside Office documents.
The vulnerability stems from what Microsoft describes as "reliance on untrusted inputs in a security decision." In practice, an attacker embeds a specially crafted OLE object inside an Office document: a Word file, an Excel spreadsheet, or an Outlook email attachment. When the user opens the file, the embedded object loads Shell.Explorer.1, the COM ProgID of the Internet Explorer WebBrowser control, which amounts to an Internet Explorer instance running inside the document. That embedded browser can load local files, execute scripts, and connect to remote servers.
Critically, no macro warning appears. No "enable content" button is shown. The embedded object simply executes, and the attacker gains access.
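Because the attack rides on an embedded OLE object rather than a macro, the usual "look for VBA" triage misses it. The script below is an added example (not code from the article or from Microsoft): it opens an Office Open XML file as the zip container it is, reads only the XML parts, and reports every embedded object's declared ProgID, flagging the one the article names. The watch list, the temp-file path, and the minimal .docx skeleton it builds as a sample are constructed for the example; it never activates any embedded object, so it is safe to run on quarantined mail attachments.

```powershell
# Added example (not from the article): triage an Office Open XML file for
# embedded OLE objects and report their declared ProgIDs. Only the XML parts
# are read; no embedded object is ever activated.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# ProgIDs worth flagging. Shell.Explorer.1 is the one named in the article;
# extend the list from your own vendor guidance (constructed watch list).
$WatchedProgIds = @('Shell.Explorer.1')

function Get-OleObjectProgIds {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $findings = @()
        foreach ($entry in $zip.Entries) {
            # Embedded objects are declared in XML parts (word/document.xml,
            # xl/worksheets/sheetN.xml, ...) through a ProgID/progId attribute.
            if ($entry.FullName -notmatch '\.xml$') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($m in [regex]::Matches($xml, 'progid="([^"]+)"', 'IgnoreCase')) {
                $progId = $m.Groups[1].Value
                $findings += [pscustomobject]@{
                    Part    = $entry.FullName
                    ProgId  = $progId
                    Watched = ($WatchedProgIds -contains $progId)
                }
            }
        }
        # Binary payloads of embedded objects live under */embeddings/.
        $binaries = @($zip.Entries | Where-Object { $_.FullName -match '/embeddings/' })
        return [pscustomobject]@{
            File       = $Path
            Embeddings = $binaries.Count
            OleObjects = $findings
            Suspicious = [bool]($findings | Where-Object { $_.Watched })
        }
    } finally { $zip.Dispose() }
}

# --- Constructed sample: a minimal .docx skeleton holding one embedded-object
#     declaration in the shape Word writes for any OLE embedding, using the
#     ProgID from the article. It is not malware and Word would not open it.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'triage-sample.docx'
if (Test-Path $sample) { Remove-Item $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
try {
    $writer = New-Object System.IO.StreamWriter($archive.CreateEntry('word/document.xml').Open())
    $writer.Write('<w:document><w:body><w:p><w:r><w:object>' +
                  '<o:OLEObject Type="Embed" ProgID="Shell.Explorer.1" r:id="rId5"/>' +
                  '</w:object></w:r></w:p></w:body></w:document>')
    $writer.Dispose()
    $archive.CreateEntry('word/embeddings/oleObject1.bin').Open().Dispose()
} finally { $archive.Dispose() }

$result = Get-OleObjectProgIds -Path $sample
$result.OleObjects | Format-Table Part, ProgId, Watched -AutoSize
if ($result.Suspicious) {
    Write-Warning "$($result.File): embedded object with a watched ProgID; keep it quarantined and review before anyone opens it."
}
```

The check covers the zipped Open XML formats (.docx, .xlsx, .pptx and their macro-enabled variants). Legacy binary formats (.doc, .xls) and RTF declare objects differently and need a separate parser, so treat a clean result here as "no OOXML embedding found", not as a clean bill of health.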
Who Is Affected
The vulnerability affects every currently supported (and recently unsupported) version of Microsoft Office:
- Microsoft 365 Apps for Enterprise, the subscription version used by most businesses
- Microsoft Office LTSC 2024, the latest perpetual licence version
- Microsoft Office LTSC 2021
- Microsoft Office 2019, which reached end of primary support on 14 October 2025
- Microsoft Office 2016, which reached end of extended support on 14 October 2025
Microsoft estimates the affected user base at over 400 million. For UK SMEs specifically, the risk is compounded by two factors. First, many smaller businesses still run Office 2016 or 2019 because the perpetual licence model avoided ongoing subscription costs. Second, those end-of-life versions receive slower patch delivery, and in this case, patches for Office 2016 and 2019 were not immediately available when the advisory was published.
What Microsoft Has Done
Microsoft's response has been split by Office version:
| Office Version | Patch Status | Action Required |
|---|---|---|
| Microsoft 365 / Office 2021+ | Service-side fix deployed | Restart all Office applications |
| Office 2019 | Update available (Build 10417.20095) | Install update manually |
| Office 2016 | Update available (KB5002713) | Install update manually |
"Customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect," Microsoft stated in its security advisory.
Microsoft Defender has detections in place to block exploitation attempts, and the default Protected View setting provides an additional layer of defence by sandboxing files downloaded from the internet. However, Protected View applies only to files that Windows has flagged as originating from an external source. Files shared internally or via trusted network drives carry no such flag and open without this protection.
Why UK Small Businesses Are Most at Risk
Enterprise organisations with dedicated IT departments and endpoint detection tools will likely deploy this patch within days. Small businesses face a different reality.
The typical UK SME (a plumber, accountant, estate agent, or trades business) runs Microsoft Office on a handful of machines with no centralised patch management. Many are still on Office 2016 or 2019 because upgrading to Microsoft 365 means a recurring cost they have chosen to defer. Those older versions are now end-of-life, meaning Microsoft provides patches at its discretion rather than on a guaranteed schedule.
The attack vector makes this particularly dangerous for small businesses. The exploit arrives as an email attachment: a fake invoice, a quote request, a document from a "supplier." Opening it is enough. No macro needs to be enabled. No additional clicks are required. For a sole trader or small team without security awareness training, this is exactly the kind of threat that succeeds.
This pattern echoes what we reported when covering the Modular DS WordPress vulnerability just two days ago. Critical security flaws disproportionately affect smaller businesses that lack dedicated security resources. The same businesses that might delay patching their WordPress plugins are likely to delay patching their Office installations.
What Your Business Should Do Right Now
Regardless of your Office version, take these steps today:
- Restart all Office applications immediately. If you are on Microsoft 365 or Office 2021+, the fix has already been deployed server-side. But it only takes effect when you restart Word, Excel, Outlook, and PowerPoint. Close them all, wait 30 seconds, then reopen. Do this on every machine in your business.
- Check for updates on Office 2016/2019. Open any Office application, go to File > Account > Update Options > Update Now. Install any pending updates. If you are on Office 2016, look for KB5002713 specifically.
- Do not open unexpected Office attachments. Until you have confirmed the patch is installed, treat any unsolicited Office document with extreme caution. If someone sends an invoice or document you were not expecting, verify with the sender via a separate communication channel before opening.
- Check your Windows Defender status. Ensure real-time protection is enabled (Settings > Privacy & Security > Windows Security > Virus & threat protection). Microsoft Defender has detections in place for this specific exploit.
- Plan your Office migration. If you are still on Office 2016 or 2019, this incident underscores that end-of-life software is a real business risk. Microsoft 365 Business Basic starts at £4.60/user/month and receives automatic security updates.
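For a business with a handful of machines and no patch-management tooling, the steps above can be checked per machine with one script. The following is an added example (not code from the article or from Microsoft): it reads the Click-to-Run configuration key that Office writes under HKLM, compares an Office 2019 build against the build quoted in the table above, reports which Office processes are still running (and so have not picked up a service-side fix), and points MSI installs at the KB check. It assumes reported builds have the form 16.0.build.revision and that Office 2019 product IDs contain "2019"; both are assumptions of the example.

```powershell
# Added example (not from the article): per-machine patch/restart status for
# CVE-2026-21509. Run in PowerShell on the machine being checked.
function Get-OfficePatchStatus {
    # Build quoted in the article for Office 2019. Assumption: Click-to-Run
    # reports versions as 16.0.<build>.<revision>.
    $minimum2019 = [version]'16.0.10417.20095'
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $c2r = Get-ItemProperty -Path $c2rKey -ErrorAction SilentlyContinue
    # Office processes that must be restarted for a service-side fix to apply.
    $running = @(Get-Process -Name WINWORD,EXCEL,OUTLOOK,POWERPNT -ErrorAction SilentlyContinue)

    if (-not $c2r -or -not $c2r.VersionToReport) {
        return [pscustomobject]@{
            Install  = 'MSI (or Office not installed)'
            Products = $null
            Version  = $null
            Verdict  = 'MSI install: confirm KB5002713 (Office 2016) is listed under Installed Updates'
            OfficeProcessesRunning = $running.Count
            RunningProcesses = ($running.Name | Sort-Object -Unique) -join ', '
        }
    }

    $version  = [version]$c2r.VersionToReport
    $products = $c2r.ProductReleaseIds   # e.g. ProPlus2019Volume (assumption: 2019 IDs contain "2019")
    $verdict = if ($products -like '*2019*') {
        if ($version -ge $minimum2019) { "Office 2019 build $version is at or above $minimum2019" }
        else { "Office 2019 build $version is below $minimum2019: File > Account > Update Options > Update Now" }
    } else {
        'Microsoft 365 / Office 2021+: service-side fix; restart all Office apps'
    }
    if ($running.Count -gt 0) { $verdict += " (still running: restart required)" }

    [pscustomobject]@{
        Install  = "Click-to-Run ($($c2r.Platform))"
        Products = $products
        Version  = $version
        Verdict  = $verdict
        OfficeProcessesRunning = $running.Count
        RunningProcesses = ($running.Name | Sort-Object -Unique) -join ', '
    }
}

Get-OfficePatchStatus | Format-List
```

On a 365 or Office 2021+ machine the useful output is the process list: a non-zero count means the fix is not yet in effect there, whatever the build says. Copy the output from each machine into a simple spreadsheet and you have the patch record an insurer or auditor will ask for.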
Registry Mitigation (Advanced)
If you cannot install the patch immediately, Microsoft provides a registry-based workaround that blocks the vulnerable COM controls. It works by creating, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\, a subkey named after the affected control's COM class ID (CLSID), and inside it a DWORD value named Compatibility Flags set to 0x00000400. The exact registry path varies depending on whether you have 32-bit or 64-bit Office and whether it is a Click-to-Run or MSI installation. Consult Microsoft's advisory for the correct path and CLSID for your configuration.
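The workaround is easy to get wrong by hand (wrong hive, wrong value type, a typo in the CLSID). The script below is an added example (not Microsoft's code or the article's) that applies and verifies the flag described above. The CLSID is a placeholder to be replaced with the value from Microsoft's advisory; the script refuses to run with the placeholder in place. It assumes 64-bit Office reads the native HKLM path and 32-bit Office on 64-bit Windows reads the WOW6432Node path, and it writes to both so the flag lands wherever Office 16.x looks. It does not handle the separate virtualised hive a Click-to-Run install may use, so check the advisory's path for that case. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or from Microsoft): apply and verify the
# Office COM Compatibility flag for one CLSID. Requires an elevated session.

# Placeholder: replace with the CLSID given in Microsoft's advisory.
$Clsid = '{CLSID-FROM-MICROSOFT-ADVISORY}'

function Get-ComCompatibilityRoots {
    # Assumption: native path for 64-bit Office, WOW6432Node for 32-bit Office
    # on 64-bit Windows. Both are returned so the flag is written to each.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        $roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
    }
    $roots
}

function Assert-Clsid {
    param([string]$Clsid)
    # Refuse to write anything unless the value looks like a real CLSID.
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "'$Clsid' is not a CLSID. Take the exact value from Microsoft's advisory for CVE-2026-21509."
    }
}

function Set-OfficeComCompatibilityFlag {
    param([Parameter(Mandatory)][string]$Clsid, [switch]$DryRun)
    Assert-Clsid $Clsid
    foreach ($root in Get-ComCompatibilityRoots) {
        $key = Join-Path $root $Clsid
        if ($DryRun) { Write-Host "Would set '$key' -> Compatibility Flags = 0x00000400"; continue }
        New-Item -Path $key -Force | Out-Null
        # 0x400 is the value the article (and Microsoft's workaround) specifies.
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
    }
}

function Test-OfficeComCompatibilityFlag {
    param([Parameter(Mandatory)][string]$Clsid)
    Assert-Clsid $Clsid
    foreach ($root in Get-ComCompatibilityRoots) {
        $key   = Join-Path $root $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key     = $key
            Flags   = if ($null -eq $flags) { 'not set' } else { '0x{0:X8}' -f $flags }
            Blocked = (($flags -band 0x400) -eq 0x400)
        }
    }
}

# Usage: dry run first, then apply and verify.
Set-OfficeComCompatibilityFlag -Clsid $Clsid -DryRun
Set-OfficeComCompatibilityFlag -Clsid $Clsid
Test-OfficeComCompatibilityFlag -Clsid $Clsid | Format-Table -AutoSize
```

Keep a note of which machines received the workaround: once the real update is installed the flag is no longer needed, and leaving unexplained kill-bits behind makes the next Office upgrade harder to troubleshoot.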
A Persistent Pattern of Office Zero-Days
CVE-2026-21509 is not an isolated incident. Microsoft products were targeted by 41 zero-day vulnerabilities in 2025, with 24 of those exploited in the wild before patches were available. The Windows operating system and Office components remain the primary attack surface, and this trend has continued into 2026. On the same day as this advisory, we also reported on the WP Go Maps plugin vulnerability affecting 300,000 WordPress sites, a reminder that security threats extend well beyond Microsoft products.
"Microsoft Defender has detections in place to block exploitation, and our default Protected View setting provides an extra layer of protection by blocking malicious files from the Internet."
- Microsoft Security Advisory, CVE-2026-21509, January 2026
The statement is accurate but incomplete. Protected View only applies to files that Windows has flagged with the Mark of the Web, specifically files downloaded from browsers or received as email attachments from external sources. Documents shared via internal file servers, USB drives, or some cloud sync tools may not carry this flag, and will open without the Protected View sandbox. The threat is compounding: Google's GTIG has since revealed that AI-powered malware now makes live API calls to generate unique payloads, making signature-based detection even less reliable.
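The practical question for a small business is therefore not "is Protected View on?" but "which of the documents our staff open actually carry the Mark of the Web?" The script below is an added example (not code from the article or from Microsoft) that answers it for a folder: it reads the NTFS Zone.Identifier alternate data stream on each Office document and reports the zone it records, or that the file has no mark at all. It assumes default Office policy, under which zones 3 (Internet) and 4 (Restricted sites) open in Protected View; the two sample files it creates in a temp folder are constructed for the example.

```powershell
# Added example (not from the article): report whether Office documents in a
# folder carry Mark of the Web, the NTFS Zone.Identifier stream that Protected
# View keys off. Files without it open with no sandbox. Windows/NTFS only.
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Folder)
    $officeExt = '*.doc','*.docx','*.docm','*.dotm','*.xls','*.xlsx','*.xlsm','*.ppt','*.pptx','*.rtf'
    Get-ChildItem -Path $Folder -Include $officeExt -File -Recurse | ForEach-Object {
        $zone = $null
        try {
            # Get-Content -Stream reads the alternate data stream; it throws if absent.
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            $m = [regex]::Match(($ads -join "`n"), '(?m)^ZoneId=(\d+)')
            if ($m.Success) { $zone = [int]$m.Groups[1].Value }
        } catch { $zone = $null }
        [pscustomobject]@{
            File = $_.FullName
            # 0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted; $null = no MOTW
            ZoneId = $zone
            # Assumption: default Office policy sandboxes zones 3 and 4 only.
            ProtectedView = ($null -ne $zone -and $zone -ge 3)
        }
    }
}

# --- Constructed sample: two empty .docx files, one tagged as if it arrived
#     from the Internet (ZoneId=3), one as if copied from an internal share.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'motw-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$downloaded = Join-Path $dir 'invoice-from-email.docx'
$internal   = Join-Path $dir 'invoice-from-share.docx'
Set-Content -LiteralPath $downloaded -Value ''
Set-Content -LiteralPath $internal   -Value ''
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-MotwStatus -Folder $dir | Format-Table File, ZoneId, ProtectedView -AutoSize
```

Run it against the folders where invoices and supplier documents land (a shared drive's inbox, a synced cloud folder) and you will see at once how many files would open outside Protected View. Where that number is high, the fix is policy rather than scripting: Office's Trust Center can be configured to open files from those locations in Protected View regardless of the mark, and the patch itself remains the only complete answer.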
For businesses managing their digital security holistically (including website security, regular maintenance, email hygiene, and endpoint protection), incidents like this reinforce that security is not a one-time setup. It requires ongoing attention to patching, user education, and defence-in-depth strategies. 365i Hosting's AI WordPress security guide covers how to build that kind of proactive defence.
"You can only do so much algorithmic research and find so many architectural ingenuities."
- Kevin Platt, Security Analyst, commenting on persistent Office attack surface, January 2026
As we have noted when covering critical WordPress vulnerabilities, the businesses most at risk are those that treat security as an occasional concern rather than an ongoing practice. Whether the vulnerability is in your Office installation or your website's CMS, the principle is the same: patch promptly, stay informed, and have a professional review your security posture regularly.
What to Watch Next
- Public proof-of-concept. No PoC exploit has been published yet, which suggests limited, targeted exploitation. If a PoC becomes public, expect mass exploitation within days. The window to patch is now.
- NCSC guidance. The UK's National Cyber Security Centre has not yet published a specific advisory for CVE-2026-21509. UK businesses should monitor NCSC threat reports for any UK-specific guidance.
- Office 2016/2019 patch timeline. If you are on these versions and updates are not yet appearing, check again within 48 hours. Microsoft is rolling out patches in stages.
- CISA deadline. US federal agencies must patch by 16 February 2026. While this does not directly apply to UK businesses, it signals the severity. Government agencies rarely get two-week deadlines for anything less than critical.
Frequently Asked Questions
What is CVE-2026-21509?
CVE-2026-21509 is a high-severity security feature bypass vulnerability in Microsoft Office, disclosed on 27 January 2026. It allows attackers to bypass OLE mitigations that protect users from dangerous legacy COM and OLE controls embedded in Office documents. It carries a CVSS score of 7.8 and is being actively exploited in the wild.
Which versions of Microsoft Office are affected?
All current and recently supported versions are affected: Microsoft 365 Apps for Enterprise, Office LTSC 2024, Office LTSC 2021, Office 2019, and Office 2016. This potentially impacts over 400 million users worldwide.
How is the vulnerability being exploited?
Attackers send a malicious Office file, typically via email as a fake invoice or document. When the user opens the file, an embedded OLE object executes without triggering any macro warnings or "enable content" prompts. The object can load local files, run scripts, and connect to remote servers.
How do I know if my Office is patched?
For Microsoft 365 and Office 2021+, the fix was deployed automatically but requires an application restart. Close and reopen all Office apps. For Office 2016, check for KB5002713 via File > Account > Update Options > Update Now. For Office 2019, check you are on Build 10417.20095 or later.
Can I be attacked just by previewing a file?
No. Microsoft has confirmed that the Preview Pane is not an attack vector. The user must actively open the malicious Office file for the exploit to work. However, simply opening the file is sufficient. No additional clicks or permissions are needed.
Is Office 2016 still safe to use?
Office 2016 reached end of extended support on 14 October 2025. Microsoft is providing this emergency patch at its discretion, but there is no guarantee of continued security updates. If you are still running Office 2016, this vulnerability is a strong signal to plan a migration to Microsoft 365 or a supported perpetual licence.
Does Protected View protect against this attack?
Partially. Protected View sandboxes files downloaded from the internet or received as email attachments, blocking the exploit. However, files shared via internal networks, USB drives, or some cloud sync tools may not trigger Protected View. Patching is the only complete defence.
What if I cannot install the patch immediately?
Microsoft provides a registry-based workaround that blocks the vulnerable COM controls. You need to add a specific COM Compatibility key in the Windows registry. You should also ensure Windows Defender real-time protection is enabled and warn all staff not to open unexpected Office attachments.
Is Your Digital Security Up to Date?
If your Office installation is vulnerable, what about your website? Outdated software, unpatched plugins, and missing security headers leave businesses exposed. We help UK businesses maintain secure, high-performing websites with proactive monitoring and management.
Talk to Us About Website Security