Microsoft Office actively exploited security feature bypass (CVE-2026-21509)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-21509 is a 7.8 CVSS Microsoft Office security feature bypass that was actively exploited to bypass OLE mitigations and deliver malicious Office files. APT28 was later attributed to exploitation of the flaw in Ukraine, Slovakia, and Romania as part of Operation Neusploit, using RTF and Word documents to trigger loader chains that delivered MiniDoor email-stealing malware or a Covenant Grunt implant. CERT-UA separately reported abuse of the same flaw against more than 60 email addresses tied to Ukraine's central executive authorities. Microsoft issued out-of-band patches, and CISA added the issue to the KEV catalog with a February 16, 2026 deadline for FCEB agencies.
Related Happenings
Microsoft Office launch disruption after June 2026 Windows updates
Service Disruption
H score0
First: 17.06.2026 14:54
Last: 17.06.2026 14:54
Sources 1
About this happening:
Microsoft is investigating a **Windows update-related disruption** that can stop **third-party applications** from launching **Word, Excel, PowerPoint, Access** or opening documen...
Microsoft Office launch disruption after June 2026 Windows updates
Service DisruptionAbout this happening: Microsoft is investigating a **Windows update-related disruption** that can stop **third-party applications** from launching **Word, Excel, PowerPoint, Access** or opening documen...
Microsoft hit by cyberattack
Incident
H score68
First: 09.06.2026 18:42
Last: 09.06.2026 18:42
Sources 1
About this happening:
A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Microsoft hit by cyberattack
IncidentAbout this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
H score26
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor MetaAbout this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/Mitigation
H score44
First: 15.05.2026 12:40
Last: 15.05.2026 12:40
Sources 1
About this happening:
**Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/MitigationAbout this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Latest development: 15.05.2026 15:35
Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.
Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw
Vulnerability
H score40
First: 14.05.2026 21:53
Last: 14.05.2026 21:53
Sources 1
About this happening:
**Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...
Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw
VulnerabilityAbout this happening: **Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...
Timeline
-
27.01.2026 09:19 4 articles · 5mo ago
Microsoft deploys out-of-band Office protection
Mitigation Patch UpdateMicrosoft deployed out-of-band protection for CVE-2026-21509 in Microsoft Office, automatically shielding Office 2021 and later through a service-side change and directing Office 2016 and Office 2019 customers to install the listed updates or use the registry-based COM Compatibility mitigation with Compatibility Flags set to 400.
Show sources
- Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation — thehackernews.com — 27.01.2026 09:19
- Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation — thehackernews.com — 27.01.2026 09:19
- APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks — thehackernews.com — 03.02.2026 11:12
- APT28 hackers deploy customized variant of Covenant open-source tool — www.bleepingcomputer.com — 10.03.2026 12:00
-
27.01.2026 09:19 1 articles · 5mo ago
Microsoft discloses active exploitation of CVE-2026-21509
Initial DisclosureCVE-2026-21509 is a 7.8 security feature bypass in Microsoft Office that lets an unauthorized local attacker bypass OLE mitigations by getting a victim to open a specially crafted Office file; Microsoft said the Preview Pane is not an attack vector.
Show sources
- Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation — thehackernews.com — 27.01.2026 09:19
-
27.01.2026 09:19 1 articles · 5mo ago
CISA sets KEV deadline for CVE-2026-21509
Legal Policy Action UpdateCISA added CVE-2026-21509 to the Known Exploited Vulnerabilities (KEV) catalog and required Federal Civilian Executive Branch agencies to apply the patches by February 16, 2026.
Show sources
- Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation — thehackernews.com — 27.01.2026 09:19