Microsoft Office actively exploited security feature bypass (CVE-2026-21509)
Vulnerability
Summary
CVE-2026-21509 is a 7.8 CVSS Microsoft Office security feature bypass that was actively exploited to bypass OLE mitigations and deliver malicious Office files. APT28 was later attributed to exploitation of the flaw in Ukraine, Slovakia, and Romania as part of Operation Neusploit, using RTF and Word documents to trigger loader chains that delivered MiniDoor email-stealing malware or a Covenant Grunt implant. CERT-UA separately reported abuse of the same flaw against more than 60 email addresses tied to Ukraine's central executive authorities. Microsoft issued out-of-band patches, and CISA added the issue to the KEV catalog with a February 16, 2026 deadline for FCEB agencies.
Related Happenings
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/Mitigation
First: 15.05.2026 12:40
Last: 15.05.2026 12:40
Sources 1
About this happening:
**Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Latest development: 15.05.2026 15:35
Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.
Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw
Vulnerability
First: 14.05.2026 21:53
Last: 14.05.2026 21:53
Sources 1
About this happening:
**Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Microsoft Windows 365 Office installation disruption
Service Disruption
First: 13.05.2026 14:53
Last: 13.05.2026 14:53
Sources 1
About this happening:
The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....
Timeline
- 27.01.2026 09:19 4 articles · 4mo ago
Microsoft deploys out-of-band Office protection
Mitigation Patch Update
Microsoft deployed out-of-band protection for CVE-2026-21509 in Microsoft Office, automatically shielding Office 2021 and later through a service-side change and directing Office 2016 and Office 2019 customers to install the listed updates or use the registry-based COM Compatibility mitigation with Compatibility Flags set to 400.
Sources:
- Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation — thehackernews.com — 27.01.2026 09:19
- APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks — thehackernews.com — 03.02.2026 11:12
- APT28 hackers deploy customized variant of Covenant open-source tool — www.bleepingcomputer.com — 10.03.2026 12:00
- 27.01.2026 09:19 1 article · 4mo ago
Microsoft discloses active exploitation of CVE-2026-21509
Initial Disclosure
CVE-2026-21509 is a CVSS 7.8 security feature bypass in Microsoft Office that lets an unauthorized local attacker bypass OLE mitigations by getting a victim to open a specially crafted Office file; Microsoft said the Preview Pane is not an attack vector.
Sources:
- Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation — thehackernews.com — 27.01.2026 09:19
- 27.01.2026 09:19 1 article · 4mo ago
CISA sets KEV deadline for CVE-2026-21509
Legal Policy Action Update
CISA added CVE-2026-21509 to the Known Exploited Vulnerabilities (KEV) catalog and required Federal Civilian Executive Branch agencies to apply the patches by February 16, 2026.
Sources:
- Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation — thehackernews.com — 27.01.2026 09:19