Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft Office actively exploited security feature bypass (CVE-2026-21509)

Vulnerability
First reported
Last updated
Happening score
H score 18
2 unique sources, 3 articles

Summary

Hide ▲

CVE-2026-21509 is a 7.8 CVSS Microsoft Office security feature bypass that was actively exploited to bypass OLE mitigations and deliver malicious Office files. APT28 was later attributed to exploitation of the flaw in Ukraine, Slovakia, and Romania as part of Operation Neusploit, using RTF and Word documents to trigger loader chains that delivered MiniDoor email-stealing malware or a Covenant Grunt implant. CERT-UA separately reported abuse of the same flaw against more than 60 email addresses tied to Ukraine's central executive authorities. Microsoft issued out-of-band patches, and CISA added the issue to the KEV catalog with a February 16, 2026 deadline for FCEB agencies.

Related Happenings

Microsoft Office launch disruption after June 2026 Windows updates

Service Disruption
H score0 First: 17.06.2026 14:54 Last: 17.06.2026 14:54 Sources 1

About this happening: Microsoft is investigating a **Windows update-related disruption** that can stop **third-party applications** from launching **Word, Excel, PowerPoint, Access** or opening documen...

Microsoft hit by cyberattack

Incident
H score68 First: 09.06.2026 18:42 Last: 09.06.2026 18:42 Sources 1

About this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
H score26 First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Microsoft Exchange CVE-2026-42897 mitigation advisory

Advisory/Mitigation
H score44 First: 15.05.2026 12:40 Last: 15.05.2026 12:40 Sources 1

About this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...

Latest development: 15.05.2026 15:35

Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.

Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw

Vulnerability
H score40 First: 14.05.2026 21:53 Last: 14.05.2026 21:53 Sources 1

About this happening: **Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...

Timeline

  1. 27.01.2026 09:19 4 articles · 5mo ago

    Microsoft deploys out-of-band Office protection

    Mitigation Patch Update

    Microsoft deployed out-of-band protection for CVE-2026-21509 in Microsoft Office, automatically shielding Office 2021 and later through a service-side change and directing Office 2016 and Office 2019 customers to install the listed updates or use the registry-based COM Compatibility mitigation with Compatibility Flags set to 400.

    Show sources
  2. 27.01.2026 09:19 1 articles · 5mo ago

    Microsoft discloses active exploitation of CVE-2026-21509

    Initial Disclosure

    CVE-2026-21509 is a 7.8 security feature bypass in Microsoft Office that lets an unauthorized local attacker bypass OLE mitigations by getting a victim to open a specially crafted Office file; Microsoft said the Preview Pane is not an attack vector.

    Show sources