Microsoft released an emergency patch for CVE-2026-21509, a zero-day vulnerability in Office and Microsoft 365 that attackers are actively exploiting. The bug allows hackers to bypass security controls and execute malicious code by tricking users into opening infected Office files.
CISA added the vulnerability to its known exploited list, giving federal agencies until February 16 to patch or stop using affected products. Security experts believe this is likely a tool for advanced persistent threats, possibly state-sponsored groups targeting high-value victims through social engineering.
Office 2021 users just need to restart their apps for automatic protection, while Office 2016 and 2019 users must install manual updates.
Source: Dark Reading