Microsoft on Monday issued out-of-band security patches for a high-severity Microsoft Workplace zero-day vulnerability exploited in assaults.
The vulnerability, tracked as CVE-2026-21509, carries a CVSS rating of seven.8 out of 10.0. It has been described as a security characteristic bypass in Microsoft Workplace.
“Reliance on untrusted inputs in a security choice in Microsoft Workplace permits an unauthorized attacker to bypass a security characteristic domestically,” the tech large mentioned in an advisory.
“This replace addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Workplace, which shield customers from weak COM/OLE controls.”
Profitable exploitation of the flaw depends on an attacker sending a specifically crafted Workplace file and convincing recipients to open it. It additionally famous that the Preview Pane will not be an assault vector.
The Home windows maker mentioned prospects operating Workplace 2021 and later shall be mechanically protected by way of a service-side change, however shall be required to restart their Workplace purposes for this to take impact. For these operating Workplace 2016 and 2019, it is required to put in the next updates –
- Microsoft Workplace 2019 (32-bit version) – 16.0.10417.20095
- Microsoft Workplace 2019 (64-bit version) – 16.0.10417.20095
- Microsoft Workplace 2016 (32-bit version) – 16.0.5539.1001
- Microsoft Workplace 2016 (64-bit version) – 16.0.5539.1001
As mitigation, the corporate is urging that prospects make a Home windows Registry change by following the steps outlined beneath –
- Take a backup of the Registry
- Exit all Microsoft Workplace purposes
- Begin the Registry Editor
- Find the right registry subkey –
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility for 64-bit MSI Workplace or 32-bit MSI Workplace on 32-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit MSI Workplace on 64-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareMicrosoftOffice16.0CommonCOM Compatibility for 64-bit Click2Run Workplace or 32-bit Click2Run Workplace on 32-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit Click2Run Workplace on 64-bit Home windows
- Add a brand new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and selecting Add Key.
- Inside that subkey, add new worth by right-clicking the brand new subkey and selecting New > DWORD (32-bit) Worth
- Add a REG_DWORD hexadecimal worth referred to as ”Compatibility Flags” with a price of 400
- Exit Registry Editor and begin the Workplace software
Microsoft has not shared any particulars in regards to the nature and the scope of assaults exploiting CVE-2026-21509. It credited the Microsoft Risk Intelligence Middle (MSTIC), Microsoft Safety Response Middle (MSRC), and Workplace Product Group Safety Workforce for locating the problem.
The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) so as to add the flaw to its Recognized Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Government Department (FCEB) companies to use the patches by February 16, 2026.
