CVE-2026-21509

Microsoft · Microsoft Multiple Products

A high-severity vulnerability has been identified in Microsoft Office products that allows an attacker to bypass built-in security features.

Executive summary

A high-severity vulnerability has been identified in Microsoft Office products that allows an attacker to bypass built-in security features. By tricking a user into opening a specially crafted document, an attacker can execute malicious code on the victim's computer, potentially leading to data theft, malware installation, or a full system compromise. This vulnerability is confirmed to be actively exploited in the wild, posing an immediate and significant risk to the organization.

Vulnerability

This vulnerability, classified as "Reliance on Untrusted Inputs in a Security Decision," exists within Microsoft Office's handling of document files. An attacker can create a malicious Office file (e.g., a Word document or Excel spreadsheet) containing manipulated data. When a user opens this file, the Office application improperly trusts this malicious data when deciding whether to enforce a security feature, such as Protected View or macro warnings. This failure allows the attacker's embedded code to bypass these defenses and execute with the same permissions as the logged-in user, requiring no further user interaction beyond opening the file.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation poses a direct threat to business operations and data confidentiality. An attacker could leverage this access to install malware like ransomware or spyware, exfiltrate sensitive corporate data, steal user credentials, or pivot to other systems on the network. Given that Microsoft Office is ubiquitous in corporate environments, the potential attack surface is vast, and a successful compromise could lead to significant financial loss, operational disruption, and reputational damage.

Remediation

Immediate Action: Apply the security updates released by Microsoft across all affected endpoints immediately. Due to the active exploitation of this vulnerability, patching should be treated as an emergency action. After patching, monitor systems for any signs of post-exploitation activity and review relevant access and application logs for indicators of compromise that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor for suspicious activity originating from Microsoft Office applications. This includes looking for Office processes (e.g., WINWORD.EXE, EXCEL.EXE) spawning child processes like powershell.exe or cmd.exe, making unusual network connections to external IP addresses, or modifying system files. Endpoint Detection and Response (EDR) solutions should be configured with rules to detect and alert on such anomalous behavior chains.
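The parent/child rule described above, as an added detection example that is not part of this advisory: it runs over constructed Sysmon-style process-creation records (JSON lines) and flags an Office host spawning a shell or script host. The field names, and the process names beyond WINWORD.EXE, EXCEL.EXE, powershell.exe and cmd.exe, are assumptions to tune per environment.

```python
import json
from pathlib import PureWindowsPath
from typing import Optional

# Office hosts named in the advisory plus other common Office executables (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office host should not normally launch (assumed list; tune per environment).
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(image: str) -> str:
    """Normalise a full Windows image path to a lower-case file name."""
    return PureWindowsPath(image).name.lower()


def flag_office_child(event: dict) -> Optional[dict]:
    """Return an alert for a Sysmon-style process-creation event (EventID 1)
    whose parent is an Office host and whose child is a shell or script host."""
    if event.get("EventID") != 1:
        return None
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return {"rule": "office-spawns-shell", "parent": parent, "child": child,
                "user": event.get("User", ""), "cmdline": event.get("CommandLine", "")}
    return None


def scan(lines) -> list:
    """Run the rule over JSON-lines records, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than crash the scan
        alert = flag_office_child(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records: two hits, one benign Office child, one non-Office parent, one malformed line.
SAMPLE_LOG = r"""
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-Date", "User": "CORP\\jdoe"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe", "User": "CORP\\jdoe"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe", "User": "CORP\\admin"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "User": "CORP\\asmith"}
this line is not valid JSON
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a)
```

The same matching logic is what an EDR or SIEM rule would encode; in production the input would be live Sysmon or EDR telemetry rather than the embedded sample.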

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Enable Attack Surface Reduction (ASR) rules to block Office applications from creating child processes or injecting code.
  • Strengthen email security gateway policies to better detect and block malicious Office documents.
  • Ensure macros from internet sources are disabled via Group Policy.
  • Conduct user awareness training to reinforce caution against opening unsolicited attachments.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the high severity rating, the widespread use of the affected software, and its inclusion in the CISA KEV catalog, CVE-2026-21509 represents a critical and immediate threat. We strongly recommend that organizations prioritize the deployment of the vendor-supplied security patches to all affected systems before the CISA KEV deadline of February 15, 2026. This vulnerability should be considered a top priority for remediation to prevent potential system compromise and data breaches.