Microsoft has launched emergency out-of-band safety updates to patch a high-severity Microsoft Workplace zero-day vulnerability exploited in assaults.
The safety characteristic bypass vulnerability, tracked as CVE-2026-21509, impacts a number of Workplace variations, together with Microsoft Workplace 2016, Microsoft Workplace 2019, Microsoft Workplace LTSC 2021, Microsoft Workplace LTSC 2024, and Microsoft 365 Apps for Enterprise (the corporate’s cloud-based subscription service).
Nonetheless, as famous in at this time’s advisory, safety updates for Microsoft Workplace 2016 and 2019 usually are not but obtainable and will probably be launched as quickly as doable.
Whereas the preview pane will not be an assault vector, unauthenticated native attackers can nonetheless efficiently exploit the vulnerability by means of low-complexity assaults that require consumer interplay.
“Reliance on untrusted inputs in a safety choice in Microsoft Workplace permits an unauthorized attacker to bypass a safety characteristic regionally. An attacker should ship a consumer a malicious Workplace file and persuade them to open it,” Microsoft defined.
“This replace addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Workplace which defend customers from susceptible COM/OLE controls.”
“Clients on Workplace 2021 and later will probably be routinely protected through a service-side change, however will probably be required to restart their Workplace functions for this to take impact,” it added.
Though Workplace 2016 and 2019 aren’t instantly patched towards assaults, Microsoft has supplied complicated mitigation measures that might “scale back the severity of exploitation.”
We’ve tried to clear this up with our directions beneath:
- Shut all Microsoft Workplace functions.
- Create a backup of the Home windows Registry, as incorrectly modifying it might trigger points with the working system.
- Open the Home windows Registry Editor (regedit.exe) by clicking on the Begin menu and typing regedit, after which urgent Enter when it seems within the search outcomes.
- When open, use the tackle bar on the high to see if one of many following Registry keys exists:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility (for 64-bit Workplace, or 32-bit Workplace on 32-bit Home windows) HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility (for 32-bit Workplace on 64-bit Home windows) HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareMicrosoftOffice16.0CommonCOM Compatibility HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility
If one of many above keys doesn’t exist, create a brand new “COM Compatibility” key below this Registry path by right-clicking on Widespread and choosing New -> Key.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0Common - Now right-click on the prevailing or newly created COM Compatibility key and choose New -> Key and title it {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
- When the brand new {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} is created, right-click on it, choose New -> DWORD (32-bit) Worth. Identify the brand new worth Compatibility Flags.
- When the Compatibility Flags worth is created, double-click on it, be sure the Base possibility is ready to Hexadecimal, and enter 400 within the Worth information subject.
After performing these steps, the flaw will probably be mitigated if you subsequent launch an Workplace software.
Microsoft has not shared who found the vulnerability or any particulars on how it’s exploited, and a spokesperson was not instantly obtainable for remark when contacted by BleepingComputer earlier at this time.
Earlier this month, as a part of the January 2026 Patch Tuesday, Microsoft issued safety updates for 114 flaws, together with one actively exploited and two publicly disclosed zero-day bugs.
The opposite actively exploited zero-day patched this month is an info disclosure flaw within the Desktop Window Supervisor, tagged by Microsoft as “necessary severity,” that may let attackers to learn reminiscence addresses related to the distant ALPC port.
Final week, Microsoft additionally launched a number of out-of-band Home windows updates to repair shutdown and Cloud PC bugs triggered by the January Patch Tuesday updates, in addition to one other set of emergency updates to handle a difficulty inflicting the traditional Outlook electronic mail consumer to freeze or hold.
It is price range season! Over 300 CISOs and safety leaders have shared how they’re planning, spending, and prioritizing for the 12 months forward. This report compiles their insights, permitting readers to benchmark methods, determine rising developments, and examine their priorities as they head into 2026.
Learn the way high leaders are turning funding into measurable affect.
