A new high-severity zero-day vulnerability in Microsoft Office has been exploited in the wild, according to Microsoft.
The tech giant released a patch in a January 26 advisory for the flaw, which has been summarized as a reliance on untrusted inputs in a security decision in Microsoft Office that can allow an unauthorized attacker to bypass a security feature locally.
The flaw enables an attacker to bypass object linking and embedding (OLE) mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable component object model (COM) and OLE controls.
To achieve a successful exploit, the attacker must send a user a malicious Office file and convince them to open it, said Microsoft in the advisory.
The flaw was discovered by the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC) and the Office Product Group Security Team.
Microsoft reported it on January 26; it has been allocated the tracking number CVE-2026-21509 and ranked as high severity, with a CVSS 3.1 score of 7.8.
It affects several versions of Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024 and Microsoft 365 Apps for Enterprise.
Microsoft confirmed that it detected evidence of exploitation in the wild and urged customers running Microsoft Office 2016 and 2019 to ensure the update is installed to be protected.
Customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.
