Microsoft Confirms Active Office Zero-Day Exploit, Deploys Emergency Fix
Microsoft just cannot catch a break. After releasing a second emergency update, KB5078127, to address escalating Outlook issues, the company has now pushed another urgent security update to deal with an actively exploited Office vulnerability.
Office zero-day already exploited in the wild
According to Neowin, Microsoft has released an out-of-band security update for a serious Office zero-day flaw already used in real-world attacks. Microsoft tracks the vulnerability as CVE-2026-21509 and classifies it as a security feature bypass issue in Microsoft Office.
The flaw affects several Office versions, including Microsoft Office 2016, Office 2019, Office LTSC 2021 and 2024, and Microsoft 365 Apps for Enterprise. Attackers exploit the issue by supplying untrusted input into a vulnerable security decision process, which allows them to bypass Office’s built-in security protections.
To carry out the attack, threat actors only need to convince a victim to open a malicious Office document. The exploit does not require elevated privileges, which makes phishing and targeted email attacks particularly effective.
Microsoft has already addressed the issue for Microsoft 365 Apps and Office LTSC 2021 and 2024 through a server-side update. Users may need to restart their Office applications to ensure the fix applies correctly. However, older MSI-based versions, such as Office 2016 and Office 2019, have not yet received patches. Microsoft says updates for those versions will arrive as soon as possible.
Because attackers actively exploit this zero-day vulnerability, Microsoft strongly recommends installing available updates immediately and avoiding Office files from untrusted sources. For systems that cannot yet receive a patch, Microsoft has published an official workaround to help reduce the risk of exploitation.
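The article draws a practical line between installs that already received the server-side fix (Click-to-Run builds of Microsoft 365 Apps and Office LTSC 2021/2024) and MSI-based Office 2016/2019 installs that are still waiting for a patch. The following PowerShell inventory script is an added example, not code from the article, from Microsoft or from Neowin. It reads the standard Click-to-Run configuration key and the Windows uninstall entries to report which kind of Office is present on a machine; the `Get-OfficeInstallInventory` function name and the MSI-versus-C2R heuristic (an uninstall string that does not reference `OfficeClickToRun`) are assumptions of this example, and because the article gives no fixed build number the script reports versions rather than deciding whether a build is patched.

```powershell
# Added example (not from the article): inventory the local Office install so an
# administrator can tell whether it is Click-to-Run (receives the server-side fix
# once the apps are restarted) or an MSI-based Office 2016/2019 install, which the
# article says has not yet received a patch. Registry locations are the standard
# Office ones; the "is this build patched?" decision is left to the reader because
# the article provides no fixed build number.

function Get-OfficeInstallInventory {
    [CmdletBinding()]
    param()

    $results = @()

    # Click-to-Run: Microsoft 365 Apps, Office LTSC 2021/2024 and C2R builds of 2016/2019
    # all record their product, version and channel under this configuration key.
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2rKey) {
        $cfg = Get-ItemProperty -Path $c2rKey
        $results += [pscustomobject]@{
            InstallType   = 'ClickToRun'
            Product       = $cfg.ProductReleaseIds
            Version       = $cfg.VersionToReport
            UpdateChannel = $cfg.UpdateChannel
            Note          = 'Server-side fix applies; restart all Office apps so it takes effect.'
        }
    }

    # MSI-based installs appear as uninstall entries (64-bit and 32-bit views).
    # Heuristic (assumption of this example): a 2016/2019 entry whose uninstall
    # string does not call OfficeClickToRun.exe is treated as an MSI install.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($path in $uninstallPaths) {
        Get-ItemProperty -Path $path -ErrorAction SilentlyContinue |
            Where-Object {
                $_.DisplayName -match '^Microsoft Office .*(2016|2019)' -and
                ($null -eq $_.UninstallString -or $_.UninstallString -notmatch 'OfficeClickToRun')
            } |
            ForEach-Object {
                $results += [pscustomobject]@{
                    InstallType   = 'MSI'
                    Product       = $_.DisplayName
                    Version       = $_.DisplayVersion
                    UpdateChannel = 'n/a'
                    Note          = 'MSI-based 2016/2019: no patch yet; apply the published workaround and block untrusted Office files.'
                }
            }
    }

    return $results
}

# Run on the local machine; wrap in Invoke-Command for a fleet-wide sweep.
Get-OfficeInstallInventory | Format-Table -AutoSize
```

The output gives an administrator a per-machine list of Office flavours: Click-to-Run rows need only an application restart, while MSI rows for 2016/2019 mark the hosts that still depend on the interim workaround until Microsoft ships the patch the article mentions.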
This latest emergency update adds to a growing list of recent issues for Microsoft. Microsoft 365 experienced a service outage recently, and the company also confirmed that it shared BitLocker recovery keys with authorities for the first time as part of an ongoing investigation.