Microsoft Office Security Feature Bypass Vulnerability
Release Date: 26th of January 2026
Impact: HIGH / CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Department of Communication and Digital Transformation (DCDT) provide the following advisory.
This alert is relevant to organizations and system/network administrators that use the products listed below. It is written for technical users and systems administrators.
What is it?
CVE-2026-21509 is a high-severity security feature bypass vulnerability in Microsoft Office caused by reliance on untrusted input in security decisions. It allows attackers to bypass built-in protections (e.g., OLE/COM security controls) when a user opens a specially crafted Office document.
What are the Systems affected?
The vulnerability affects multiple Microsoft Office products, including:
- Microsoft Office 2016 and 2019
- Microsoft Office LTSC 2021 and 2024
- Microsoft 365 Apps (Enterprise)
What does this mean?
Attackers exploit CVE-2026-21509 by:
- Sending specially crafted malicious Office files via phishing or social engineering.
- Tricking users into opening the document, which bypasses Office security protections.
- Executing unsafe embedded objects or payloads, enabling malware delivery, data access, or further system compromise.
This vulnerability is particularly dangerous because it is being actively exploited in the wild.
Mitigation process
CERTVU recommends:
- Immediately applying Microsoft’s emergency security updates for all affected Office versions.
- Updating Office to the latest supported version and restarting applications to enable protections.
- Implementing temporary mitigations (e.g., registry or configuration changes) where patches are not yet deployed.
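The following PowerShell inventory script is an added example and is not part of the CERTVU advisory; it enumerates Click-to-Run and MSI-based Office installations on a Windows host and flags any that are below a build number you supply, so administrators can confirm the update step above across the affected product families. The fixed build numbers in the script are placeholders and must be taken from Microsoft's update guide entry for CVE-2026-21509; the registry paths used are the standard Office Click-to-Run configuration and Windows Uninstall locations.

```powershell
# Added example (not from the CERTVU advisory): list Office installs on this host
# and compare them against the fixed build for their install type.
# PLACEHOLDER values: replace with the patched builds from Microsoft's update
# guide for CVE-2026-21509 (Click-to-Run builds differ per update channel).
$MinimumFixedBuild = @{
    ClickToRun = [version]'0.0.0.0'   # placeholder
    MSI        = [version]'0.0.0.0'   # placeholder
}

function Get-OfficeInstall {
    $results = @()

    # Click-to-Run installs (Microsoft 365 Apps, C2R editions of 2019 / LTSC 2021 / 2024)
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $cfg = Get-ItemProperty -Path $c2r
        $results += [pscustomobject]@{
            Type    = 'ClickToRun'
            Product = $cfg.ProductReleaseIds
            Channel = $cfg.UpdateChannel
            Version = [version]$cfg.VersionToReport
        }
    }

    # MSI-based installs (e.g. Office 2016 volume licence) are listed under Uninstall.
    # C2R products also appear there, so entries uninstalled via OfficeClickToRun are skipped.
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Office*' -and $_.DisplayVersion -and
                       $_.UninstallString -notlike '*OfficeClickToRun*' } |
        ForEach-Object {
            $results += [pscustomobject]@{
                Type    = 'MSI'
                Product = $_.DisplayName
                Channel = 'n/a'
                Version = [version]$_.DisplayVersion
            }
        }
    return $results
}

# Report each install with a simple patched / needs-update verdict
Get-OfficeInstall | ForEach-Object {
    $status = if ($_.Version -ge $MinimumFixedBuild[$_.Type]) { 'OK' } else { 'NEEDS UPDATE' }
    '{0,-11} {1,-45} {2,-12} {3,-18} {4}' -f $_.Type, $_.Product, $_.Channel, $_.Version, $status
}
```

Run it from an elevated prompt on each host, or push it through your endpoint management tool, and treat any "NEEDS UPDATE" line as a host that still requires the emergency update or the temporary mitigation.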
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cve.org/CVERecord?id=CVE-2026-21509