UPDATED 8:45 GMT, Jan 27. Microsoft has changed the security advisory to say that in fact the vulnerability is NOT publicly disclosed and that credit for the disclosure goes to its own security and product teams.
Microsoft has pushed an emergency out-of-band patch for an actively exploited Microsoft 365 zero day allocated CVE-2026-21509.
The bug “bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Redmond said.
The preview pane is not an attack vector. Attackers need to persuade users to open a malicious Office file – i.e. this is likely used in phishing attacks.
Microsoft classes the Office zero day as a security feature bypass, consistent with its description above, and rates it CVSS 7.8.
Unusually, Redmond did not credit anyone with the discovery, nor did it disclose any details on the extent of exploitation; but an out-of-band patch and simultaneous addition to CISA's KEV catalogue suggest non-trivial attacks.
It described the vulnerability as publicly disclosed. The Stack could not immediately identify a legitimate PoC but will update if we spot one.
(Signal @Targett.11 or email if you have the POC/IOCs.)
Customers on Office 2021 are protected via a “service-side change”, but will need to restart their Office applications for this to take effect. Customers on Office 2016 and 2019 are not protected – a security update is pending.
Redmond said the latter can mitigate by applying new Windows Registry keys, whilst warning that "serious problems may occur if you modify the registry incorrectly", including issues with the underlying operating system.
IT teams will need, or at least want, to create a registry backup first, and to restart Office applications afterwards for the change to take effect.
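The script below is an added example written for this article, not Microsoft's guidance or a script from The Stack. It shows the two steps the advisory implies for on-premises Office: back up the registry key you are about to touch, then set an Office COM kill bit (the documented `Compatibility Flags = 0x400` value under `Common\COM Compatibility\{CLSID}`) for the CLSIDs the advisory lists. The CLSIDs themselves are deliberately not hard-coded here, because this page does not reproduce them; pass them in from Microsoft's guidance and cross-check the hive and key path against that guidance, since the `16.0` Office version path and the per-user `HKCU` hive are assumptions in this example.

```powershell
# Added example (not Microsoft's script): back up the Office COM Compatibility
# key for the current user, then set the Office COM kill bit for each CLSID.
# ASSUMPTIONS: Office version path "16.0" and the HKCU hive. Take the CLSIDs
# and the exact key path from Microsoft's advisory; nothing here is vendor-confirmed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # One or more CLSIDs in {8-4-4-4-12} form, taken from the advisory.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string[]]$Clsid,

    [string]$OfficeVersion = '16.0',
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'OfficeRegBackup')
)

# Same key expressed for the PowerShell registry provider and for reg.exe.
$base    = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\COM Compatibility"
$regBase = "HKCU\Software\Microsoft\Office\$OfficeVersion\Common\COM Compatibility"

# Step 1: backup. reg.exe cannot export a key that does not exist yet, so
# create the (empty) parent key first; that creates nothing security-relevant.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "COMCompatibility-$stamp.reg"
if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }

if ($PSCmdlet.ShouldProcess($regBase, "Export to $backup")) {
    & reg.exe export $regBase $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Registry export failed; refusing to modify the registry without a backup."
    }
}

# Step 2: set the kill bit. 0x400 in "Compatibility Flags" tells Office not to
# instantiate that COM class; applying it per CLSID keeps the blast radius small.
foreach ($id in $Clsid) {
    $key = Join-Path $base $id
    if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags = 0x400 (Office COM kill bit)')) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value 0x400 -Force | Out-Null
    }
}

# Step 3: verify what is actually in the registry, rather than trusting the writes.
foreach ($id in $Clsid) {
    $v = (Get-ItemProperty -Path (Join-Path $base $id) -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        CLSID              = $id
        CompatibilityFlags = if ($null -ne $v) { '0x{0:X}' -f $v } else { '(missing)' }
        KillBitSet         = ($null -ne $v) -and (($v -band 0x400) -ne 0)
        Backup             = $backup
    }
}
```

Run it first with `-WhatIf` to see the key and file paths it would touch, then without. The kill bit only takes effect in Office processes started after the change, which is why the advisory's note about restarting Office applications matters. To roll back, double-click or `reg import` the exported `.reg` file and restart Office again; if the advisory specifies `HKLM` rather than `HKCU`, run the script from an elevated prompt after changing the two hive strings.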
Microsoft’s guidance is here. Multiple versions of Microsoft Office and Microsoft 365 Apps for Enterprise are affected.
Experienced security researcher Haifei Li noted on X that the CLSID [a class identifier the Windows Registry uses to identify a COM class] in Microsoft's mitigation guidance "led me to believe this is about an Office file loading the legacy Internet Explorer browser attack vector. We know IE is very outdated and full of weakness and bugs, so it's kinda serious…"
(COM, or Component Object Model, is Microsoft's component software architecture. OLE, or Object Linking and Embedding, is the COM-based technology that lets documents embed and link content from other applications. Microsoft started renaming OLE technologies ActiveX in 1996, except the compound document technology used in Microsoft Office…)
More details to follow.