Microsoft Urgently Releases Patch for High-Risk Office Zero-Day Already Exploited in Live Attacks


Microsoft released an emergency patch on January 26, 2026, for CVE-2026-21509, a high-severity zero-day vulnerability in Office applications that is being actively exploited. The flaw affects Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise, and exploitation requires a user to open a malicious file. Office 2021 and newer versions receive automatic protection through service-side updates, though the applications must be restarted. Patches for older versions are still forthcoming; in the meantime, temporary mitigation measures help reduce risk. The urgency underscores the broader picture revealed by January’s massive security update, which addressed 114 vulnerabilities.

Microsoft scrambled to release emergency security patches on January 26, 2026, targeting a high-severity zero-day vulnerability in Office applications that attackers are actively exploiting in the wild. The flaw, tracked as CVE-2026-21509, represents a security feature bypass that’s already been weaponised against users—making this one of those rare moments when clicking “update now” actually matters.


The vulnerability affects a surprisingly broad range of Office versions: 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. Yes, really. If you’re running Office in a corporate environment or clinging to that perpetual 2016 licence, you’re in the blast radius.

What makes this particularly concerning is the exploitation status. Unauthenticated local attackers can bypass security features with relatively low complexity, though they do need user interaction to pull it off. The good news? The preview pane isn’t an attack vector, so simply hovering over a malicious file won’t trigger the exploit. The attack vector involves sending a malicious Office file to a target user who must be convinced to open it.

Microsoft’s response was swift but uneven. The emergency out-of-band updates rolled out immediately for some versions, with a clever twist: Office 2021 and later receive automatic protection through a service-side change. You’ll need to restart your Office applications for the protection to kick in—a small price to pay for not becoming an attack statistic.
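Because the service-side protection only applies once Office has been restarted, it helps to know which machines still have long-running Office processes. The following PowerShell is an added example, not Microsoft's tooling or part of the advisory; the function name, the list of process names and the default cutoff time are assumptions to adjust for your environment.

```powershell
# Added example: list Office processes that were started before the
# service-side protection was published and therefore still need a restart.
function Get-StaleOfficeProcess {
    [CmdletBinding()]
    param(
        # Assumption: midnight after the release date given in the article, so
        # anything started on or before 26 January 2026 is flagged. Set this to
        # the time the change actually reached your tenant.
        [datetime]$ProtectionTime = [datetime]'2026-01-27T00:00:00',

        # Executable names (without .exe) of common Office desktop apps.
        [string[]]$Name = @('WINWORD', 'EXCEL', 'POWERPNT', 'OUTLOOK',
                            'MSACCESS', 'MSPUB', 'ONENOTE', 'VISIO')
    )

    # Get-Process raises an error for each name that is not running; suppress it.
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        ForEach-Object {
            # StartTime may be unreadable for processes in other sessions when
            # the caller is not elevated; treat unknown as "needs restart".
            $start = $null
            try { $start = $_.StartTime } catch { }

            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Process      = $_.ProcessName
                Id           = $_.Id
                SessionId    = $_.SessionId
                StartTime    = $start
                NeedsRestart = ($null -eq $start) -or ($start -lt $ProtectionTime)
            }
        } |
        Where-Object NeedsRestart
}

# Local report; an empty result means no Office app predates the cutoff.
Get-StaleOfficeProcess | Sort-Object StartTime | Format-Table -AutoSize
```

A process started after the cutoff has been restarted, but this check says nothing about whether the update itself is installed on versions that need a patch.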

But here’s the catch: patches for Office 2016 and 2019 aren’t available yet. They’re “forthcoming soon,” which is tech-speak for “we’re working on it.” Microsoft has provided mitigation measures to reduce exploitation severity in the meantime.

This zero-day arrived separately from January’s Patch Tuesday marathon, which itself addressed 114 vulnerabilities including three other zero-days. One of those—CVE-2026-20805, affecting Desktop Window Manager—was likewise actively exploited.

CISA wasted no time adding CVE-2026-20805 to its Known Exploited Vulnerabilities catalogue, with federal agencies facing a February 3, 2026 deadline to patch. The January batch also included nasty remote code execution flaws in Office: CVE-2026-20952 and CVE-2026-20953, both use-after-free vulnerabilities, plus CVE-2026-20955, which specifically targets Excel.

Security experts are urging organisations to treat this with appropriate urgency. Apply the out-of-band updates immediately, restart those Office apps, and monitor for suspicious activity. The Principle of Least Privilege isn’t just security gospel—it’s practical defence against exploits like these.

Prioritise patches for remote code execution and privilege escalation vulnerabilities, as those are the ones attackers love most. Testing updates in staging environments is recommended to avoid potential regressions before deploying broadly across production systems.

The bottom line? Microsoft’s playing defence against live attacks, and your best move is updating before threat actors knock on your digital door. This one’s already in the wild.

Final Thoughts

Microsoft’s emergency patch for a high-risk Office zero-day vulnerability that’s already being exploited in live attacks demonstrates how cyber threats evolve faster than most businesses can respond. Zero-day exploits are no longer theoretical risks—they’re active weapons targeting unpatched systems right now.
