Security Alert: Actively Exploited Microsoft Office Zero-Day Vulnerability (CVE-2026-21509)
Microsoft has released emergency out-of-band security updates to address CVE-2026-21509, a zero-day vulnerability in Microsoft Office that is being actively exploited. The flaw allows attackers to bypass built-in security protections when users open malicious Office files.
Affected Systems
Microsoft Office 2016, 2019
Microsoft Office LTSC 2021, 2024
Microsoft 365 Apps for Enterprise
Security Risks
Successful exploitation allows attackers to bypass Office security protections locally, potentially enabling execution of malicious actions, unauthorized access to sensitive information, or further compromise of the system.
Recommended Actions
The National Cyber Security Authority (NCSA) recommends that users and administrators:
Apply Microsoft’s emergency security updates immediately for all supported Office versions.
Restart Microsoft Office applications on Office 2021 and later to activate Microsoft’s built-in protection.
If using Office 2016 or 2019 and updates cannot be installed immediately, apply Microsoft’s published mitigation guidance from the Security Update Guide.
Avoid opening Office files from unknown or untrusted sources to prevent exploitation via social engineering.
Ensure a current and tested backup of critical data is available prior to applying updates or mitigations.
For further information and support, please contact the National Cyber Security Authority (NCSA) by emailing rwcsirt@ncsa.gov.rw or calling us on 9009.