CVE-2026-21509
Published: 26 January 2026
Description
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
Mitigating Controls (NIST 800-53 r5)
- Directly mandates validation of untrusted inputs at defined points, preventing reliance on untrusted data in security decisions as exploited in this Microsoft Office vulnerability.
- Requires timely patching of known flaws like CVE-2026-21509, directly addressing the security feature bypass via Microsoft's update.
- Vulnerability scanning identifies the presence of CVE-2026-21509 in Microsoft Office, enabling remediation before local exploitation.
Security Summary
CVE-2026-21509 is a vulnerability in Microsoft Office arising from reliance on untrusted inputs in a security decision, as defined by CWE-807. Published on 2026-01-26, it enables an unauthorized attacker to bypass a security feature locally. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high severity due to substantial impacts on confidentiality, integrity, and availability.
Exploitation requires local access to the affected system and has low attack complexity; no privileges are required (PR:N), but user interaction is (UI:R). An unauthorized attacker can leverage this to circumvent Microsoft Office security mechanisms, potentially leading to high-level compromise of the local environment.
Microsoft’s Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509. Vicarius offers a detection script and a mitigation script via their blog posts at https://www.vicarius.io/vsociety/posts/cve-2026-21509-detection-script-microsoft-office-security-feature-bypass-vulnerability and https://www.vicarius.io/vsociety/posts/cve-2026-21509-mitigation-script-microsoft-office-security-feature-bypass-vulnerability, respectively. The vulnerability also appears in CISA’s Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509.
Details
- CWE(s): CWE-807
- KEV Date Added: 26 January 2026
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in Microsoft Office enables a security feature bypass via local exploitation with user interaction, which directly facilitates client-side code execution (T1203, Exploitation for Client Execution) and defense evasion through exploitation (T1211, Exploitation for Defense Evasion).