Microsoft pushes urgent Office patch for a newly exploited zero-day used in targeted intrusions

🇺🇸United States

TechnologyGovernmentCybersecurityEnterprise Software

Tue, Jan 27, 2026

InsightsWire News2026

Microsoft has issued emergency updates to close a recently discovered Office vulnerability tracked as CVE-2026-21509, following evidence the flaw was being exploited in real-world attacks. The fault lets an attacker circumvent built-in Office defenses related to legacy component handling, enabling unauthorized actions when a specially crafted document is opened. Microsoft’s internal researchers identified both the bug and the in-the-wild activity, but the vendor has withheld granular attack telemetry to avoid amplifying operational details. Exploitation depends on tricking a user into opening a malicious file, and the technical requirements — including likely multi-stage orchestration — point toward selective espionage or other high-value intrusions rather than mass phishing campaigns. Patches are available for multiple supported Office channels, and alternative mitigations were published for environments that cannot apply updates immediately. The U.S. Cybersecurity and Infrastructure Security Agency added this CVE to its Known Exploited Vulnerabilities list and directed federal entities to remediate by February 16, which accelerates timelines for government and critical infrastructure operators. This disclosure arrives amid a broader January patch cycle in which Microsoft addressed over 110 vulnerabilities, reinforcing that vendor-led discovery of active exploits is increasingly common. For defenders, the prioritized actions are straightforward: validate patch deployment across endpoints, layer mitigation controls where updates are delayed, and review telemetry for indicators consistent with staged exploitation. Incident responders should treat successful exploitation as likely targeted, which implies adversaries with tailored tooling and specific objectives. The absence of publicized exploit details forces defenders to rely on behavior-based detection and disrupt common exploitation patterns around component loading and document handling. Organizations that defer updates or lack visibility into Office process behavior face heightened exposure, particularly within sectors that handle sensitive information. In short, this is a high-priority remediation event with targeted risk characteristics, and immediate operational measures will reduce the window of opportunity for adversaries to escalate access or move laterally.

PREMIUM ANALYSIS

Read Our Expert Analysis

Create an account or login for free to unlock our expert analysis and key takeaways for this development.

By continuing, you agree to receive marketing communications and our weekly newsletter. You can opt-out at any time.

Free Access

No Payment Needed

Join Thousands of Readers

Recommended for you

Cybersecurity

Fortinet pushes emergency patches after FortiCloud SSO zero‑day lets attackers cross account boundaries

Fortinet issued emergency fixes after attackers exploited a FortiCloud single‑sign‑on authentication bypass (CVE‑2026‑24858) to access devices across customer accounts; U.S. cyber authorities added the flaw to their Known Exploited Vulnerabilities list and set an urgent remediation date for federal agencies. The incident is part of a wider trend of rapid in‑the‑wild exploitation that compresses the window for defenders to patch and perform operational checks.

Cybersecurity

Langflow: Critical RCE Exploited Within a Day of Patch

Langflow suffered unauthenticated remote code execution that attackers weaponized roughly twenty hours after the fix shipped, enabling credential theft and potential supply-chain staging. Immediate action: rotate secrets, isolate pipelines, and hunt for indicator overlaps across CI/CD and cloud services.

Cybersecurity

CERT-In alerts users to high-risk flaws in Apple Pages/Keynote and Google Chrome; apply patches now

India’s national cybersecurity agency has identified exploitable vulnerabilities in Apple Pages/Keynote and Google’s desktop Chrome that could allow data disclosure or remote code execution. Vendors issued fixes in late January 2026; organisations should prioritise deploying those updates immediately and treat them in the context of a broader trend of vendor emergency patches for document- and API-handling flaws.

Cybersecurity

Microsoft discloses Office defect that let Copilot access private emails

A flaw in Office allowed Microsoft’s Copilot assistant to read and summarize emails that had confidentiality labels applied, creating a multi-week exposure window beginning in January; Microsoft began a phased remediation in early February and administrators can follow progress via message center entry CW1226324. The disclosure arrived alongside other active Office vulnerabilities — notably CVE-2026-21509 and related CISA guidance — heightening the urgency for organizations to patch, audit AI-enabled endpoints and review access to built-in assistants.

Cybersecurity

Google GTIG: Zero‑Day Exploits Shift Toward Enterprise Targets in 2025

Google’s GTIG logged 90 exploited zero‑days in 2025 and a record portion hit enterprise infrastructure; commercial spyware vendors and OS flaws drove much of the shift. Field cases — including a long‑running WinRAR exploit and rapid weaponization of disclosed appliance flaws — illustrate how automation and exploit brokerage compress the timeline from discovery to impact.

Cybersecurity

Google rolls Android updates to fix exploited Qualcomm zero-day

Google issued Android security updates patching roughly 130 vulnerabilities, including an exploited Qualcomm graphics zero-day, CVE-2026-21385 (CVSS 7.8). Organizations must prioritize devices on the 2026-03-01 and 2026-03-05 patch levels to close immediate exposure and treat this as part of a wider cross‑vendor wave of in‑the‑wild fixes (see recent Chrome and document‑parser advisories) that increases urgency for rapid deployment and verification.

Cybersecurity

Dell RecoverPoint Zero-Day Exploited by China-Linked Cyberespionage Group

A China-linked espionage cluster abused a hardcoded-credential flaw in Dell RecoverPoint for Virtual Machines to escalate privileges, move laterally, and deploy bespoke malware; Dell released patch 6.0.3.1 HF1 and vendors published IoCs and behavioral indicators. The incident underscores a broader trend of rapid weaponization of management and recovery tooling, forcing organisations to pair urgent patching with compensating network controls and extended telemetry into virtualization stacks.

Cybersecurity

Cisco firewall zero-day exploited by Interlock, Amazon intel shows

Amazon threat researchers link a critical Cisco firewall flaw, tracked as CVE-2026-20131, to active Interlock ransomware operations and show exploitation began weeks before Cisco’s March patch. Government and vendor telemetry (including CISA advisories and independent vendor reports) broaden the picture: large-scale automated scanning and follow-on exploitation were observed across many appliances, prompting published IoCs and urgent hunt guidance.