In summary:
- PCWorld reports that Microsoft issued emergency updates for a critical zero-day vulnerability (CVE-2026-21509) in Office that attackers exploited against Ukrainian authorities and EU institutions.
- The flaw affects Office 2016, 2019, 2021 LTSC, and 2024 LTSC, allowing attackers to bypass security features and gain remote system control through malicious documents.
- Users must install updates immediately, with newer Office versions receiving automatic updates while older versions require manual updates from Microsoft Update Catalog.
Updated on February 3rd, 2026: New details have come to light regarding how attackers exploit this vulnerability. We’ve added a section explaining it down below.
Microsoft recently published a security advisory warning of a newly discovered zero-day vulnerability in Office applications. The vulnerability, designated CVE-2026-21509, is classified as “high” risk.
According to the advisory, this vulnerability can be exploited to bypass security features in various versions of Office, including Microsoft Office 2016, 2019, 2021 LTSC, and 2024 LTSC. Users are urged to install the emergency updates provided by Microsoft as soon as possible.
Microsoft explains that attackers can abuse this vulnerability to take control of COM/OLE controls, which are used for interaction between different Windows applications.
How does the attack work?
According to new information, attackers have already been able to exploit this vulnerability to carry out targeted attacks on Ukrainian authorities and EU institutions.
One report (machine translated) states that a file named “Consultation_Topics_Ukraine(Final).doc” containing an exploit for this vulnerability was discovered as early as January 29th, 2026, and was created the day after Microsoft disclosed the vulnerability.
Opening the document establishes a network connection to an external resource using the WebDAV protocol. A file named “Shortcut,” which contains program code, is then downloaded. The attackers could use this executable file to terminate and start processes on the target system. Ultimately, if successful, they would have been able to remotely control the system.
In addition to this file, three more documents with a similar exploit were discovered in January 2026, which were distributed via email.
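For defenders, the behavior described above (a WebDAV connection to an external resource, then the download of a file named “Shortcut”) can be hunted for in web proxy logs. The following Python sketch is an added example, not code from Microsoft or from the report cited here. The log format, host names, internal domain suffix and the .lnk extension are assumptions, and the sample lines are constructed.

```python
import ipaddress
import posixpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines. Assumed format: timestamp client method url "user-agent"
SAMPLE_LOG = """\
2026-01-30T09:14:02Z 10.0.4.21 OPTIONS http://files.example.net/docs/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:14:03Z 10.0.4.21 PROPFIND http://files.example.net/docs/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:14:04Z 10.0.4.21 GET http://files.example.net/docs/Shortcut.lnk "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:20:11Z 10.0.4.35 PROPFIND http://10.0.1.5/share/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:21:40Z 10.0.4.35 GET http://intranet.corp.example/report.docx "Mozilla/5.0"
2026-01-30T09:25:00Z 10.0.4.50 PROPFIND http://dav.example.org/pub/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}
WEBDAV_UA = "microsoft-webdav-miniredir"  # user agent of the Windows WebDAV client


def is_internal(host, suffixes):
    """Private IP addresses and hosts under an internal DNS suffix are not reported."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal, so compare DNS suffixes
        return host.lower().endswith(tuple(suffixes))


def find_external_webdav(log_text, internal_suffixes=(".corp.example",)):
    """Return {(client, host): {...}} for WebDAV traffic leaving the network."""
    hits = defaultdict(lambda: {"requests": 0, "shortcut_fetch": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, method, url, agent = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        webdav = method.upper() in WEBDAV_METHODS or WEBDAV_UA in agent.lower()
        if not webdav or not host or is_internal(host, internal_suffixes):
            continue
        entry = hits[(client, host)]
        entry["requests"] += 1
        name = posixpath.basename(parts.path).lower()
        # File name "Shortcut" is from the article; the .lnk check is an assumption.
        if method.upper() == "GET" and (name.startswith("shortcut") or name.endswith(".lnk")):
            entry["shortcut_fetch"] = True
    return dict(hits)


if __name__ == "__main__":
    for key, info in find_external_webdav(SAMPLE_LOG).items():
        print(key, info)
```

Entries with `shortcut_fetch` set to true match both steps of the described sequence and deserve attention first; the remaining entries are external WebDAV use that is worth reviewing on its own.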
Where to get the emergency updates
If you’re using a current version of Office (2021 LTSC or newer), you’ll receive the relevant security updates automatically. To be on the safe side, you may want to restart the installed applications. The build number of the updated Office version is 16.0.10417.20095.
Older versions of Office must be updated manually. You can obtain the necessary updates from the Microsoft Update Catalog. Here are the links for the Office 2016 update and Office 2019 update.
If you’re unable to update your Office for whatever reason, Microsoft offers an alternative (but more advanced) solution that involves editing the Windows Registry. You can find it in the “Mitigations” section of the security advisory for this vulnerability.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
Author: Laura Pippig, Staff Writer, PC-WELT