Microsoft has issued an out-of-band emergency patch addressing an actively exploited Microsoft Office zero-day vulnerability, tracked as CVE-2026-21509. The flaw is a security feature bypass that allows attackers to circumvent core COM/OLE-based mitigations in Microsoft 365 and Microsoft Office.
The vulnerability is currently being exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, increasing urgency for remediation.
Vulnerability Details -
CVE-2026-21509
- Type: Security Feature Bypass
- Severity: CVSS 7.8 (High)
- Affected Products:
  - Microsoft Office 2016
  - Microsoft Office 2019
  - Microsoft Office 2021
  - Microsoft 365 Apps
Root Cause -
- Microsoft identifies the issue as “reliance on untrusted inputs in a security decision,” allowing attackers to bypass OLE protections.
Attack Vector -
- Threat actors must deliver a specially crafted Office file to the target.
- Attack success depends on user interaction: the recipient must be convinced to open the file.
- The Preview Pane is not an attack vector, which reduces the risk from passive exposure.
Exploitation in the Wild -
Microsoft acknowledges that the vulnerability is being actively exploited, though details on campaign scope, threat actor attribution, and TTPs remain undisclosed. The issue was discovered internally by MSTIC, MSRC, and the Office Product Group Security Team.
Impact -
Potential Impacts
- Bypass of OLE security controls
- Execution of malicious COM/OLE components
- Delivery of secondary payloads
- Credential compromise through malicious document workflows
- Increased exposure across enterprise environments where Office macros and embedded components are common
Enterprise Exposure
Organizations remain at elevated risk if:
- Users frequently receive external Office files
- Legacy Office deployments (2016/2019) are still active
- Document workflows rely on embedded OLE or COM-based automation
Mitigation and Patches -
Microsoft has pushed emergency updates for:
- Office 2019
  - 32-bit: 16.0.10417.20095
  - 64-bit: 16.0.10417.20095
- Office 2016
  - 32-bit: 16.0.5539.1001
  - 64-bit: 16.0.5539.1001
Automatic Protection
- Office 2021 and later users are protected via a service-side change, but must restart their Office applications for the protection to activate.
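To turn the build numbers above into a remediation check, the following added example (not from the bulletin or from Microsoft) classifies each Office installation in a hypothetical host,product,version inventory export against the minimum patched builds listed in this bulletin. The host names and the unpatched build strings in the sample are constructed; Office 2021 and Microsoft 365 Apps are flagged only as needing a restart, since their protection is service-side.

```python
import csv
import io

# Minimum patched builds from the bulletin; the same build applies to 32-bit and 64-bit.
MIN_PATCHED_BUILD = {
    "Office 2019": (16, 0, 10417, 20095),
    "Office 2016": (16, 0, 5539, 1001),
}
# Products covered by the service-side change: no build to check, but Office must be restarted.
SERVICE_SIDE_PROTECTED = {"Office 2021", "Microsoft 365 Apps"}


def parse_build(version: str) -> tuple:
    """Turn a build string such as '16.0.10417.20095' into a comparable tuple of four ints."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, version: str) -> str:
    """Classify one installation as patched, vulnerable, restart-required or unknown."""
    if product in SERVICE_SIDE_PROTECTED:
        return "restart-required"   # protection is service-side; confirm the app was restarted
    minimum = MIN_PATCHED_BUILD.get(product)
    if minimum is None:
        return "unknown"            # product not covered by the bulletin; review manually
    return "patched" if parse_build(version) >= minimum else "vulnerable"


def assess_inventory(csv_text: str) -> dict:
    """Map each host in a host,product,version CSV export to its remediation status."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        results[row["host"]] = assess(row["product"], row["version"])
    return results


# Constructed sample inventory (hypothetical hosts; unpatched builds are made up for illustration).
SAMPLE_INVENTORY = """host,product,version
fin-ws01,Office 2019,16.0.10417.20095
fin-ws02,Office 2019,16.0.10417.20027
hr-ws01,Office 2016,16.0.5539.1001
hr-ws02,Office 2016,16.0.5500.1000
eng-ws01,Microsoft 365 Apps,16.0.18730.20000
lab-ws01,Office 2013,15.0.5000.1000
"""

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```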
Recommendations -
Immediate Action
- Deploy the emergency patches to all Office installations (2016/2019 priority).
- Enforce restart of Office applications for 2021/Microsoft 365 users.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
