Cyber Posture

CVE-2026-21509

Severity: High · CISA KEV · Active Exploitation

Published: 26 January 2026
Modified: 11 February 2026
KEV Added: 26 January 2026
Patch: available (see vendor update guide under Deeper analysis)

CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1253 (94.0th percentile)
Risk Priority: 43 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21509 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 6.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly mandates validation of untrusted inputs at defined points, preventing reliance on untrusted data in security decisions as exploited in this Microsoft Office vulnerability.

Flaw remediation (prevent)

Requires timely patching of known flaws like CVE-2026-21509, directly addressing the security feature bypass via Microsoft's update.

RA-5 Vulnerability Monitoring and Scanning (detect)

Vulnerability scanning identifies the presence of CVE-2026-21509 in Microsoft Office, enabling remediation before local exploitation.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1211 Exploitation for Stealth (tactic: Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

Why these techniques?

Vulnerability in Microsoft Office enables security feature bypass via local exploitation with user interaction, directly facilitating client-side code execution (T1203) and defense evasion through exploitation (T1211).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

Deeper analysis

CVE-2026-21509 is a vulnerability in Microsoft Office arising from reliance on untrusted inputs in a security decision, as defined by CWE-807. Published on 2026-01-26, it enables an unauthorized attacker to bypass a security feature locally. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high severity due to substantial impacts on confidentiality, integrity, and availability.

Exploitation requires local access to the affected system, low attack complexity, and no user privileges, though it demands user interaction. An unauthorized attacker can leverage this to circumvent Microsoft Office security mechanisms, potentially leading to high-level compromise of the local environment.

Microsoft’s Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509. Vicarius offers a detection script and a mitigation script via their blog posts at https://www.vicarius.io/vsociety/posts/cve-2026-21509-detection-script-microsoft-office-security-feature-bypass-vulnerability and https://www.vicarius.io/vsociety/posts/cve-2026-21509-mitigation-script-microsoft-office-security-feature-bypass-vulnerability, respectively. The vulnerability also appears in CISA’s Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509.

Details

CWE(s): CWE-807 Reliance on Untrusted Inputs in a Security Decision
KEV Date Added: 26 January 2026

Affected Products

Microsoft 365 Apps: all versions
Microsoft Office: 2016, 2019
Microsoft Office Long Term Servicing Channel: 2021, 2024

CVEs Like This One

CVE-2026-21514 (same product: Microsoft 365 Apps; both on KEV)
CVE-2026-26110 (same product: Microsoft 365 Apps)
CVE-2025-24080 (same product: Microsoft 365 Apps)
CVE-2025-53740 (same product: Microsoft 365 Apps)
CVE-2025-62554 (same product: Microsoft 365 Apps)
CVE-2025-53731 (same product: Microsoft 365 Apps)
CVE-2026-20952 (same product: Microsoft 365 Apps)
CVE-2025-49695 (same product: Microsoft 365 Apps)
CVE-2025-62557 (same product: Microsoft 365 Apps)
CVE-2025-21345 (same product: Microsoft 365 Apps)
