Cyber Resilience

CVE-2026-21509

HighCISA KEVActive ExploitationEUVD ExploitedUpdated

Published: 26 January 2026

Published
26 January 2026
Modified
25 June 2026
KEV Added
26 January 2026
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.7215 99.4th percentile
Risk Priority 100 floored blend · peak EPSS

Summary

CVE-2026-21509 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21509 is a vulnerability in Microsoft Office arising from reliance on untrusted inputs in a security decision, as defined by CWE-807. Published on 2026-01-26, it enables an unauthorized attacker to bypass a security feature locally. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high severity due to substantial impacts on confidentiality, integrity, and availability.

Exploitation requires local access to the affected system, low attack complexity, and no user privileges, though it demands user interaction. An unauthorized attacker can leverage this to circumvent Microsoft Office security mechanisms, potentially leading to high-level compromise of the local environment.

Microsoft’s Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509. Vicarius offers a detection script and a mitigation script via their blog posts at https://www.vicarius.io/vsociety/posts/cve-2026-21509-detection-script-microsoft-office-security-feature-bypass-vulnerability and https://www.vicarius.io/vsociety/posts/cve-2026-21509-mitigation-script-microsoft-office-security-feature-bypass-vulnerability, respectively. The vulnerability also appears in CISA’s Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

CWE(s)
KEV Date Added
26 January 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1211 Exploitation for Stealth Stealth
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

Vulnerability in Microsoft Office enables security feature bypass via local exploitation with user interaction, directly facilitating client-side code execution (T1203) and defense evasion through exploitation (T1211).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21514Same product: Microsoft 365 Appsboth on KEV
CVE-2026-40358Same product: Microsoft 365 Apps
CVE-2026-20952Same product: Microsoft 365 Apps
CVE-2025-53731Same product: Microsoft 365 Apps
CVE-2025-53740Same product: Microsoft 365 Apps
CVE-2025-24080Same product: Microsoft 365 Apps
CVE-2026-20953Same product: Microsoft 365 Apps
CVE-2025-21392Same product: Microsoft 365 Apps
CVE-2025-21345Same product: Microsoft 365 Apps
CVE-2025-21356Same product: Microsoft 365 Apps

Affected Assets

microsoft
365 apps
all versions
microsoft
office
2016, 2019
microsoft
office long term servicing channel
2021, 2024

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates validation of untrusted inputs at defined points, preventing reliance on untrusted data in security decisions as exploited in this Microsoft Office vulnerability.

prevent

Requires timely patching of known flaws like CVE-2026-21509, directly addressing the security feature bypass via Microsoft's update.

detect

Vulnerability scanning identifies the presence of CVE-2026-21509 in Microsoft Office, enabling remediation before local exploitation.

References