Microsoft has just released an emergency, or out-of-band (OOB), security update to fix a serious Microsoft Office zero-day vulnerability that is already being used in real-world attacks. Microsoft 365, Office 2024 and Office 2021 are affected, and even the ‘old’ Office 2019 and Office 2016 apps get a fix. This patch was not part of the normal Patch Tuesday cycle, which means Microsoft considered the threat serious enough to interrupt its regular update schedule.
The flaw is officially tracked as CVE-2026-21509 and rated high severity with a CVSS score of 7.8/10.
Microsoft has included patches for both Office 2019 and Office 2016 even though both products are past their support dates. That is a sure sign of the high risk this security bug poses.
What the vulnerability does
- The security bug lets an attacker bypass built-in Office security protections by exploiting how Office handles untrusted input. Once a user is tricked into opening a malicious file, Office’s defenses can fail to block dangerous embedded objects, typically OLE/COM controls inside documents.
- A successful exploit could lead to code execution, credential theft, malware installation or other malicious activity. The attack depends on a user opening a specially crafted Office file, so phishing is the obvious delivery route.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already added this CVE to its Known Exploited Vulnerabilities (KEV) catalog. That raises its priority for remediation everywhere, and for U.S. federal civilian agencies it sets a binding deadline to fix it under Binding Operational Directive 22-01.
The fact that Microsoft took the rare step of issuing an out-of-band patch, outside its usual Patch Tuesday routine, confirms the active exploitation risk and the urgency for organizations to respond.
Affected products
According to official advisories, the vulnerability affects all Office versions for Windows back to Office 2016:
- Microsoft 365
- Office 2024
- Office 2021
- Office LTSC 2021
- Office LTSC 2024
Plus these two ‘end of support’ versions of Microsoft Office:
- Office 2019
- Office 2016
Get the emergency patch
Microsoft 365, Office 2024 and Office 2021 installs (all Click-to-Run) are protected by what Microsoft calls a “service side change”. Microsoft asks customers to restart all Office apps so this change takes effect; an Office app left running since before the change is still exposed. Office Watch suggests also ensuring the Office apps are fully up to date: go to File | Account | Update Options | Update Now.
For Office 2016 and Office 2019, the update must be downloaded and installed manually. There are download links near the bottom of Microsoft’s security advisory page for CVE-2026-21509.
IT admins should push the update to managed computers, and get Office apps restarted on them, pronto.
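For admins checking a fleet rather than one PC, the steps above can be scripted. The PowerShell below is an added example written for this article, not a Microsoft tool or anything from the advisory. It reads the standard Click-to-Run configuration key (`HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration`) to report the installed build and product, falls back to the Windows Uninstall keys to spot an MSI Office 2016 install, lists Office processes that are still running (and so have not picked up the service-side change), and for Click-to-Run installs triggers the same update that File | Account | Update Options | Update Now does, via `OfficeC2RClient.exe /update user`. It does not know the fixed build numbers; the optional `-MinimumBuild` parameter is an assumption you fill in from Microsoft’s advisory, and the registry value and process names are the usual ones but should be treated as assumptions for unusual deployments.

```powershell
# Added example for the CVE-2026-21509 out-of-band update (not Microsoft's code).
# Assumptions: standard Click-to-Run registry layout, standard Office process
# names, and a -MinimumBuild taken by the admin from Microsoft's advisory.
param(
    [version]$MinimumBuild   # e.g. the fixed Click-to-Run build listed by Microsoft (assumed, not known here)
)

# Office executables that must be restarted for the service-side change to apply.
$OfficeProcessNames = 'WINWORD','EXCEL','POWERPNT','OUTLOOK','MSACCESS','MSPUB','ONENOTE','VISIO','WINPROJ'

function Get-OfficeInstallInfo {
    # Click-to-Run covers Microsoft 365 Apps, Office 2021/2024 and the LTSC editions.
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $info = [ordered]@{ Type = 'None'; Version = $null; Channel = $null; Products = @() }
    if (Test-Path $c2rKey) {
        $cfg = Get-ItemProperty -Path $c2rKey
        $info.Type     = 'ClickToRun'
        $info.Version  = $cfg.VersionToReport          # e.g. 16.0.xxxxx.yyyyy
        $info.Channel  = $cfg.UpdateChannel            # update channel URL/CDN id
        $info.Products = @($cfg.ProductReleaseIds -split ',')
        return [pscustomobject]$info
    }
    # Office 2016 MSI (perpetual) installs only appear under the Uninstall keys.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $msi = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -match '^Microsoft Office (Professional|Standard|Home)' }
    if ($msi) {
        $info.Type     = 'MSI'
        $info.Version  = ($msi | Select-Object -First 1).DisplayVersion
        $info.Products = @($msi.DisplayName)
    }
    [pscustomobject]$info
}

function Get-RunningOfficeApps {
    # Any of these still running means the user has not restarted Office yet.
    Get-Process -Name $OfficeProcessNames -ErrorAction SilentlyContinue |
        Select-Object Name, Id
}

function Invoke-OfficeC2RUpdate {
    # Scriptable equivalent of File | Account | Update Options | Update Now.
    # displaylevel=false suppresses UI; forceappshutdown=false leaves open apps alone
    # (set it to true only if you are prepared to close users' documents).
    $client = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
    if (-not (Test-Path $client)) {
        throw "OfficeC2RClient.exe not found; this is not a Click-to-Run install."
    }
    & $client /update user displaylevel=false forceappshutdown=false
}

$info = Get-OfficeInstallInfo
Write-Host "Install type : $($info.Type)"
Write-Host "Build        : $($info.Version)"
Write-Host "Products     : $($info.Products -join ', ')"

if ($MinimumBuild -and $info.Version) {
    if ([version]$info.Version -ge $MinimumBuild) {
        Write-Host "Build is at or above the supplied minimum ($MinimumBuild)."
    } else {
        Write-Warning "Build $($info.Version) is below the supplied minimum $MinimumBuild; update required."
    }
}

$running = Get-RunningOfficeApps
if ($running) {
    Write-Warning "Office apps are still running; the service-side change only applies after they restart:"
    $running | Format-Table -AutoSize
}

switch ($info.Type) {
    'ClickToRun' { Invoke-OfficeC2RUpdate }
    'MSI'        { Write-Warning "MSI install detected: download and install the standalone update from Microsoft's advisory for CVE-2026-21509." }
    default      { Write-Host "No Office installation detected on this machine." }
}
```

Run it elevated on each endpoint (or push it through your management tooling) and collect the output: the build line tells you where the machine stands, the running-process warning tells you whose Office still needs a restart, and MSI machines are flagged for the manual download that Office 2016 and Office 2019 require.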