
CVE-2026-21509: Microsoft Office Zero-Day With Public PoC


Filip Dimitrov

March 13, 2026

CVE-2026-21509 is an actively exploited Microsoft Office security feature bypass vulnerability that allows attackers to deliver specially crafted Office documents that bypass built-in Office protections around unsafe COM/OLE components, potentially enabling follow-on payload delivery once the document is opened.

Public technical analysis and proof-of-concept material are now available, increasing the likelihood that threat actors will incorporate the technique into phishing campaigns targeting enterprise environments.

Affected Products:

  • Office 2016
  • Office 2019
  • Office LTSC 2021
  • Office LTSC 2024
  • Microsoft 365 Apps for Enterprise

Technical Overview

CVE-2026-21509 stems from improper handling of untrusted input when Microsoft Office processes certain COM/OLE objects embedded within Office documents. Attackers can abuse this behavior to load the legacy Internet Explorer rendering engine through the Shell.Explorer.1 COM object, bypassing protections that normally restrict dangerous embedded controls.

This technique allows a malicious document to invoke external resources or execute attacker-controlled content after a victim opens the file. Because the exploit bypasses certain security restrictions, it can potentially be used in phishing campaigns that do not rely on traditional macro execution prompts.

Researchers analyzing exploit samples identified the CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}, associated with the Shell.Explorer.1 control, as a key artifact used in malicious documents. The presence of this object within Office attachments may serve as a useful detection indicator, as it rarely appears in legitimate documents.

Microsoft has confirmed that the Preview Pane is not an attack vector, meaning the exploit requires a user to open the malicious file.
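
The CLSID and ProgID named above are the cheapest indicators to check at the mail gateway or in a sandbox queue. The scanner below is an added example written for this post, not code from the original article or from Microsoft; it looks for the Shell.Explorer.1 ProgID and the CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} in the three places they can appear (the binary GUID in an OLE stream, the GUID as text, the ProgID as text), handles OOXML containers and hex-encoded RTF object data, and ships with constructed sample documents so it runs offline. The sample RTF and docx builders, the file names and the `01050000` prefix in the constructed object data are assumptions made for the demonstration.

```python
import io
import re
import uuid
import zipfile

# Indicators named in the advisory: the Shell.Explorer.1 ProgID and its CLSID.
SHELL_EXPLORER_CLSID = uuid.UUID("EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B")
SHELL_EXPLORER_PROGID = "Shell.Explorer.1"

# Byte-level forms each indicator can take inside a document:
#  - the CLSID as a binary GUID (little-endian fields, as OLE compound files store it)
#  - the CLSID as text (ASCII or UTF-16LE)
#  - the ProgID as text (ASCII or UTF-16LE, e.g. RTF \objclass or OOXML ProgID="...")
_CLSID_TEXT = str(SHELL_EXPLORER_CLSID).upper()
INDICATORS = {
    "clsid-binary": [SHELL_EXPLORER_CLSID.bytes_le],
    "clsid-text": [_CLSID_TEXT.encode("ascii"), _CLSID_TEXT.encode("utf-16-le")],
    "progid-text": [SHELL_EXPLORER_PROGID.encode("ascii"),
                    SHELL_EXPLORER_PROGID.encode("utf-16-le")],
}

# A run of at least 32 hex digits is long enough to hold a 16-byte GUID.
_HEX_RUN = re.compile(rb"[0-9A-Fa-f]{32,}")


def _match_indicators(blob: bytes) -> set[str]:
    """Names of indicators found in blob; text forms are matched case-insensitively."""
    upper = blob.upper()  # bytes.upper() only changes ASCII letters, so UTF-16 NULs survive
    hits = set()
    for name, patterns in INDICATORS.items():
        for pat in patterns:
            found = pat in blob if name == "clsid-binary" else pat.upper() in upper
            if found:
                hits.add(name)
    return hits


def _rtf_hex_payloads(data: bytes):
    """Decode hex runs (e.g. \\objdata) in an RTF file, trying both nibble alignments
    because a run may start on the last letter of a control word such as \\objdata."""
    compact = re.sub(rb"\s+", b"", data)  # RTF writers wrap hex data across lines
    for run in _HEX_RUN.finditer(compact):
        for start in (0, 1):
            chunk = run.group(0)[start:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]
            if len(chunk) >= 32:
                yield bytes.fromhex(chunk.decode("ascii"))


def scan_document(data: bytes, name: str = "<input>") -> list[tuple[str, str]]:
    """Scan one attachment; returns sorted (location, indicator) pairs, empty if clean."""
    findings = set()
    if data.startswith(b"PK\x03\x04"):
        # OOXML (docx/xlsx/pptx) is a zip: check every member, including embeddings/*.bin
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for hit in _match_indicators(zf.read(member)):
                    findings.add((f"{name}:{member}", hit))
    elif data.startswith(b"{\\rt"):
        # RTF: indicators may sit in clear text (\objclass) or hex-encoded (\objdata)
        for hit in _match_indicators(data):
            findings.add((f"{name}:rtf-text", hit))
        for payload in _rtf_hex_payloads(data):
            for hit in _match_indicators(payload):
                findings.add((f"{name}:rtf-objdata", hit))
    else:
        # Legacy OLE2 (.doc/.xls) or unknown format: plain byte scan of the whole file
        for hit in _match_indicators(data):
            findings.add((name, hit))
    return sorted(findings)


def build_samples() -> dict[str, bytes]:
    """Constructed inputs for a dry run (not real exploit files): an RTF and a docx that
    carry the indicators where a real document would, plus a benign docx."""
    objdata_hex = (b"01050000" + SHELL_EXPLORER_CLSID.bytes_le.hex().encode("ascii")).upper()
    rtf = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + SHELL_EXPLORER_PROGID.encode()
           + b"}{\\*\\objdata\n" + objdata_hex[:20] + b"\n" + objdata_hex[20:] + b"\n}}\\par}")

    def docx(with_ole: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            body = b"<w:document><w:body><w:p>hello</w:p></w:body></w:document>"
            if with_ole:
                body = body.replace(b"hello", b'<o:OLEObject ProgID="Shell.Explorer.1"/>')
                ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 magic; rest is padding
                zf.writestr("word/embeddings/oleObject1.bin",
                            ole_header + b"\x00" * 56 + SHELL_EXPLORER_CLSID.bytes_le)
            zf.writestr("word/document.xml", body)
        return buf.getvalue()

    return {"lure.rtf": rtf, "lure.docx": docx(True), "benign.docx": docx(False)}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(fname, scan_document(blob, fname) or "clean")
```

The binary GUID match is the one to trust most: RTF writers wrap and re-case hex object data, so the hex runs are decoded and compared as bytes rather than searched as text. The scanner is a triage aid, not a parser; a production pipeline would also unpack nested containers (a docx inside a zip, an RTF inside an MSG) before applying the same checks.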

Observed Threat Activity

Security researchers observed active exploitation of CVE-2026-21509 shortly after disclosure, with several campaigns targeting government and defense-related organizations in Europe.

Threat intelligence reporting attributes some exploitation attempts to APT28 (Fancy Bear), a state-sponsored threat group historically associated with cyber espionage operations targeting governments, defense organizations, and geopolitical institutions.

Observed campaigns relied on spear-phishing emails delivering malicious RTF or Office documents designed to exploit the vulnerability once opened. After successful exploitation, attack chains typically progressed to additional stages such as:

  • Retrieval of remote payloads from attacker-controlled infrastructure
  • Deployment of backdoors or loaders for persistent access
  • Data collection and credential harvesting
  • Establishment of command-and-control communications

In several reported cases, attackers leveraged cloud storage or file-sharing platforms as intermediate staging locations for malicious payloads, making detection more challenging for traditional perimeter security tools.

Recommended Actions

Organizations should take the following actions to remediate the risk from CVE-2026-21509:

  • Apply the latest Microsoft security updates for affected Office products immediately.
  • Review email security policies and consider blocking or inspecting suspicious RTF and legacy Office document formats originating from external sources.
  • Implement monitoring for indicators associated with exploitation attempts, including unusual Office process behavior, unexpected outbound network connections initiated by Office applications, and attachments containing the Shell.Explorer.1 COM object or the CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
  • Where possible, strengthen phishing awareness training and ensure endpoint detection tools are configured to monitor child processes spawned by Microsoft Office applications, which may indicate exploitation activity.
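
The two endpoint-side items above (child processes of Office and outbound connections from Office) translate directly into a detection rule. The triage logic below is an added example written for this post, not code from the original article, Microsoft or any EDR vendor. It assumes a simplified event schema loosely modelled on process-create and network-connect telemetry, an allowlist of Office host binaries and baseline children, a list of script hosts and living-off-the-land binaries, and RFC 1918 plus loopback as the internal address space; all of those sets are assumptions to be tuned against your own baseline, and the events are constructed, not captured from an incident.

```python
import ipaddress
import ntpath
from typing import Optional

# Office host processes whose children and outbound connections deserve scrutiny.
# Assumed set: extend it with other Office binaries deployed in your estate.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Script hosts and living-off-the-land binaries that Office almost never needs to launch.
# Assumed list for illustration; tune it against your own baseline.
SCRIPT_AND_LOLBIN_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Children seen under Office in normal use, e.g. the 64-bit print proxy.
# Assumed allowlist built from a baseline, not a Microsoft-published list.
BASELINE_CHILDREN = {"splwow64.exe"}

# Address space considered internal; anything else counts as an external destination.
# Assumed corporate ranges (RFC 1918 plus loopback); replace with your own.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path, usable on any host OS."""
    return ntpath.basename(path).lower()


def _is_external(ip: str) -> bool:
    """True when ip parses and lies outside every configured internal network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def evaluate_event(ev: dict) -> Optional[tuple[str, str]]:
    """Return (severity, reason) when an event is suspicious Office behaviour, else None.

    Event schema is constructed for this example (loosely modelled on EDR/Sysmon
    process-create and network-connect records, not an actual vendor field list):
      {"type": "process", "parent_image": ..., "image": ...}
      {"type": "network", "image": ..., "dest_ip": ..., "dest_port": ...}
    """
    kind = ev.get("type")
    if kind == "process":
        parent = _basename(ev.get("parent_image", ""))
        child = _basename(ev.get("image", ""))
        if parent not in OFFICE_PROCESSES:
            return None
        if child in SCRIPT_AND_LOLBIN_CHILDREN:
            return ("high", f"{parent} spawned script host/LOLBin {child}")
        if child in OFFICE_PROCESSES or child in BASELINE_CHILDREN:
            return None
        return ("medium", f"{parent} spawned unexpected child {child}")
    if kind == "network":
        image = _basename(ev.get("image", ""))
        if image in OFFICE_PROCESSES and _is_external(ev.get("dest_ip", "")):
            return ("medium", f"{image} connected out to {ev['dest_ip']}:{ev.get('dest_port')}")
    return None


def triage(events: list) -> list:
    """Run every event through evaluate_event; returns alerts in input order."""
    return [v for v in (evaluate_event(ev) for ev in events) if v is not None]


OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real incident
    {"type": "process", "parent_image": OFFICE_DIR + r"\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},                                    # baseline, ignored
    {"type": "process", "parent_image": OFFICE_DIR + r"\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe"},                              # high
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # not Office
    {"type": "process", "parent_image": OFFICE_DIR + r"\WINWORD.EXE",
     "image": r"C:\Users\Public\updater.exe"},                                # medium
    {"type": "network", "image": OFFICE_DIR + r"\WINWORD.EXE",
     "dest_ip": "10.0.0.5", "dest_port": 443},                                # internal, ignored
    {"type": "network", "image": OFFICE_DIR + r"\WINWORD.EXE",
     "dest_ip": "203.0.113.7", "dest_port": 443},                             # external, medium
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Because the observed campaigns staged payloads on cloud storage and file-sharing platforms, an external destination on its own is a weak signal (sanctioned SaaS will trip it constantly); the network alert earns its keep when it is correlated with a child-process alert from the same Office process or with an attachment that carried the Shell.Explorer.1 indicators.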


Stay Safe. Stay Secure.

OP Innovate Research Team
