National CERT Alerts Users to Microsoft Office Security Flaw Under Active Exploitation

Published by WEB DESK

A newly discovered Microsoft Office security flaw is placing millions of users at risk, according to a high-severity warning issued by the National Computer Emergency Response Team (National CERT). The vulnerability, tracked as CVE-2026-21509, is already being exploited in real-world attacks, raising concerns for government offices, businesses, and individual users.

National CERT said attackers can gain control of a system simply by persuading a victim to open a specially crafted Microsoft Office document. In many cases, the attack requires no further interaction. The malicious code executes during document processing or when embedded content loads, often without triggering standard security alerts.

The advisory explained that these attacks are spreading mainly through phishing emails and social engineering campaigns. Threat actors send convincing messages with infected Office attachments, targeting employees in sensitive roles. Executives, finance staff, and legal teams face higher risk because they regularly handle external documents and confidential data.

Once a system is compromised, the attacker gains the same access level as the logged-in user. As a result, hackers can install malware, steal credentials, extract sensitive information, or maintain persistent access to affected systems. Due to the widespread use of Microsoft Office, National CERT warned that the potential impact could be extensive.

The Microsoft Office security flaw affects several supported versions of the software. These include Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. Systems with ActiveX controls or embedded content enabled face greater exposure.

Microsoft has confirmed the issue and acknowledged that the vulnerability is being actively exploited. In response, the company has released emergency security updates. It has also provided temporary mitigation measures for organizations that cannot patch immediately.

National CERT urged all users to apply Microsoft’s latest security updates without delay and restart Office applications to activate protections. In addition, it advised IT teams to monitor systems closely for unusual behavior. Warning signs include Office programs launching command-line tools or PowerShell processes unexpectedly.
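The warning sign described above, an Office program starting a command-line tool or PowerShell, can be checked against process-creation logs. The following is an added example, not part of the National CERT advisory or Microsoft's guidance; it assumes records carrying the Sysmon Event ID 1 fields Image and ParentImage, and the process lists, host names and sample events are constructed for illustration.

```python
import ntpath

# Process names are assumptions chosen for illustration; extend them for your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def exe_name(path):
    """Return the lower-cased file name of a Windows path, tolerating quotes and None."""
    return ntpath.basename((path or "").strip().strip('"')).lower()


def office_spawned_shell(event):
    """True when an Office program is the parent of a command-line or PowerShell process."""
    return (exe_name(event.get("ParentImage")) in OFFICE_PARENTS
            and exe_name(event.get("Image")) in SHELL_CHILDREN)


def find_alerts(events):
    """Return the events that match the warning sign, in input order."""
    return [e for e in events if office_spawned_shell(e)]


# Constructed sample events (hypothetical hosts and paths), shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Computer": "FIN-WS-01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "FIN-WS-01",  # user opened PowerShell from the desktop: not Office
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "LEGAL-WS-07",  # Office print helper: expected child process
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe"},
    {"Computer": "EXEC-LT-03",  # quoted path, mixed case
     "ParentImage": r'"C:\Program Files\Microsoft Office\root\Office16\Outlook.exe"',
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "EXEC-LT-03",  # parent field missing from the record
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f'{alert["Computer"]}: {exe_name(alert["ParentImage"])} -> {exe_name(alert["Image"])}')
```

A match is a lead for triage rather than proof of compromise, since some add-ins and macros legitimately start a shell.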

For environments where updates are delayed, National CERT recommended strengthening email security filters, disabling risky features, and enhancing endpoint monitoring. These steps, it said, can help reduce the risk of large-scale compromise until full patching is completed.

Users and organizations were reminded that prompt action remains the most effective defense against this active threat.
