{"id":23875,"date":"2026-03-05T11:00:19","date_gmt":"2026-03-05T04:00:19","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23875"},"modified":"2026-03-23T11:19:45","modified_gmt":"2026-03-23T04:19:45","slug":"microsoft-office-zero-day-vulnerability-actively-exploited-in-the-wild","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/microsoft-office-zero-day-vulnerability-actively-exploited-in-the-wild\/","title":{"rendered":"Microsoft Office zero-day vulnerability actively exploited in the wild"},"content":{"rendered":"<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/03\/ad45b31a-937b-4b55-bd96-22a01bd555fb-Nho-1772107919-1774239268.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23876\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/03\/ad45b31a-937b-4b55-bd96-22a01bd555fb-Nho-1772107919-1774239268.png\" alt=\"Ad45b31a 937b 4b55 Bd96 22a01bd555fb Nho 1772107919 1774239268\" width=\"300\" height=\"169\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">Microsoft has recently released an emergency security patch addressing a newly discovered zero-day vulnerability in Microsoft Office, which is actively being exploited in the wild.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Details<\/b><\/span><\/h2>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><i><span style=\"font-weight: 400\">Vulnerability ID:<\/span><\/i> <span style=\"color: #ff6600\"><a style=\"color: #ff6600\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-21509\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400\">CVE-2026-21509<\/span><\/a><\/span><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, 
sans-serif\"><i><span style=\"font-weight: 400\">CVSS(3.1) Score:<\/span><\/i> <b>7.8<\/b><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><i><span style=\"font-weight: 400\">Severity:<\/span><\/i> <b>CRITICAL<\/b><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">This zero-day vulnerability is currently under active exploitation by threat actors. The root cause lies in Microsoft Office\u2019s improper reliance on untrusted input when making security-related processing decisions. An unauthorized attacker can manipulate this input data flow to bypass Microsoft Office\u2019s COM\/OLE security filtering mechanisms, thereby creating an entry point for system compromise and enabling post-exploitation activities. Successful exploitation requires user interaction. Specifically, the attacker must convince the victim to open a malicious Office document containing the exploit code. Additionally, the target must be using a version of Microsoft Office that is affected by this vulnerability.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><i><span style=\"font-weight: 400\">Affected versions:<\/span><\/i><span style=\"font-weight: 400\"> Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for enterprise.<\/span><\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Component Object Model (COM)<\/b><span style=\"font-weight: 400\"> is a platform that enables software components to communicate and interoperate. 
It essentially modularizes applications into components, allowing other programs to invoke and utilize their functionalities.<\/span><\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Object Linking and Embedding (OLE)<\/b><span style=\"font-weight: 400\">, built on top of COM, enables content from one application to be embedded and linked within another application.<\/span><\/span><\/p>\n<p><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">Under normal conditions, Microsoft Office implements security controls to block unsafe COM and OLE components, commonly embedded in documents to execute malicious code. However, CVE-2026-21509 allows attackers to fully bypass these protections, enabling unauthorized code execution on the victim\u2019s machine without detection or prevention.<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><span style=\"font-weight: 400\">To illustrate how these components function within the Microsoft Office ecosystem: when a user exports a report from an accounting system, the application may use <\/span><b>COM<\/b><span style=\"font-weight: 400\"> to trigger Excel to launch and populate data automatically. Similarly, when a user embeds an Excel spreadsheet or PowerPoint slide into a Word document, <\/span><b>OLE<\/b><span style=\"font-weight: 400\"> enables seamless interaction, allowing the embedded application (e.g., Excel) to open for editing and synchronize changes in real time.<\/span><\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><span style=\"font-weight: 400\">In an exploitation scenario, attackers leverage <\/span><b>COM<\/b><span style=\"font-weight: 400\"> as a remote execution mechanism to force the system to download and run malicious payloads. 
At the same time, <\/span><b>OLE<\/b><span style=\"font-weight: 400\"> is used to disguise the payload as embedded content, such as a spreadsheet within a document. Instead of opening Excel for editing, user interaction directly executes the malicious code, effectively bypassing standard security warnings and controls.<\/span><\/span><\/p>\n<h3><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Recommendations &amp; mitigation<\/b><\/span><\/h3>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>FPT Threat Intelligence<\/b><span style=\"font-weight: 400\"> strongly recommends that users and system administrators immediately update Microsoft Office to the latest version to mitigate the risk of exploitation. Additionally, users should exercise caution when handling email attachments from unknown or untrusted sources. Under no circumstances should such files be opened without verification, as they may contain malicious payloads exploiting CVE-2026-21509.<\/span><\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Office version<\/b><\/span><\/td>\n<td><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Update status<\/b><\/span><\/td>\n<td><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Actions to be taken<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Business<\/span><\/td>\n<td><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">A patch is available<\/span><\/td>\n<td><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">Enable automatic updates in Microsoft Office. 
The software will automatically update and apply patches.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">Office 2016 and Office 2019<\/span><\/td>\n<td><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">There is no patch available yet.<\/span><\/td>\n<td><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">Risk mitigation measures should be implemented through the registry as instructed below.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Instructions on how to mitigate the risk of exploitation for systems using Office 2016 and Office 2019:<\/b><\/span><\/p>\n<p><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">Before beginning, users and administrators need to back up the system&#8217;s Registry:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Step 1: Close <\/b><span style=\"font-weight: 400\">all Microsoft Office applications.<\/span><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Step 2: <\/b><span style=\"font-weight: 400\">Open<\/span><b> Registry Editor.<\/b><span style=\"font-weight: 400\"> Find the Registry key that matches your Office version:<\/span><\/span>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><span style=\"font-weight: 400\">64-bit version (or 32-bit on Windows 32-bit): <\/span><span style=\"font-weight: 400;color: #ff99cc\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\16.0\\Common\\COM Compatibility\\<\/span><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><span 
style=\"font-weight: 400\">32-bit version on Windows 64-bit: <\/span><span style=\"font-weight: 400;color: #ff99cc\">HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Office\\16.0\\Common\\COM Compatibility\\<\/span><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><span style=\"font-weight: 400\">ClickToRun 64-bit version: <\/span><span style=\"font-weight: 400;color: #ff99cc\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Office\\16.0\\Common\\COM Compatibility\\<\/span><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><span style=\"font-weight: 400\">ClickToRun 32-bit version on Windows 64-bit: <\/span><span style=\"font-weight: 400;color: #ff99cc\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Office\\16.0\\Common\\COM Compatibility\\<\/span> <i><span style=\"font-weight: 400\">(Note: If you don&#8217;t see the <\/span><\/i><b><i>COM Compatibility<\/i><\/b><i><span style=\"font-weight: 400\"> entry, right-click on <\/span><\/i><b><i>Common<\/i><\/b><i><span style=\"font-weight: 400\"> and select <\/span><\/i><b><i>New &gt; Key<\/i><\/b><i><span style=\"font-weight: 400\"> to create a new one.)<\/span><\/i><\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Step 3: <\/b><span style=\"font-weight: 400\">Create a new<\/span><b> Subkey <\/b><span style=\"font-weight: 400\">named <\/span><span style=\"font-weight: 400;color: #ff99cc\">{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}<\/span><span style=\"font-weight: 400\"> (<\/span><i><span style=\"font-weight: 400\">right-click on<\/span><\/i> <b>COM Compatibility &gt; New &gt; Key<\/b><span style=\"font-weight: 400\">).<\/span><\/span><\/li>\n<li style=\"font-weight: 
400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Step 4: <\/b><span style=\"font-weight: 400\">In the newly created Subkey, create a new value (<\/span><i><span style=\"font-weight: 400\">right-click<\/span><\/i><span style=\"font-weight: 400\"> &gt; <\/span><b>New &gt; DWORD (32-bit) Value<\/b><span style=\"font-weight: 400\">).<\/span><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Step 5:<\/b><span style=\"font-weight: 400\"> Name the value <\/span><span style=\"font-weight: 400;color: #ff99cc\">Compatibility Flags<\/span><span style=\"font-weight: 400\"> and set the Value data to <\/span><span style=\"font-weight: 400;color: #ff99cc\">400<\/span><span style=\"font-weight: 400\"> (Hexadecimal).<\/span><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Step 6:<\/b><span style=\"font-weight: 400\"> Close Registry Editor and restart the Office application.<\/span><\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/03\/46e5b3ff-e97e-409e-bc1b-98d25ae8946a-1772107764-1774239315.webp\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23877\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/03\/46e5b3ff-e97e-409e-bc1b-98d25ae8946a-1772107764-1774239315.webp\" alt=\"46e5b3ff E97e 409e Bc1b 98d25ae8946a 1772107764 1774239315\" width=\"1050\" height=\"599\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/03\/46e5b3ff-e97e-409e-bc1b-98d25ae8946a-1772107764-1774239315.webp 1050w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/03\/46e5b3ff-e97e-409e-bc1b-98d25ae8946a-1772107764-1774239315-700x399.webp 700w\" sizes=\"(max-width: 1050px) 100vw, 1050px\" \/><\/a><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><i><span style=\"font-weight: 400\">Here&#8217;s an example using the 64-bit version of 
Office 2016:<\/span><\/i><\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><span style=\"font-weight: 400\">The full path after setup: <\/span><span style=\"font-weight: 400;color: #ff99cc\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\16.0\\Common\\COM Compatibility\\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}<\/span><\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><span style=\"font-weight: 400\">REG_DWORD named <\/span><span style=\"font-weight: 400;color: #ff99cc\">Compatibility Flags<\/span><span style=\"font-weight: 400\"> with a value of <\/span><span style=\"font-weight: 400;color: #ff99cc\">0x00000400<\/span><\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Reference<\/b><\/span><\/h2>\n<ol>\n<li style=\"font-weight: 400\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-21509\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400\">CVE-2026-21509<\/span><\/a><\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;font-size: 12pt;font-family: arial, helvetica, sans-serif\">\u00a0<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b>Exclusive article by an expert from FPT IS, FPT Corporation<\/b><\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><b><i>Nam Anh Mai Duc &#8211; FPT Information Security 
Center<\/i><\/b><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n","protected":false},"author":21,"featured_media":23878,"parent":0,"template":"","nang_luc":[821],"danh_muc_goc_nhin_so":[],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23875","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23878"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23875"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=23875"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23875"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23875"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23875"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23875"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23875"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}