Tag

CVE-2026-21509

All articles tagged with #cve 2026 21509

Russian Hackers Exploit Fresh Office Flaw Hours After Patch
security, 21 days ago

Within 48 hours of Microsoft issuing an urgent Office patch for CVE-2026-21509, the Russian-state group APT28 launched a fast, in-memory, fileless campaign that installed new backdoors (BeardShell and NotDoor) via staged spear-phishing across nine countries, targeting defense ministries, transportation operators, and diplomatic entities, with command-and-control hosted on legitimate cloud services to evade detection.

APT28 weaponizes Office flaw in Neusploit to deploy Covenant Grunt
security, 22 days ago

Russia-linked APT28 is exploiting CVE-2026-21509 in Microsoft Office as part of Operation Neusploit, delivering two droppers through malicious RTFs: MiniDoor, an Outlook email stealer, and PixyNetLoader, which loads Covenant Grunt via a steganography-delivered shellcode loader; attacks target Ukraine, Slovakia, and Romania with region- and UA-based checks, and show overlaps with earlier Phantom Net Voxel activity.

APT28 weaponizes patched Office flaw to target Ukraine and EU governments
technology, 23 days ago

Russian-linked APT28 is exploiting a patched Microsoft Office zero-day (CVE-2026-21509) to attack Ukraine and EU government targets, deploying malicious Word documents that trigger a WebDAV download chain and COM hijacking to load Covenant via EhStoreShell.dll and a hidden image payload, with C2 through Filen cloud storage. The campaign, which impersonated entities like Ukraine's Hydrometeorological Center and EU COREPER, appears broader than Ukraine. Patch all affected Office versions promptly and restart apps after updates; if patching isn't possible, apply registry mitigations; Defender's Protected View provides additional defense against Internet-origin Office files.

Emergency patch fixes active Microsoft Office zero-day CVE-2026-21509
security, 29 days ago

Microsoft issued an out-of-band fix for a high-severity Office zero-day (CVE-2026-21509) that enables a local security feature bypass when users open a specially crafted Office file; exploitation requires user interaction, and the Preview Pane is not a vector. Office 2021+ patches will apply automatically with a service-side change but require restarting Office apps, while Office 2016/2019 users must install specific updates. A registry workaround is provided as mitigation. The flaw has been added to the CISA Known Exploited Vulnerabilities catalog, with federal agencies required to patch by February 16, 2026. Credit goes to MSTIC, MSRC, and the Office security team.

Microsoft Pushes Emergency Office Patch for Actively Exploited Zero-Day
technology, 1 month ago

Microsoft issued emergency out-of-band security updates to fix a high-severity Office zero-day (CVE-2026-21509) being actively exploited. The flaw affects multiple Office versions, including 2016, 2019, LTSC 2021/2024, and Microsoft 365 Apps for Enterprise, with patches for 2016/2019 not yet available. Exploitation requires user interaction via a malicious Office file, bypassing OLE mitigations. Office 2021+ will be protected via a service-side change (restart required). For older Office versions, Microsoft provides mitigations, including registry changes, to reduce exploitation risk. Additional related fixes were noted from January 2026 Patch Tuesday.