CISA Adds Office Zero-Day to Known Exploited Vulnerabilities Catalog
US cybersecurity agency mandates federal agencies patch CVE-2026-21509 by February 16, 2026.
CISA has added CVE-2026-21509 to its Known Exploited Vulnerabilities catalog, giving federal agencies until February 16, 2026, to patch the actively exploited Office zero-day vulnerability.
Mandated Patches
Federal agencies must apply patches or implement mitigations by the deadline. Microsoft recommends users enable Protected View and exercise caution with files from unknown sources until the patch is applied.
Attack Complexity
Security researchers note that exploiting CVE-2026-21509 is complex, requiring either existing system access or sophisticated social engineering to convince a user to open a malicious Office file.