Microsoft Rushes Emergency Patch for Office Zero-Day CVE-2026-21509
Microsoft releases emergency out-of-band update for actively exploited Office vulnerability bypassing security controls.
Microsoft has rushed out an emergency out-of-band patch for CVE-2026-21509, a security vulnerability in multiple versions of Microsoft Office that allows attackers to bypass security controls.
Vulnerability Details
CVE-2026-21509 allows attackers to bypass OLE security mitigations in Microsoft 365 and Office and execute arbitrary code on affected systems. Unlike typical Office vulnerabilities that merely require viewing a malicious file in the Preview Pane, successful exploitation of this CVE could fully compromise affected systems.
CISA Alert
The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches or discontinue use of affected products by February 16, 2026.