Security News

Cybersecurity news aggregator

HIGH | Vulnerabilities | Sophos News

Microsoft Office vulnerability (CVE-2026-21509) in active exploitation

CVE-2026-21509 is a high-severity (CVSS 7.8) vulnerability in Microsoft Office products that is being actively exploited. The vulnerability allows attackers to bypass OLE security mitigations by exploiting the application's reliance on untrusted inputs. Successful exploitation requires a user to open a specially crafted malicious Office file. Affected software includes Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise; organizations should apply available updates as soon as possible.

On January 26, 2026, Microsoft released an out-of-band update to address a high-severity (CVSS score of 7.8) vulnerability affecting multiple Microsoft Office products. This vulnerability, tracked as CVE-2026-21509, is being actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog.

The issue stems from the application's "reliance on untrusted inputs when making security decisions", which allows attackers to bypass Object Linking and Embedding (OLE) security mitigations built into Microsoft Office and Microsoft 365. Exploitation requires an attacker to convince a user to open a specially crafted malicious Office file.

Affected software includes Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise.

Recommended actions

Organizations should identify vulnerable Microsoft Office instances in their environments and apply updates or mitigations as appropriate. Microsoft recommends implementing protections as soon as possible given the active exploitation.

Sophos protections

The following Sophos protections target attempts to exploit this vulnerability and the execution of payloads after successful application.

VDL protection: Exp/2621509-A
Sophos XGS Firewall: 2312172
Endpoint IPS: 2312173, 2312176

These rules may provide an indication of attack or of users testing known proofs-of-concept. Users running vulnerable versions of the affected software should continue to follow current upgrade and patching advice.

Sophos Intercept X also provides broad behavioral mitigation against common exploitation techniques, including techniques relevant to attempted exploitation of this vulnerability.

Sophos X-Ops continues to monitor the threat landscape for activity related to this vulnerability and will deliver detection and protection updates to Sophos products as needed.
Sophos Counter Threat Unit™ (CTU) researchers are recognized authorities in the cybersecurity field, regularly contributing expert analysis to global media, publishing technical analyses for the security community, and presenting about emerging threats at leading security conferences. Backed by Sophos’ advanced security technologies and a broad network of intelligence contacts and partners, the CTU™ plays a critical role in identifying and tracking threat actors and analyzing anomalous activity, uncovering new attack techniques, threats, and major shifts in the threat landscape.
