The National Information Technology Development Agency has issued a new security advisory after identifying a serious zero-day flaw affecting widely used Microsoft Office products. The warning comes at a time when Microsoft has already confirmed that attackers are exploiting the vulnerability, which is tracked as CVE-2026-21509.
NITDA explained that the flaw gives threat actors a way to bypass Object Linking and Embedding protections that normally block malicious components hidden inside Office files. The agency noted that the issue carries a CVSS score of 7.8 and relies on a victim opening a manipulated document for the attack to succeed. Although this still requires user action, the seriousness lies in how quickly the flaw is being used in real-world attacks.
“The vulnerability is categorised as a security feature bypass that allows attackers to circumvent Object Linking and Embedding mitigations designed to protect users from vulnerable COM/OLE controls,” the agency wrote. It added that exploitation needs the victim to open a specially crafted Office file. Crucially, the Preview Pane does not trigger the attack, yet confirmed exploitation means immediate action is essential.
Exploitation Already Underway
The flaw surfaced publicly last month when Microsoft disclosed that its internal teams had spotted attackers using it in active campaigns. Early reports suggested that sophisticated actors moved quickly to take advantage of the weakness. Within days of Microsoft’s emergency patch release, groups linked to Russia, including the state-associated collective known as APT28, were observed exploiting the flaw to spread malware and conduct espionage across Europe and other regions.
The vulnerability affects a range of Office versions, including Office 2016, Office 2019, Microsoft 365 Apps, and Office 2021. While the newest versions rely on server-side protections, those safeguards only become active once users restart their applications. Because of this, NITDA emphasised the importance of applying updates immediately.
NITDA urged individuals and organisations to install the out-of-band security updates released for Office 2016 and 2019 as soon as possible. It also reminded users of Office 2021 and later to restart their software so that the new protections take effect. Since the flaw depends on persuading a victim to open a malicious file, the agency encouraged companies to train staff on spotting suspicious attachments. Strong endpoint protection and strict email filtering remain vital for reducing exposure to ongoing attacks.
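The remediation described above has two parts that are easy to get wrong at scale: confirming that an endpoint actually carries the out-of-band build, and confirming that long-running Office processes have been restarted so the new protections are live. The following PowerShell script is an added example written for this page; it is not part of the NITDA advisory or of Microsoft's guidance. It assumes two operator-supplied values the article does not give: the minimum patched build number (the `-MinimumSafeBuild` placeholder, to be filled from the vendor's release notes) and the time the update was deployed (`-PatchAppliedAfter`). Registry path `HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` and its `VersionToReport` value are real Click-to-Run locations; the MSI fallback reads the file version of `WINWORD.EXE`.

```powershell
# Added example (not from the NITDA advisory or the article): check an endpoint against the
# two remediation steps in the text, applied build and Office restart.
# Run in an elevated session so StartTime is readable for every user's Office processes.
param(
    # PLACEHOLDER: the patched build is not stated on the page; take it from the vendor release notes.
    [version]$MinimumSafeBuild = [version]'0.0.0.0',
    # Assumption: when the out-of-band update was pushed to this host.
    [datetime]$PatchAppliedAfter = (Get-Date).AddDays(-1)
)

function Get-OfficeInstallInfo {
    # Click-to-Run installs (Microsoft 365 Apps, Office 2019/2021 C2R) record their build here.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $cfg = Get-ItemProperty -Path $c2r
        return [pscustomobject]@{
            InstallType = 'ClickToRun'
            Build       = [version]$cfg.VersionToReport
            UpdateUrl   = $cfg.CDNBaseUrl
        }
    }
    # MSI-based installs (typical for volume-licence Office 2016): read the build from WINWORD.EXE.
    $roots = @("${env:ProgramFiles}\Microsoft Office", "${env:ProgramFiles(x86)}\Microsoft Office") |
        Where-Object { $_ -and (Test-Path $_) }
    $word = Get-ChildItem -Path $roots -Filter WINWORD.EXE -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($word) {
        return [pscustomobject]@{
            InstallType = 'MSI'
            Build       = [version]$word.VersionInfo.FileVersion
            UpdateUrl   = 'n/a'
        }
    }
    return $null
}

function Get-StaleOfficeProcess {
    param([datetime]$Since)
    # Office binaries that render document content; an instance started before the update was
    # applied is still executing pre-update code and will not pick up the fix until restarted.
    $names = 'WINWORD', 'EXCEL', 'POWERPNT', 'OUTLOOK', 'MSACCESS', 'VISIO', 'MSPUB'
    Get-Process -Name $names -ErrorAction SilentlyContinue |
        Where-Object { $_.StartTime -and $_.StartTime -lt $Since } |
        Select-Object ProcessName, Id, StartTime
}

function Test-OfficeRemediation {
    param([version]$MinimumBuild, [datetime]$Since)
    $info  = Get-OfficeInstallInfo
    $stale = @(Get-StaleOfficeProcess -Since $Since)
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        InstallType    = if ($info) { $info.InstallType } else { 'NotFound' }
        Build          = if ($info) { $info.Build } else { $null }
        BuildIsPatched = if ($info) { $info.Build -ge $MinimumBuild } else { $false }
        NeedsRestart   = $stale.Count -gt 0
        StaleProcesses = $stale
    }
}

$result = Test-OfficeRemediation -MinimumBuild $MinimumSafeBuild -Since $PatchAppliedAfter
$result | Format-List
if ($result.NeedsRestart) {
    Write-Warning "Office processes started before $PatchAppliedAfter are still running; ask the user to close and reopen Office."
}
if (-not $result.BuildIsPatched) {
    Write-Warning "Installed build $($result.Build) is below the required build $MinimumSafeBuild; deploy the out-of-band update."
}
```

The script reports a single object per host, so it can be run through a management tool and the `BuildIsPatched` and `NeedsRestart` fields aggregated; hosts that show a current build but `NeedsRestart = True` are the case the article singles out, where the update is present but its protections are not yet active.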