7.8 / 10 HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
* Microsoft has published three out-of-band (OOB) updates so far in January 2026. One of these updates was released to address a vulnerability, _CVE-2026-21509_, affecting Microsoft Office that has been reportedly exploited in the wild.
* Additional OOB updates have been published to resolve operational issues experienced following installation of the updates _released_ as part of the standard Microsoft Patch Tuesday process.

_CVE-2026-21509_ was published to address a security feature bypass vulnerability affecting Microsoft Office. This vulnerability was rated as "Important" and received a CVSS 3.1 score of 7.8. This vulnerability is considered "local," meaning that it must be triggered by an attacker with access to an affected system, or by convincing a victim to open a malicious Office document that triggers the vulnerability. It has also been added to the _CISA Known Exploited Vulnerabilities (KEV)_ list. Microsoft reports that this vulnerability cannot be triggered via the Preview Pane in Microsoft Office. Microsoft has also released mitigation guidance for CVE-2026-21509 as part of this _advisory_.
In response to these vulnerability disclosures, Talos is releasing a new SNORT® ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on _Snort.org_.
Snort2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65823-65830.
The following Snort3 rules are also available: 301384-301387.
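One way to confirm that a deployed rule file actually carries the SIDs listed above and that none of them is commented out. This is an added example, not part of the Talos post; it assumes one rule per line and that disabled rules start with `#`, and the sample rules are constructed placeholders rather than the Talos rule bodies.

```python
import re

# SID ranges quoted from the advisory text above.
SNORT2_SIDS = range(65823, 65831)    # 65823-65830
SNORT3_SIDS = range(301384, 301388)  # 301384-301387

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_states(rules_text):
    """Map each SID found to 'enabled' or 'disabled' (rule line commented out).

    Assumption: one rule per line, no backslash continuations.
    """
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if not match:
            continue
        sid = int(match.group(1))
        state = "disabled" if stripped.startswith("#") else "enabled"
        # An enabled copy wins if the same SID appears more than once.
        if states.get(sid) != "enabled":
            states[sid] = state
    return states

def coverage(rules_text, wanted):
    """Return (enabled, disabled, missing) SID lists for the wanted range."""
    states = rule_states(rules_text)
    enabled = [s for s in wanted if states.get(s) == "enabled"]
    disabled = [s for s in wanted if states.get(s) == "disabled"]
    missing = [s for s in wanted if s not in states]
    return enabled, disabled, missing

# Constructed sample: placeholder rule bodies, not the Talos rules themselves.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"placeholder A"; sid:65823; rev:1;)
# alert tcp any any -> any any (msg:"placeholder B"; sid:65824; rev:1;)
alert tcp any any -> any any (msg:"placeholder C"; sid:65825; rev:1;)
alert tcp any any -> any any (msg:"unrelated"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for name, wanted in (("Snort2", SNORT2_SIDS), ("Snort3", SNORT3_SIDS)):
        enabled, disabled, missing = coverage(SAMPLE_RULES, wanted)
        print(f"{name}: enabled={enabled} disabled={disabled} missing={missing}")
```

To run it against a real sensor, read the rule file contents into a string and pass that to `coverage` in place of `SAMPLE_RULES`.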
The following ClamAV signature has been released to detect activity associated with this vulnerability:
* Rtf.Exploit.CVE_2026_21509-10059214-0
Basic Information
ID: TALOSBLOG:63BC49BAC36831F8325B615088C23392
Published: Jan 29, 2026 at 14:43