Microsoft releases update to address zero-day vulnerability in Microsoft Office
2026-1-29 14:49:14 Author: blog.talosintelligence.com

  • Microsoft has published three out-of-band (OOB) updates so far in January 2026. One of these updates was released to address a vulnerability, CVE-2026-21509, affecting Microsoft Office that has reportedly been exploited in the wild.
  • Additional OOB updates have been published to resolve operational issues experienced following installation of the updates released as part of the standard Microsoft Patch Tuesday process.

CVE-2026-21509 was published to address a security feature bypass vulnerability affecting Microsoft Office. This vulnerability was rated as “Important” and received a CVSS 3.1 score of 7.8. This vulnerability is considered “local,” meaning that it must be triggered by an attacker with access to an affected system, or by convincing a victim to open a malicious Office document that triggers the vulnerability. It has also been added to the CISA Known Exploited Vulnerabilities (KEV) list. Microsoft reports that this vulnerability cannot be triggered via the Preview Pane in Microsoft Office. Microsoft has also released mitigation guidance for CVE-2026-21509 as part of this advisory.  

In response to these vulnerability disclosures, Talos is releasing a new SNORT® ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65823-65830.  

The following Snort3 rules are also available: 301384-301387. 
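To confirm that a deployed ruleset actually contains the SIDs listed above, and that none of them are shipped commented out, a check along these lines can be run over a local rules file. This is an added example, not Talos or Cisco code; the function name `audit_rules` and the sample rule text are constructed for illustration, and the placeholder rule bodies do not reproduce the real signatures.

```python
import re

# SID ranges taken from the advisory text above.
SNORT2_SIDS = set(range(65823, 65831))    # 65823-65830
SNORT3_SIDS = set(range(301384, 301388))  # 301384-301387

# A rule line starts with an action keyword; a leading '#' means the rule
# is present in the file but disabled.
RULE_RE = re.compile(
    r'^\s*(#\s*)?(alert|drop|block|reject|pass|log)\b.*?\bsid\s*:\s*(\d+)\s*;'
)

def audit_rules(rules_text, expected):
    """Return (enabled, disabled, missing) sets for the expected SIDs."""
    enabled, disabled = set(), set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # plain comment, blank line, or not a rule
        sid = int(m.group(3))
        if sid in expected:
            (disabled if m.group(1) else enabled).add(sid)
    disabled -= enabled  # an enabled copy anywhere in the file wins
    missing = expected - enabled - disabled
    return enabled, disabled, missing

# Constructed sample: placeholder headers and options only. SID 65824 is
# commented out and 65830 is absent, to exercise both failure modes.
PLACEHOLDER = 'alert tcp any any -> any any (msg:"PLACEHOLDER"; sid:{}; rev:1;)'
SAMPLE_RULES = "\n".join(
    ["# constructed sample ruleset"]
    + [PLACEHOLDER.format(s)
       for s in (65823, 65825, 65826, 65827, 65828, 65829, 1000001)]
    + ["# " + PLACEHOLDER.format(65824)]
)

if __name__ == "__main__":
    # Replace SAMPLE_RULES with the contents of the deployed rules file.
    enabled, disabled, missing = audit_rules(SAMPLE_RULES, SNORT2_SIDS)
    print("enabled :", sorted(enabled))
    print("disabled:", sorted(disabled))
    print("missing :", sorted(missing))
```

A non-empty `missing` set points to a ruleset that predates this release; a non-empty `disabled` set means the rule was delivered but is not active under the current policy.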

The following ClamAV signature has been released to detect activity associated with this vulnerability: 

  • Rtf.Exploit.CVE_2026_21509-10059214-0 

Source: https://blog.talosintelligence.com/microsoft-oob-update-january-2026/