Microsoft Word Zero-Day Vulnerability Actively Exploited Before Patch Was Released

Attackers were already inside systems by the time Microsoft disclosed this Word zero-day — and victims never saw it coming.


Opening a Word Doc Became a Security Risk — Again

No macros. No “Enable Content” prompt. No warning of any kind. That’s what makes CVE-2026-21514 worth paying attention to right now.


What Happened?

On February 10, 2026, Microsoft disclosed a zero-day vulnerability in Microsoft Word — tracked as CVE-2026-21514 — during its February Patch Tuesday release. The timing matters: by the time Microsoft went public, the flaw had already been confirmed as actively exploited in real-world attacks.

The vulnerability sits in how Word processes OLE (Object Linking and Embedding) controls. OLE lets a document host objects that live outside it, such as a spreadsheet embedded in a report or a chart pulled from another file. Word wraps that machinery in security checks that decide whether an object may be activated. CVE-2026-21514 defeats those checks because they rely on input the document itself supplies (CWE-807, Reliance on Untrusted Inputs in a Security Decision): a crafted file can feed the gate exactly the data it needs to see in order to wave the object through.

No privilege escalation is needed and no admin rights are involved: the exploit runs with whatever access the user who opened the file already has. The only thing required is that a victim opens the file.

The CVSS v3.1 base score is 7.8, which is High on the CVSS scale; Microsoft’s own severity rating for the bug is Important. Google’s Threat Intelligence Group and Microsoft’s internal security team both worked the case. The exploit is functional and has been used in live attacks, not a proof of concept sitting in a lab.

Affected versions include Microsoft 365 Apps for Enterprise (32-bit and 64-bit), Office LTSC 2021, Office LTSC 2024, and Office LTSC 2021 and 2024 for Mac.


What’s the Impact?

The silent execution is what separates this from a standard phishing risk. Normally a malicious Office document trips Protected View (for files marked as downloaded from the internet) or an “Enable Content” prompt (for macros), giving a careful user a chance to stop. This one skips all of that: the file opens clean and the exploit runs in the background.

Attackers deliver the document through phishing emails, which requires nothing sophisticated on their end: a convincing subject line and a plausible filename are all it takes. Security researchers noted that high-value targets (executives, finance teams, legal departments) are the most likely focus of early attacks.

Once it fires, the consequences span confidentiality, integrity and availability alike: data theft, file modification, system crashes. That triple high-impact rating is what puts a local, user-interaction-required bug at 7.8. CISA did not wait around on this one: the CVE went into its Known Exploited Vulnerabilities catalog and federal agencies were ordered to patch by March 3, 2026, reflecting how serious the exposure is.


How to Avoid This

The fix exists. The only question is whether your organization has applied it yet.

  • Windows: Update through the Office updater (File > Account > Update Options > Update Now) or your admin center. The patch shipped via Click-to-Run, so it comes from the Office CDN rather than from Windows Update.
  • Mac: Update to Office version 16.106.26020821 or later.
  • Enterprise environments: Push via Intune or Configuration Manager (Microsoft 365 Apps and Office LTSC 2021/2024 are Click-to-Run builds and do not update through WSUS) and confirm deployment across all endpoints rather than assuming auto-update handled it. The installed build is the VersionToReport value under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration; compare it against the fixed build listed in Microsoft’s advisory.

A few additional steps worth doing now:

  • Block inbound Office document attachments from external senders at the email gateway, at least until patching is confirmed. Cover legacy .doc and .rtf as well as .docx; all three formats can carry embedded OLE objects.
  • Use Group Policy to restrict OLE object execution as a short-term measure. The usual control is the PackagerPrompt value under the Word Security registry key (2 blocks Packager objects outright), but that covers only one class of OLE object, so check Microsoft’s advisory for any workaround specific to this CVE.
  • Scan endpoints with Microsoft Defender for any signs of compromise on machines that may have been unpatched during the exposure window, and review process-creation telemetry for winword.exe spawning anything it normally would not.
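A narrower alternative to blocking every Office attachment is to quarantine only the documents that actually carry OLE content. The script below is an added example, not code from the article or from Microsoft: it unpacks a .docx (an OOXML ZIP container) and flags the three places an embedded object shows up, namely payload parts under word/embeddings/ or word/activeX/, relationships of the oleObject type, and o:OLEObject elements in document.xml. It does not detect CVE-2026-21514 itself, since the page gives no public indicator for the bug; it surfaces the attack surface the bug lives in. The sample documents it scans are constructed in memory, and the Packager ProgID in the malicious sample is an assumption used for illustration.

```python
"""Triage scanner that flags .docx files carrying OLE objects.

Added example, not code from the original article or from Microsoft. It cannot
detect CVE-2026-21514 itself (the page gives no public indicator for the bug);
it surfaces documents that embed OLE objects so a gateway or responder can
quarantine those instead of blocking every Office attachment. The sample
documents built below are constructed in memory for this example.
"""
import io
import re
import zipfile

# Relationship type ECMA-376 (OOXML) uses for an embedded OLE object.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Element Word writes into document.xml for an OLE object or control.
OLE_ELEMENT_RE = re.compile(r"<o:OLEObject\b[^>]*>", re.IGNORECASE)
# Folders where Word stores embedded object payloads and ActiveX control data.
EMBED_PREFIXES = ("word/embeddings/", "word/activeX/")


def scan_docx(data: bytes) -> dict:
    """Return the OLE indicators found in a .docx supplied as bytes."""
    findings = {"is_docx": False, "embedded_parts": [], "ole_relationships": [], "ole_elements": 0}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP container, so not an OOXML document
    with zf:
        names = zf.namelist()
        if "word/document.xml" not in names:
            return findings
        findings["is_docx"] = True
        findings["embedded_parts"] = [n for n in names if n.startswith(EMBED_PREFIXES)]
        # Any .rels part may point at an OLE payload; collect the targets.
        for name in (n for n in names if n.endswith(".rels")):
            rels = zf.read(name).decode("utf-8", errors="replace")
            for tag in re.findall(r"<Relationship\b[^>]*>", rels):
                if OLE_REL_TYPE in tag:
                    target = re.search(r'Target="([^"]*)"', tag)
                    findings["ole_relationships"].append(target.group(1) if target else "?")
        doc = zf.read("word/document.xml").decode("utf-8", errors="replace")
        findings["ole_elements"] = len(OLE_ELEMENT_RE.findall(doc))
    return findings


def verdict(findings: dict) -> str:
    """Gateway policy: quarantine anything that references or embeds an OLE object."""
    if not findings["is_docx"]:
        return "not-docx"
    if findings["embedded_parts"] or findings["ole_relationships"] or findings["ole_elements"]:
        return "quarantine"
    return "allow"


def build_sample(with_ole: bool) -> bytes:
    """Construct a minimal .docx in memory (sample data for this example, not a real document)."""
    body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
    rels = ""
    if with_ole:
        # Assumed for illustration: a Packager object, the classic way to embed an executable.
        body += ('<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
                 'ShapeID="_x0000_i1025" DrawAspect="Content" ObjectID="_1" r:id="rId1"/>'
                 "</w:object></w:r></w:p>")
        rels = f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
    document = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:o="urn:schemas-microsoft-com:office:office" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                f"<w:body>{body}</w:body></w:document>")
    doc_rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f"{rels}</Relationships>")
    root_rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                 '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                 'relationships/officeDocument" Target="word/document.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        if with_ole:
            # Payload opens with the OLE compound-file magic D0 CF 11 E0.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("with-ole", build_sample(True))):
        result = scan_docx(blob)
        print(label, verdict(result), result)
```

Run against a mail spool or a share export, the quarantine verdict is a triage signal, not a malware verdict: plenty of legitimate reports embed spreadsheets, so route hits to manual review rather than deleting them, and remember that legacy .doc and .rtf files are not ZIP containers and need a separate parser.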

Word documents are the most trusted file format in most organizations. That trust is exactly what makes them useful as a delivery mechanism. Patch now — the window between “we know about this” and “widespread exploitation” tends to be short.