CRITICAL 2026-03-09

CVE-2026-21509 – Microsoft 365 Remote Code Execution via OLE Objects

A critical vulnerability in Microsoft 365 Apps (Enterprise/LTSC) enables arbitrary code execution through manipulated OLE objects embedded in Office documents — without requiring enabled macros. A single click on an attachment is sufficient for initial access.

What happened?

CVE-2026-21509 affects Microsoft 365 Apps in the Enterprise and LTSC editions. Attackers can execute arbitrary malicious code on a target system by embedding specially crafted OLE objects in Office documents (Word, Excel, PowerPoint) — no macros required. The attack only requires that the victim opens the document. A classic initial-access vector: the document arrives as an email attachment.

Microsoft has released a patch as part of the regular update cycle. Systems with automatic updates disabled, and centrally managed environments, remain exposed until the patch is manually applied.

Who is affected?

All organisations using the following products:

  • Microsoft 365 Apps for Enterprise
  • Microsoft 365 Apps LTSC

Particularly exposed: SMEs where automatic updates are disabled or rolled out with a delay, and environments with frequent document exchange via email.

What should you do?

  1. Immediately — force the update: Manually update all devices: File → Account → Update Options → Update Now.
  2. Centrally managed environments: Trigger deployment via Microsoft Endpoint Manager / Intune immediately.
  3. Check Protected View: Ensure that "Protected View" for internet-sourced attachments is enabled in Office options — it blocks OLE object execution until editing is explicitly activated.
  4. Email gateway: Verify whether Office documents from external sources are filtered or opened in a sandbox.
  5. Awareness: Remind employees not to open unexpected Office attachments — even from known senders.
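
Steps 1 and 3 can be checked per device with a short audit script. The following PowerShell is an added example, not part of the original advisory or Microsoft tooling. It assumes a Click-to-Run installation using the `16.0` registry version key, and because the fixed build number is not stated on this page, it only reports the installed build for comparison against Microsoft's advisory.

```powershell
# Added example: audits Protected View and Click-to-Run update settings on the local machine.
# Assumption: Microsoft 365 Apps / Office LTSC installed via Click-to-Run (registry version key 16.0).
$apps   = 'Word', 'Excel', 'PowerPoint'
# A value of 1 turns Protected View OFF for that source; absent or 0 means it is ON.
$values = 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV'
# Group Policy values (Policies hive) take precedence over per-user Trust Center options.
$roots  = 'HKCU:\Software\Policies\Microsoft\Office\16.0', 'HKCU:\Software\Microsoft\Office\16.0'

$findings = foreach ($app in $apps) {
    foreach ($name in $values) {
        $state = 'Enabled (default)'; $source = 'not set'
        foreach ($root in $roots) {
            $key  = Join-Path $root "$app\Security\ProtectedView"
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                if ($item.$name -eq 1) { $state = 'DISABLED' } else { $state = 'Enabled' }
                $source = $root
                break   # first hit wins: policy before user setting
            }
        }
        [pscustomobject]@{ App = $app; Setting = $name; ProtectedView = $state; Source = $source }
    }
}
$findings | Format-Table -AutoSize

# Click-to-Run update configuration: are automatic updates on, and which build is installed?
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r) {
    [pscustomobject]@{
        InstalledBuild = $c2r.VersionToReport
        UpdatesEnabled = $c2r.UpdatesEnabled
        UpdateSource   = $c2r.CDNBaseUrl
    } | Format-List
    # Compare InstalledBuild with the fixed build in Microsoft's advisory for CVE-2026-21509
    # (the build number is not given on this page).
} else {
    Write-Warning 'No Click-to-Run configuration found (MSI install or Office not present).'
}

if ($findings.ProtectedView -contains 'DISABLED') {
    Write-Warning 'Protected View is disabled for at least one source; re-enable it in the Trust Center or via policy.'
}
```

Run it in the user's own session, since the Protected View values live under HKCU and differ per user profile.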

This advisory is for informational purposes. Contact us for an analysis of your update strategy.