Users of Microsoft Office are facing a serious security threat that could allow hackers to take control of their computers simply by opening a malicious document.

The flaw is already being actively exploited, meaning attackers are currently using it in real-world attacks, putting government offices, businesses, and individual users at risk.

The National Computer Emergency Response Team (National CERT) has issued a high-severity advisory about a newly discovered Microsoft Office zero-day vulnerability, identified as CVE-2026-21509. A zero-day vulnerability is especially dangerous because it is exploited before users are fully protected.

According to National CERT, attackers can use this flaw to run harmful code on a victim’s system when a specially crafted Office file is opened. These attacks are mainly carried out through phishing emails and social engineering campaigns that include malicious Office attachments. In many cases, the attack happens during document processing or when embedded content is handled, without showing the usual security warnings.

If the attack is successful, hackers gain the same access level as the logged-in user. This can allow them to install malware, steal login credentials, extract sensitive data, and maintain long-term access to infected systems. National CERT warned that employees in executive, finance, legal, and other high-trust roles are particularly at risk, as they are often targeted in such attacks. The widespread use of Microsoft Office across organizations increases the potential damage.

The vulnerability affects several supported versions of Microsoft Office, including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise, especially in cases where ActiveX controls or embedded content are enabled.

Microsoft has acknowledged the issue and confirmed that the vulnerability is being actively exploited in the wild. The company has released emergency security updates along with temporary mitigation measures to reduce the risk.

National CERT has urged organizations to immediately apply Microsoft’s emergency patches and restart Office applications to ensure protections are activated. It also advised closely monitoring systems for signs of compromise, such as Office applications unexpectedly launching command-line or PowerShell processes. For systems where patching is delayed, National CERT recommended using temporary mitigations, improving email security controls, and strengthening endpoint monitoring to prevent large-scale attacks.