Users of Microsoft Office are facing a serious cybersecurity threat that could allow hackers to take control of a computer simply by opening a malicious document, Pakistan’s National Computer Emergency Response Team (National CERT) warned on Tuesday.
The high-severity vulnerability, tracked as CVE-2026-21509, is a zero-day flaw that is already being actively exploited in real-world attacks, raising risks for government departments, businesses, and individual users.
According to National CERT, attackers can execute malicious code when a specially crafted Office file is opened, often through phishing emails carrying infected attachments. In many cases, the attack occurs without triggering standard security warnings, particularly when embedded content or ActiveX controls are involved.
If successfully exploited, hackers gain the same access level as the logged-in user, allowing them to install malware, steal credentials, extract sensitive data, and maintain long-term system access. CERT said staff in executive, finance, legal, and other high-trust roles are especially targeted.
The flaw affects multiple versions of Microsoft Office, including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise.
Microsoft has acknowledged the vulnerability, confirmed it is being exploited “in the wild,” and has released emergency security updates along with temporary mitigation measures.
National CERT has urged organizations and users to immediately install the latest patches, restart Office applications, and monitor systems for suspicious activity, warning that delays could lead to widespread compromise.
