Tag Archives: Office

About Remote Code Execution – Microsoft Word (CVE-2026-21514) vulnerability

About Remote Code Execution – Microsoft Word (CVE-2026-21514) vulnerability. This vulnerability is from February Microsoft Patch Tuesday. Reliance on Untrusted Inputs in a Security Decision (CWE-807) in Microsoft Office Word allows an unauthenticated attacker to bypass OLE security features when opening a malicious file. The vulnerability is NOT exploitable via the Preview Pane.

👾 Microsoft reports that the vulnerability is being exploited in the wild. It has been listed in CISA KEV since February 10.

💬 Microsoft has classified the vulnerability as a Security Feature Bypass, but given that exploiting such vulnerabilities can lead to arbitrary code execution, it seems reasonable to classify it as Remote Code Execution, similar to the actively exploited CVE-2026-21509.

🛠 No public exploits are available yet.

На русском

February “In the Trend of VM” (#24): vulnerabilities in Microsoft products

Leave a reply

February “In the Trend of VM” (#24): vulnerabilities in Microsoft products. A traditional monthly roundup of trending vulnerabilities. This time, compact and all-Microsoft.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

In total, two vulnerabilities:

🔻 RCE – Microsoft Office (CVE-2026-21509)
🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)

🟥 Trending Vulnerabilities Portal

На русском

About Remote Code Execution – Microsoft Office (CVE-2026-21509) vulnerability

Leave a reply

About Remote Code Execution – Microsoft Office (CVE-2026-21509) vulnerability. The vulnerability was urgently fixed on January 26, outside the regular Microsoft Patch Tuesday. Microsoft classified it as a Security Feature Bypass, but in fact, it is more of a Remote Code Execution. The vulnerability involves bypassing OLE (Object Linking and Embedding) security features in Microsoft 365 and Microsoft Office. It is exploited when opening malicious Office files (Preview Pane is safe).

⚙️ In Office 2021+, protection is enabled automatically via server-side changes after restarting the applications. For Office 2016/2019, updates must be installed or registry changes applied.

👾 Microsoft reports that the vulnerability is being exploited in the wild.

🛠 No public exploits are available yet.

На русском

January Microsoft Patch Tuesday

Leave a reply

January Microsoft Patch Tuesday. A total of 114 vulnerabilities, twice as many as in December. There is one vulnerability with evidence of in-the-wild exploitation:

🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)

There are also two vulnerabilities with public exploits:

🔸 RCE – Windows Deployment Services (CVE-2026-0386)
🔸 EoP – Windows Agere Soft Modem Driver (CVE-2023-31096)

Other notable vulnerabilities include:

🔹 RCE – Microsoft Office (CVE-2026-20952, CVE-2026-20953), Windows NTFS (CVE-2026-20840, CVE-2026-20922)
🔹 EoP – Desktop Windows Manager (CVE-2026-20871), Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876)
🔹 SFB – Secure Boot Certificate Expiration (CVE-2026-21265)

Also noteworthy, reported by Positive Technologies:

🟥 EoP – Windows Telephony Service (CVE-2026-20931)

🗒 Full Vulristics report

На русском

December Microsoft Patch Tuesday

Leave a reply

December Microsoft Patch Tuesday. A total of 56 vulnerabilities were fixed – 9 fewer than in November. There is one vulnerability with confirmed in-the-wild exploitation:

🔻 EoP – Windows Cloud Files Mini Filter Driver (CVE-2025-62221)

There are currently no vulnerabilities with publicly available exploits. Among the remaining vulnerabilities, the following stand out:

🔹 RCE – Microsoft Office (CVE-2025-62554, CVE-2025-62557), Microsoft PowerShell (CVE-2025-54100), Microsoft Outlook (CVE-2025-62562), GitHub Copilot for JetBrains (CVE-2025-64671)
🔹 EoP – Windows Win32k (CVE-2025-62458), Windows Cloud Files Mini Filter Driver (CVE-2025-62454, CVE-2025-62457), Windows Common Log File System Driver (CVE-2025-62470), Windows Remote Access Connection Manager (CVE-2025-62472), Windows Storage (CVE-2025-59516)

🗒 Full Vulristics report

На русском

July Microsoft Patch Tuesday

4 Replies

July Microsoft Patch Tuesday. There are 175 vulnerabilities in total, 33 of which appeared between June and July Patch Tuesday.

There are 2 vulnerabilities with the sign of exploitation in the wild:

🔻 Spoofing – Windows MSHTML Platform (CVE-2024-38112). It’s not clear what exactly is being spoofed. Let’s wait for the details. It is currently known that to exploit the vulnerability, an attacker must send the victim a malicious (MSHTML?) file, which the victim must somehow run/open.
🔻 Elevation of Privilege – Windows Hyper-V (CVE-2024-38080). This vulnerability allows an authenticated attacker to execute code with SYSTEM privileges. Again, no details. This could be interpreted that the guest OS user can gain privileges in the host OS (I hope this is not the case).

From the rest we can highlight:

🔸 Elevation of Privilege – various Windows components (CVE-2024-38059, CVE-2024-38066, CVE-2024-38100, CVE-2024-38034, CVE-2024-38079, CVE-2024-38085, CVE-2024-38062, CVE-2024-30079, CVE-2024-38050). EoPs quite often become exploitable.
🔸 Remote Code Execution – Windows Remote Desktop Licensing Service (CVE-2024-38074, CVE-2024-38076, CVE-2024-38077)
🔸 Remote Code Execution – Microsoft Office (CVE-2024-38021)
🔸 Remote Code Execution – Windows Imaging Component (CVE-2024-38060). All you need to do is upload a malicious TIFF file to the server.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-38023, CVE-2024-38024). Authentication is required, but “Site Owner” permissions are sufficient.

🗒 Vulristics report on July Microsoft Patch Tuesday

Vulristics shows an exploit existence for Spoofing – RADIUS Protocol (CVE-2024-3596) on GitHub, but in reality it is just a detection utility.

На русском

August 2023: GitHub PoCs, Vulristics, Qualys First-Party, Tenable ExposureAI, SC Awards and Rapid7, Anglo-Saxon list, MS Patch Tuesday, WinRAR, Juniper

2 Replies

August 2023: GitHub PoCs, Vulristics, Qualys First-Party, Tenable ExposureAI, SC Awards and Rapid7, Anglo-Saxon list, MS Patch Tuesday, WinRAR, Juniper. Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind.

Alternative video link (for Russia): https://vk.com/video-149273431_456239134

Continue reading →

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Office

About Remote Code Execution – Microsoft Word (CVE-2026-21514) vulnerability

February “In the Trend of VM” (#24): vulnerabilities in Microsoft products

About Remote Code Execution – Microsoft Office (CVE-2026-21509) vulnerability

January Microsoft Patch Tuesday

December Microsoft Patch Tuesday

July Microsoft Patch Tuesday

August 2023: GitHub PoCs, Vulristics, Qualys First-Party, Tenable ExposureAI, SC Awards and Rapid7, Anglo-Saxon list, MS Patch Tuesday, WinRAR, Juniper