On January 26, 2026, Microsoft disclosed a critical zero-day vulnerability in its Office products, tracked as CVE-2026-21509. This vulnerability allows attackers to execute malicious code remotely, leading to full system compromise. The vulnerability was leveraged by APT28, a notorious Russia-linked threat group, as part of a wider cyberattack campaign known as Operation Neusploit. With APT28's history of targeting government organizations and critical infrastructure, CVE-2026-21509 has raised serious concerns regarding the security of sensitive systems, especially in Ukraine and Eastern Europe.
In this blog, we explain how the Microsoft Office CVE-2026-21509 vulnerability works and provide practical steps for validation and remediation.
Microsoft Office products are prime targets for attackers looking to gain unauthorized access to systems, steal data, or execute malicious code. Despite Office's robust security measures, its support for Rich Text Format (RTF) files introduces risk when such files are parsed improperly or crafted by attackers to abuse the parser.
On January 26, 2026, Microsoft released a security advisory for CVE-2026-21509, a critical zero-day vulnerability in Microsoft Office products [1]. The vulnerability affects Office versions that process RTF files and is triggered by a specially crafted document, resulting in remote code execution. CVE-2026-21509 has a CVSS score of 7.8 (High) due to its high impact and the ease with which it can be exploited.
The vulnerability arises from improper parsing of RTF files, leading to the execution of malicious code when a victim opens a malicious document. Once the exploit runs, the attacker can trigger a chain of events that leads to the download of further payloads such as malicious DLL files. These payloads establish backdoors (such as "MiniDoor" and "PixyNetLoader"), allowing the attacker to gain control over the victim's system, steal sensitive information, and maintain persistence. Because the attack is carried out through a legitimate application, Microsoft Office, it also helps the attacker evade security controls.
The affected products are listed below, and organizations are advised to upgrade their vulnerable Microsoft Office products to the patched versions.
| Vulnerability | CVSS Score | Affected Products |
|---|---|---|
| CVE-2026-21509 | 7.8 (High) | |
In January 2026, the Russian APT group APT28, also known as Fancy Bear, began exploiting the CVE-2026-21509 vulnerability in Microsoft Office products as part of a new campaign, Operation Neusploit [2]. The vulnerability is triggered by specially crafted RTF documents, which allowed the attackers to deliver malicious payloads once the document was opened.
APT28 targeted Ukraine, using phishing emails with malicious RTF attachments to infiltrate government agencies and critical sectors. The exploit triggered the download of malware such as MiniDoor, which stole emails, and PixyNetLoader, which deployed a more sophisticated backdoor known as Covenant Grunt. The attackers used these tools to maintain persistent access to compromised systems, allowing them to gather intelligence and monitor sensitive communications.
CVE-2026-21509 stems from how Microsoft Office handles RTF (Rich Text Format) files. APT28 exploits this by sending specially crafted RTF documents in phishing emails. When a user opens the document, the Office application improperly parses the RTF file, allowing the attacker to inject malicious code. This exploit bypasses document validation, enabling the execution of embedded payloads.
Once the document is opened, the exploit downloads a malicious DLL from an external server controlled by APT28. This DLL is designed to execute further payloads that give the attackers control over the compromised system. By establishing a network connection, the DLL fetches and executes additional malicious files, advancing the attack.
The malicious DLL serves as a dropper, delivering key payloads like MiniDoor, which steals emails from Microsoft Outlook, and PixyNetLoader, which installs Covenant Grunt. These payloads ensure persistent access to the victim's system and create a stable channel for the attacker to issue commands remotely.
To maintain long-term access, the malicious DLL hijacks COM objects and sets up scheduled tasks that automatically relaunch the exploit upon system restart or Office interaction. This persistence allows APT28 to control the system without detection. The Covenant Grunt implant ensures communication with the attacker's server, enabling continuous remote control of the compromised system.
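The chain described above (an Office process reaching out to a server, dropping a DLL, hijacking a COM object and registering a scheduled task) can be expressed as a correlation over endpoint telemetry. The script below is an added defensive example, not code from the original post or from Picus; it assumes Sysmon-style event IDs (1 process create, 3 network connection, 11 file create, 13 registry value set), and the hosts, paths, IP addresses and CLSID in the sample events are constructed.

```python
import re
from collections import defaultdict

# Office executables whose post-open behaviour we want to watch.
OFFICE_RE = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.I)
# COM hijacking: a per-user InprocServer32 value under HKCU/HKU Classes\CLSID.
COM_HIJACK_RE = re.compile(r"\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32", re.I)
DLL_RE = re.compile(r"\.dll$", re.I)
SCHTASK_RE = re.compile(r"\\schtasks\.exe$", re.I)

# Constructed Sysmon-style sample events (hypothetical hosts, paths, IPs and CLSID).
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"id": 3, "host": "ws01", "image": WINWORD, "dest": "203.0.113.10:443"},
    {"id": 11, "host": "ws01", "image": WINWORD,
     "target": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"id": 13, "host": "ws01", "image": WINWORD,
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\CLSID"
               r"\{0f9e6d3c-1111-4222-8333-444455556666}\InprocServer32\(Default)"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": WINWORD, "cmd": "schtasks /create /tn Updater /tr C:\\Users\\alice\\upd.dll"},
    # ws02 only shows an Office network connection, which is normal cloud traffic.
    {"id": 3, "host": "ws02", "image": WINWORD, "dest": "198.51.100.7:443"},
]


def stage_of(ev):
    """Map one event to a stage of the chain described in the text, or None."""
    img = ev.get("image", "")
    if ev["id"] == 3 and OFFICE_RE.search(img):
        return "office_network"
    if ev["id"] == 11 and OFFICE_RE.search(img) and DLL_RE.search(ev.get("target", "")):
        return "dll_drop"
    if ev["id"] == 13 and OFFICE_RE.search(img) and COM_HIJACK_RE.search(ev.get("target", "")):
        return "com_hijack"
    if (ev["id"] == 1 and SCHTASK_RE.search(img) and OFFICE_RE.search(ev.get("parent", ""))
            and "/create" in ev.get("cmd", "").lower()):
        return "sched_task"
    return None


def correlate(events, min_stages=2):
    """Return {host: sorted stages} for hosts hitting at least min_stages distinct stages.
    A lone Office network connection is routine (sync, updates), so it never alerts alone."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Raise min_stages or add a time window in production to keep the rule from firing on Office add-ins that legitimately write DLLs.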
We also strongly suggest simulating the Microsoft Office CVE-2026-21509 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threats for the Microsoft Office CVE-2026-21509 vulnerability exploitation and related APT28 attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 65657 | Microsoft Office CVE-2026-21509 Bypass Vulnerability Download Threat | Network Infiltration |
| 89628 | Microsoft Office CVE-2026-21509 Bypass Vulnerability Email Threat | Email Infiltration (Phishing) |
| 30908 | Operation Neusploit Campaign Malware Download Threat | Network Infiltration |
| 86108 | Operation Neusploit Campaign Malware Email Threat | Email Infiltration (Phishing) |
| 55318 | Covenant RAT Download Threat | Network Infiltration |
| 64303 | Covenant RAT Email Threat | Email Infiltration (Phishing) |
| 91430 | PixyNetLoader Loader Download Threat | Network Infiltration |
| 84226 | PixyNetLoader Loader Email Threat | Email Infiltration (Phishing) |
| 77207 | PixyNetLoader Malware Dropper Download Threat | Network Infiltration |
| 97682 | PixyNetLoader Malware Dropper Email Threat | Email Infiltration (Phishing) |
| 43803 | Sofacy Threat Group Campaign Malware Download Threat | Network Infiltration |
| 21461 | Sofacy Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing) |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "Security Update Guide - Microsoft Security Response Center." Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
[2] S. Singh and R. Tay, "Operation Neusploit: APT28 Uses CVE-2026-21509," Feb. 02, 2026. Available: https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit