CVE-2026-21514 Overview
CVE-2026-21514 is a security feature bypass vulnerability in Microsoft Office Word that stems from reliance on untrusted inputs in security decisions. This vulnerability allows an unauthorized attacker to bypass security features locally, potentially enabling them to circumvent protections designed to prevent malicious document execution.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation allows attackers to bypass Word's security mechanisms, potentially leading to unauthorized code execution with the privileges of the current user.
Affected Products
- Microsoft 365 Apps for Enterprise (x64 and x86)
- Microsoft Office Long Term Servicing Channel 2021 (Windows x64/x86 and macOS)
- Microsoft Office Long Term Servicing Channel 2024 (Windows x64/x86 and macOS)
Discovery Timeline
- 2026-02-10 - CVE-2026-21514 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2026-21514
Vulnerability Analysis
This vulnerability is classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision). The flaw occurs when Microsoft Word processes certain inputs and incorrectly trusts data that should be validated or sanitized before being used in security-critical decisions. This design weakness allows attackers to manipulate the inputs in a way that causes Word to make incorrect security determinations.
The vulnerability requires local access and user interaction to exploit, typically through a malicious document that a user must open. Once opened, the crafted document can trigger the security bypass, potentially allowing further malicious actions that would normally be blocked by Word's built-in security features.
Root Cause
The root cause lies in Microsoft Word's improper handling of input validation during security decision-making processes. The application relies on data that can be controlled by an attacker when making determinations about whether certain actions should be permitted or blocked. This trust assumption is fundamentally flawed when processing untrusted documents, as attackers can craft inputs specifically designed to pass security checks while carrying malicious payloads.
Attack Vector
The attack vector is local, requiring an attacker to convince a user to open a specially crafted Word document. This is commonly achieved through social engineering tactics such as phishing emails with malicious attachments or by hosting the document on a compromised website.
Once the victim opens the malicious document, the vulnerability is triggered during the security decision process. The attacker-controlled input causes Word to bypass its normal security features, which could allow macro execution, embedded object activation, or other actions that would typically be blocked by security policies. Given that this vulnerability has been observed in active exploitation, organizations should treat remediation as a high priority.
Detection Methods for CVE-2026-21514
Indicators of Compromise
- Unusual Word document files with suspicious embedded objects or unconventional structure
- Word processes (WINWORD.EXE) spawning unexpected child processes
- Anomalous network connections originating from Microsoft Word processes
- Modified or disabled Word security settings without administrator authorization
Detection Strategies
- Monitor for Microsoft Word processes exhibiting abnormal behavior such as spawning command shells or PowerShell instances
- Implement endpoint detection rules to identify documents that attempt to manipulate security settings
- Deploy behavioral analysis to detect security feature bypass attempts in document processing
- Review email gateway logs for suspicious Word document attachments targeting your organization
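The parent/child check described in the indicators and detection strategies above, as an added example that is not part of the original advisory: it filters process-creation records for children of WINWORD.EXE and ranks shell and script-host children highest. The Sysmon Event ID 1 field names, the two child-name lists, the function names and the sample events are assumptions made for the illustration.

```powershell
# Added example. Field names follow Sysmon Event ID 1 (ProcessCreate).
# Both child lists are assumptions; tune them for your environment.
$ShellLikeChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
$ExpectedChildren  = @('splwow64.exe')   # print driver host, assumed benign here

function Get-LeafName([string]$Path) {
    # Split on either separator so this also works outside Windows PowerShell
    ($Path -split '[\\/]')[-1]
}

function Find-WordChildProcess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$ProcessEvent
    )
    process {
        # String comparisons below are case-insensitive by default
        if ((Get-LeafName $ProcessEvent.ParentImage) -ne 'WINWORD.EXE') { return }

        $child = Get-LeafName $ProcessEvent.Image
        if ($ExpectedChildren -contains $child) { return }

        $severity = if ($ShellLikeChildren -contains $child) { 'High' } else { 'Review' }
        [pscustomobject]@{
            UtcTime     = $ProcessEvent.UtcTime
            Severity    = $severity
            User        = $ProcessEvent.User
            Child       = $child
            CommandLine = $ProcessEvent.CommandLine
        }
    }
}

# Constructed sample events (not taken from a real incident)
$word = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2026-02-12 09:14:03'; User = 'CORP\alice'; ParentImage = $word
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -NoProfile' }
    [pscustomobject]@{ UtcTime = '2026-02-12 09:20:41'; User = 'CORP\bob'; ParentImage = $word
        Image = 'C:\Windows\splwow64.exe'; CommandLine = 'C:\Windows\splwow64.exe 8192' }
    [pscustomobject]@{ UtcTime = '2026-02-12 09:31:17'; User = 'CORP\carol'; ParentImage = $word
        Image = 'C:\Users\carol\AppData\Local\Temp\viewer.exe'; CommandLine = 'viewer.exe' }
    [pscustomobject]@{ UtcTime = '2026-02-12 09:33:02'; User = 'CORP\dave'; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c ver' }
)

$sampleEvents | Find-WordChildProcess | Format-Table -AutoSize
```

On a host with Sysmon installed, the same function accepts objects built from Event ID 1 records in the `Microsoft-Windows-Sysmon/Operational` log.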
Monitoring Recommendations
- Enable enhanced logging for Microsoft Office applications to capture detailed process activity
- Configure SIEM alerts for any Word-related security events indicating bypass attempts
- Monitor file system activity for temporary files created by Word in unusual locations
- Track user reports of unexpected security prompts or missing security warnings when opening documents
How to Mitigate CVE-2026-21514
Immediate Actions Required
- Apply Microsoft's security patches for all affected Microsoft 365 Apps and Office LTSC installations immediately
- Block suspicious Word documents at email gateways pending patch deployment
- Enable Protected View and ensure it remains enabled for all externally sourced documents
- Educate users about the ongoing exploitation and reinforce safe document handling practices
Patch Information
Microsoft has released security updates to address this vulnerability. Detailed patch information and download links are available in the Microsoft CVE-2026-21514 Advisory. Organizations should prioritize patching as this vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.
For Microsoft 365 Apps, updates are typically delivered through automatic update channels. For Office LTSC 2021 and 2024 deployments, administrators should download and deploy the appropriate security updates through their standard patch management processes.
Workarounds
- Enable Attack Surface Reduction (ASR) rules to block Office applications from creating child processes
- Configure Group Policy to enforce Protected View for all document sources
- Restrict macro execution to only digitally signed macros from trusted publishers
- Consider temporary network isolation for systems that cannot be immediately patched
```powershell
# PowerShell: Enable ASR rule to block Office apps from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

# Verify ASR rule is enabled: IDs and actions are listed in the same order (1 = Block)
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```


