The National Information Technology Development Agency (NITDA) has warned of a serious zero-day vulnerability affecting Microsoft Office and urged users to update immediately.
In an advisory issued by the Computer Emergency Readiness and Response Team Nigeria, the agency said Microsoft released out-of-band security updates to fix the flaw, tracked as CVE-2026-21509.
The vulnerability carries a CVSS score of 7.8 and is already being exploited.
Microsoft confirmed the issue allows attackers to bypass security protections in Office by getting a user to open a specially crafted document. The attack requires user interaction. However, the Preview Pane is not considered an attack path.
According to the advisory, the flaw bypasses Object Linking and Embedding protections designed to shield users from vulnerable COM/ OLE controls.
If exploited, it can allow malicious code to run, enable further compromise of a system, and increase the risk of malware delivery, data theft or lateral movement within an organisation.
Several versions of Microsoft Office are affected. These include Office 2016, both 32-bit and 64-bit editions, Office 2019 in 32-bit and 64-bit versions, Microsoft 365 Apps, and Office 2021 and later releases.
Microsoft noted: “Office 2021 and later versions are automatically protected through a service-side mitigation, but users must restart their Office applications for the protection to take effect.”
For Office 2016 and 2019, users should install the latest out-of-band security updates without delay. Those running Office 2021 and newer versions need to restart their applications to activate the service-side protection.
Where organisations cannot apply updates immediately, the advisory recommends implementing a registry-based mitigation and maintaining general security hygiene.
The agency also advised organisations to educate staff on the risks of opening unsolicited or unexpected Office documents. It further urged the use of endpoint protection and email filtering tools, while calling for close monitoring of systems for suspicious Microsoft Office-related activity.
Given that exploitation has already been confirmed, the agency said immediate action is necessary to reduce exposure.
