Microsoft security advisory – January 2026 monthly rollup (AV26-024) – Update 1
Analysis Summary
This summary focuses on the critical updates introduced in Microsoft's January 2026 Monthly Rollup (AV26-024) and the subsequent Update 1, highlighting the actively exploited vulnerability CVE-2026-21509.
# Vulnerability: Actively Exploited Important Vulnerability in Microsoft Products (CVE-2026-21509)
## CVE Details
* **CVE ID:** CVE-2026-21509 (Note: The source material does not provide a severity score; the rating is derived from context, where it is described as an "important vulnerability" addressed out-of-band. CVE-2026-20805 was also mentioned as exploited.)
* **CVSS Score:** N/A (Source does not provide score)
* **CWE:** N/A
## Affected Systems
* **Products:** Azure Connected Machine Agent, Azure Core shared client library for Python, Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office Deployment Tool, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, Microsoft SQL Server 2022, Microsoft SQL Server 2025, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition, Microsoft Word 2016, Office Online Server, Windows 10, Windows 11, Windows Admin Center in Azure Portal, Windows SDK, Windows Server (2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2025). (This list reflects products patched in AV26-024; specific products affected by CVE-2026-21509 are likely within this set, particularly Office/Windows components based on the advisory link provided).
* **Versions:** All applicable versions prior to the January 2026 updates (AV26-024) and the subsequent Out-of-Band patch for CVE-2026-21509.
* **Configurations:** N/A
## Vulnerability Description
The advisory covers multiple vulnerabilities fixed in the January 2026 rollup (AV26-024). **CVE-2026-21509** is specifically noted as an **Important** vulnerability that was addressed via an Out-of-Band update on January 26, 2026, described generally as a "Microsoft Office Security Feature Bypass Vulnerability."
## Exploitation
* **Status:** **Exploited in the wild** (Reported exploitation for CVE-2026-21509 and CVE-2026-20805).
* **Complexity:** N/A (Likely low given active exploitation by threat actors)
* **Attack Vector:** Unknown; network or local is implied by the nature of Office/OS vulnerabilities.
## Impact
Impact levels (Confidentiality, Integrity, Availability) were not specified in the summary provided, but security feature bypasses typically impact Confidentiality and Integrity significantly, and in some cases, Availability.
## Remediation
### Patches
* **AV26-024 January 2026 Monthly Rollup:** Updates released January 13, 2026.
* **Out-of-Band Update:** Specific patch addressing CVE-2026-21509 released January 26, 2026. Users should ensure both the monthly rollup and the subsequent OOB patch are applied. (Specific patch versions are detailed in the official Microsoft Security Update Guide).
### Workarounds
No specific workarounds were detailed in the provided context. Immediate patching is highly recommended due to active exploitation.
## Detection
* **Indicators of Compromise:** Not specified in the source material.
* **Detection methods and tools:** Review logs for indicators related to the exploitation paths of CVE-2026-21509. CISA added this CVE to its **Known Exploited Vulnerabilities (KEV) Database**, meaning detection efforts should prioritize systems missing the relevant patches.
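
One way to prioritize systems missing the relevant patches is to triage an inventory export against the two release dates given under Patches. This is an added example, not part of the advisory or any Microsoft tooling. It assumes a CSV with hypothetical columns `host`, `product`, `last_update` (release date of the newest installed security update) and a hypothetical substring match for Office-family products; the date is only a proxy, and the exact fixed builds are in the Security Update Guide.

```python
import csv
import io
from datetime import date

ROLLUP_RELEASED = date(2026, 1, 13)  # AV26-024 monthly rollup (date from the advisory)
OOB_RELEASED = date(2026, 1, 26)     # out-of-band fix for CVE-2026-21509 (date from the advisory)

# Assumption: product families that need the Office OOB fix, matched by
# substring against names in the advisory's affected-products list.
OFFICE_MARKERS = ("office", "microsoft 365 apps", "excel", "word")

# Constructed sample inventory export; hostnames and dates are invented.
SAMPLE_INVENTORY = """host,product,last_update
ws-001,Microsoft Office 2019,2026-01-14
ws-002,Microsoft 365 Apps for Enterprise,2026-01-27
srv-010,Windows Server 2022,2025-12-09
srv-011,Windows Server 2019,2026-01-13
ws-003,Microsoft Word 2016,
"""

def classify(product, last_update):
    """Return the triage status for one inventory row."""
    if last_update is None:
        return "unknown"             # no patch data: investigate first
    if last_update < ROLLUP_RELEASED:
        return "missing-rollup"      # predates the January rollup entirely
    is_office = any(m in product.lower() for m in OFFICE_MARKERS)
    if is_office and last_update < OOB_RELEASED:
        return "missing-oob"         # has the rollup but not the CVE-2026-21509 fix
    return "ok"

def triage(inventory_csv):
    """Map host -> status, with hosts needing attention listed first."""
    order = {"unknown": 0, "missing-rollup": 1, "missing-oob": 2, "ok": 3}
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        raw = (row.get("last_update") or "").strip()
        when = date.fromisoformat(raw) if raw else None
        rows.append((row["host"], classify(row["product"], when)))
    rows.sort(key=lambda r: (order[r[1]], r[0]))
    return dict(rows)

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```
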
## References
* Vendor Advisories:
* [January 2026 Security Updates](https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan)
* [Security Update Guide (General)](https://msrc.microsoft.com/update-guide/en-us)
* [Microsoft Office Security Feature Bypass Vulnerability (CVE-2026-21509)](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509)
* [CISA KEV: CVE-2026-21509](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-21509)