Query Details

Microsoft Office Security Feature Bypass Vulnerability CVE-2026-21509

Query

**Microsoft Office Security Feature Bypass Vulnerability CVE-2026-21509**

Microsoft disclosed CVE-2026-21509, an important vulnerability that allows attackers to bypass Office security protections when a user opens a malicious document. Exploitation has already been observed in the wild.
This mainly affects Office 2016 and 2019, which are still widely used.

✅ How to reduce the risk:

- Install the January 2026 security updates for Office 2016 / 2019
- If patching is delayed, apply the recommended registry mitigation to block the vulnerable COM/OLE control. Microsoft 365 Apps and newer Office versions are protected via service-side mitigations (restart required).

Even “non-critical” Office vulnerabilities matter — a single document can be enough to trigger an attack.


🚨 Run the following KQL query to detect devices running an affected version:

```
// Sergio Albea 27-01-2026
// First patched builds for CVE-2026-21509
let Fixed_Office2016 = "16.0.5539.1001";
let Fixed_Office2019 = "16.0.10417.20095";
DeviceTvmSoftwareInventory
| where SoftwareName has_any ("Office")
| extend V = tostring(SoftwareVersion)
| extend IsOffice2016 = SoftwareName has "2016"
| extend IsOffice2019 = SoftwareName has "2019"
// Vulnerable when the installed build is older than the fixed build for its release
| extend IsVuln =
    case(
        IsOffice2016 and (parse_version(V) < parse_version(Fixed_Office2016)), true,
        IsOffice2019 and (parse_version(V) < parse_version(Fixed_Office2019)), true,
        false
    )
| where IsVuln == true
// Show the fixed build that matches each row's release, not always the 2016 one
| project DeviceName, SoftwareName,
    InstalledVersion = strcat('🚨', SoftwareVersion),
    FixedVersion = iff(IsOffice2016, Fixed_Office2016, Fixed_Office2019),
    FixedVersionNote = iff(SoftwareName contains "2016", '📣 Fixed_Office2016', '📣 Fixed_Office2019')
```

Explanation

This KQL query is designed to identify devices that are running vulnerable versions of Microsoft Office 2016 or 2019, which are susceptible to the CVE-2026-21509 security feature bypass vulnerability. Here's a simplified breakdown of what the query does:

  1. Define Fixed Versions: It sets the fixed (patched) version numbers for Office 2016 and Office 2019, which are "16.0.5539.1001" and "16.0.10417.20095" respectively.

  2. Filter Software Inventory: It searches through the device software inventory for any software that includes "Office" in its name.

  3. Determine Office Version: It checks if the software is Office 2016 or Office 2019.

  4. Check Vulnerability: It compares the current version of Office on each device against the fixed version. If the current version is older (i.e., less than the fixed version), it marks the software as vulnerable.

  5. Output Results: For each device with a vulnerable version of Office, it outputs the device name, software name, current version (highlighted with an alert emoji), the fixed version, and a note indicating which fixed version applies (either for Office 2016 or 2019).

This query helps administrators quickly identify and prioritize devices that need to be updated or mitigated to protect against this specific vulnerability.
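The version check in step 4 can be validated without touching real inventory. The following is an added example, not part of the original query: it runs the same comparison over constructed rows (device names, software names and builds are made up) and shows why `parse_version` is needed instead of a plain string comparison, and which rows have a version that cannot be parsed and would therefore never be flagged.

```kql
// Added example: constructed sample rows, not real inventory data
let Fixed_Office2016 = "16.0.5539.1001";
let Fixed_Office2019 = "16.0.10417.20095";
datatable(DeviceName:string, SoftwareName:string, SoftwareVersion:string)
[
    "pc-01", "Office 2016", "16.0.5530.1000",    // older than the fixed 2016 build
    "pc-02", "Office 2016", "16.0.5539.1001",    // exactly the fixed 2016 build
    "pc-03", "Office 2019", "16.0.9999.20000",   // 4-digit build part vs 5-digit fixed build
    "pc-04", "Office 2019", "16.0.10417.20095",  // exactly the fixed 2019 build
    "pc-05", "Office 2019", "16.0.10420.20001",  // newer than the fixed 2019 build
    "pc-06", "Office 2016", ""                   // version missing from inventory
]
// Pick the fixed build that matches each row's release
| extend Fixed = iff(SoftwareName has "2016", Fixed_Office2016, Fixed_Office2019)
// Numeric, part-by-part comparison (what the detection query uses)
| extend NumericVuln = parse_version(SoftwareVersion) < parse_version(Fixed)
// Lexicographic comparison, for contrast: "9999" sorts after "10417" as text
| extend StringVuln = strcmp(SoftwareVersion, Fixed) < 0
// parse_version returns null on input it cannot parse; the comparison is then null,
// so case() falls through to false and the device is silently treated as not vulnerable
| extend Unparsed = isnull(parse_version(SoftwareVersion))
| project DeviceName, SoftwareName, SoftwareVersion, Fixed, NumericVuln, StringVuln, Unparsed
```

Rows where `Unparsed` is true are worth reviewing separately, since the detection query cannot classify them.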

Details

Sergio Albea

Released: January 27, 2026

Tables

DeviceTvmSoftwareInventory

Keywords

DeviceTvmSoftwareInventory, SoftwareName, SoftwareVersion, DeviceName

Operators

let, has_any, tostring, has, case, parse_version, <, ==, project, strcat, iff, contains