Overview
- Microsoft confirmed active exploitation of a security feature bypass in Office that carries a CVSS score of 7.8 and affects Office 2016, Office 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.
- Successful exploitation requires the recipient to open a malicious Office file; Microsoft states that the Preview Pane is not an attack vector.
- Customers on Office 2021 and later receive a service-side protection that takes effect once Office applications are restarted.
- Updates for Office 2016 and 2019 are now available, including builds 16.0.5539.1001 (Office 2016) and 16.0.10417.20095 (Office 2019), with a registry-based COM Compatibility workaround documented for environments that cannot immediately patch.
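As an added defender's check, not part of the advisory or Microsoft's own tooling, the PowerShell below reads the installed Office 16.x build (from the Click-to-Run `VersionToReport` registry value, or the file version of WINWORD.EXE on MSI installs) and compares it against the two fixed builds named above. The mapping of build families to product lines (16.0.5xxx as Office 2016 MSI, 16.0.10xxx as Office 2019) and the WINWORD.EXE paths are assumptions; builds outside those families are reported as not covered rather than guessed at, and the COM Compatibility workaround is not touched because its registry details are not given here.

```powershell
# Added example: compare the installed Office build with the fixed builds named in the summary.
# The two version numbers come from the page; the build-family mapping is an assumption.
$FixedBuilds = @{
    Office2016 = [version]'16.0.5539.1001'    # assumed family: 16.0.5xxx (Office 2016, MSI)
    Office2019 = [version]'16.0.10417.20095'  # assumed family: 16.0.10xxx (Office 2019)
}

function Get-InstalledOfficeVersion {
    # Click-to-Run installs record the build in this configuration key.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $v = (Get-ItemProperty -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
    if ($v) { return [version]$v }

    # MSI installs: fall back to the file version of Word's executable (assumed locations).
    $candidates = @(
        "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE",
        "${env:ProgramFiles(x86)}\Microsoft Office\root\Office16\WINWORD.EXE",
        "$env:ProgramFiles\Microsoft Office\Office16\WINWORD.EXE",
        "${env:ProgramFiles(x86)}\Microsoft Office\Office16\WINWORD.EXE"
    )
    foreach ($p in $candidates) {
        if (Test-Path $p) { return [version](Get-Item $p).VersionInfo.FileVersion }
    }
    return $null
}

function Test-OfficeBuildPatched {
    param([Parameter(Mandatory)][version]$Installed)

    # Pick the fixed build for the installed build family; anything else is "not covered".
    $fixed = switch ($Installed.Build) {
        { $_ -lt 10000 }                   { $FixedBuilds.Office2016 }
        { $_ -ge 10000 -and $_ -lt 11000 } { $FixedBuilds.Office2019 }
        default                            { $null }
    }

    if (-not $fixed) {
        return [pscustomobject]@{
            Installed = $Installed; Fixed = $null; Patched = $null
            Note = 'Build family not covered by the two fixed builds named in the summary'
        }
    }
    [pscustomobject]@{
        Installed = $Installed; Fixed = $fixed; Patched = ($Installed -ge $fixed); Note = ''
    }
}

# Usage: report the local machine's status.
$installed = Get-InstalledOfficeVersion
if ($installed) { Test-OfficeBuildPatched -Installed $installed } else { 'No Office 16.x build found' }
```

Because [version] comparison is numeric per component, a build such as 16.0.5540.1000 correctly tests as at or above 16.0.5539.1001, while a Microsoft 365 Apps build (16.0.1xxxx outside the 10xxx range) is flagged as not covered, since the summary gives no fixed build for that channel.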
- Microsoft has withheld technical details and no public proof-of-concept is available, with discovery credited to MSTIC, MSRC, and the Office Product Group Security Team.