CVE-2026-21509
Azure Connected Machine Agent, Azure Core shared client library for Python, Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office Deployment Tool, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, Microsoft SQL Server 2022, Microsoft SQL Server 2025, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition, Microsoft Word 2016, Office Online Server, Windows 10, Windows 11, Windows Admin Center in Azure Portal, Windows SDK, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025

Update 1
On January 26, 2026, Microsoft published an out-of-band security advisory to address an important vulnerability, CVE-2026-21509. Also on January 26, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) Database. Microsoft has received reports that CVE-2026-20805 and CVE-2026-21509 are being exploited.

Update 2
On March 18, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) Database.

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.
EPSS 15.29% · 94.7th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Windows 11 | |
| Microsoft | Microsoft SharePoint Server 2019 | |
| Microsoft | Windows Admin Center in Azure Portal | |
| Microsoft | Windows 10 | |
| Microsoft | Microsoft SQL Server 2022 | |
| Microsoft | Windows Server 2008 | |
| Azure | Azure Core shared client library for Python | |
| Microsoft | Windows Server 2022 | |
| Microsoft | Windows Server 2016 | |
| Azure | Azure Connected Machine Agent | |
| Microsoft | Microsoft Office LTSC for Mac 2024 | |
| Microsoft | Microsoft Office LTSC for Mac 2021 | |
| Microsoft | Microsoft Office LTSC 2021 | |
| Microsoft | Windows Server 2025 | |
| Microsoft | Microsoft SharePoint Enterprise Server 2016 | |
| Microsoft | Microsoft SharePoint Server Subscription Edition | |
| Microsoft | Microsoft Office Deployment Tool | |
| Microsoft | Microsoft Word 2016 | |
| Office | Office Online Server | |
| Microsoft | Microsoft Excel 2016 | |
…and 10 more
Timeline
- Jan 21, 1970 VulnCheck XDB Entry
- Jul 2, 2021 PoC Published
- Jan 13, 2026 CVE Published
- Jan 26, 2026 CISA KEV Added
- Jan 26, 2026 VulnCheck KEV Exploitation
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
References
- https://cyber.gc.ca/en/alerts-advisories/microsoft-security-advisory-january-2026-monthly-rollup-av26-024 advisory
- https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan vendor
- https://msrc.microsoft.com/update-guide/en-us vendor
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509 vendor
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-21509 advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-20963 advisory