Ukraine’s Computer Emergency Response Team (CERT) says that Russian hackers are exploiting CVE-2026–21509, a recently patched vulnerability in multiple versions of Microsoft Office.

On January 26, Microsoft released an emergency out-of-band security update marking CVE-2026–21509 as an actively exploited zero-day flaw.

CERT-UA detected the distribution of malicious DOC files exploiting the flaw, themed around EU COREPER consultations in Ukraine, just three days after Microsoft’s alert.