UAC-0001 (APT28) Attacks Ukraine and EU Countries by Exploiting a New Microsoft Office Vulnerability

In late January 2026, a series of cyberattacks exploiting the CVE-2026-21509 vulnerability in Microsoft Office products was recorded. Microsoft reported the active exploitation of this vulnerability on January 26.

Just a few days later, DOC files containing a built-in exploit appeared in the public domain. One of them was related to consultations of the EU’s Committee of Permanent Representatives (COREPER) on the situation in Ukraine. Another file was distributed allegedly on behalf of the Ukrainian Hydrometeorological Center and was sent to more than 60 email addresses, primarily belonging to central executive authorities of Ukraine.

Opening a malicious document causes the victim machine to connect to an external resource over WebDAV, download malicious code, and launch the COVENANT framework. A legitimate cloud storage service, Filen (filen.io), is used for command-and-control. Persistence on the compromised system is established through COM hijacking and a scheduled task that re-executes the malicious code.

In addition to the attacks against Ukrainian government bodies, three more documents carrying a similar exploit were identified in attacks against organizations in EU countries. In one case, the domain used in the attack had been registered on the very day the attack was carried out.

Given the difficulty of rapidly updating Microsoft Office in certain environments, an increase in the number of attacks exploiting this vulnerability is expected. It is recommended to immediately apply the protective measures published by Microsoft, as well as to restrict or closely monitor interactions with the Filen infrastructure.
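The monitoring the advisory recommends can be expressed as a simple correlation over network telemetry: external WebDAV contact from a workstation followed shortly by traffic to Filen. The script below is an added example, not CERT-UA or Axence code; the JSON-lines event fields (ts, host, method, dest), the sample events and the 30-minute window are all constructed assumptions.

```python
"""Triage sketch for the chain described above: external WebDAV contact
followed by traffic to Filen (filen.io). Added example, not CERT-UA or
Axence code; the JSON-lines fields (ts, host, method, dest) are a constructed
stand-in for a proxy/EDR export and the 30-minute window is an assumption."""
import ipaddress
import json
from datetime import datetime, timedelta

FILEN_DOMAIN = "filen.io"                 # C2 transport named in the report
WEBDAV_METHODS = {"PROPFIND", "OPTIONS"}  # WebDAV discovery verbs
WINDOW = timedelta(minutes=30)            # assumed correlation window

def is_external(dest):
    """Hostnames and non-private IPs count as external resources."""
    try:
        return not ipaddress.ip_address(dest).is_private
    except ValueError:
        return True

def is_filen(dest):
    return dest == FILEN_DOMAIN or dest.endswith("." + FILEN_DOMAIN)

def triage(lines):
    """Return (host, severity, reason) findings from JSON-lines events.
    A lone Filen hit is only a lead (legitimate service); Filen traffic soon
    after external WebDAV from the same host is escalated, matching the report."""
    findings, webdav_seen = [], {}
    for line in lines:
        ev = json.loads(line)
        ts, host, dest = datetime.fromisoformat(ev["ts"]), ev["host"], ev["dest"]
        if is_filen(dest):
            if host in webdav_seen and ts - webdav_seen[host] <= WINDOW:
                findings.append((host, "critical", "Filen traffic after external WebDAV"))
            else:
                findings.append((host, "high", "traffic to Filen infrastructure"))
        elif ev.get("method") in WEBDAV_METHODS and is_external(dest):
            webdav_seen[host] = ts
            findings.append((host, "medium", f"external WebDAV {ev['method']} to {dest}"))
    return findings

# Constructed sample events, not real telemetry
SAMPLE = [
    '{"ts": "2026-01-29T09:00:00", "host": "ws-17", "method": "PROPFIND", "dest": "webdav.example.net"}',
    '{"ts": "2026-01-29T09:01:30", "host": "ws-17", "method": "GET", "dest": "webdav.example.net"}',
    '{"ts": "2026-01-29T09:05:00", "host": "ws-17", "method": "POST", "dest": "api.filen.io"}',
    '{"ts": "2026-01-29T10:00:00", "host": "ws-22", "method": "GET", "dest": "filen.io"}',
    '{"ts": "2026-01-29T10:02:00", "host": "ws-30", "method": "PROPFIND", "dest": "10.0.0.5"}',
]

for host, sev, reason in triage(SAMPLE):
    print(f"{sev:8} {host:6} {reason}")
```

Because Filen is a legitimate service, treat a "high" finding as a review queue item and the "critical" correlation as the trigger for host isolation and inspection of scheduled tasks and COM registrations.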

How IT Asset Visibility Can Help

The CVE-2026-21509 case once again confirms that the speed of response to vulnerability disclosure is critical. In situations where an exploit begins to be used just days after an official advisory is released, organizations must clearly understand:

  • which versions of Microsoft Office are installed on workstations,
  • which devices remain unpatched,
  • where exactly the potential attack surface exists.

In this context, the Inventory module in Axence nVision can play an important role. Through centralized software inventory, auditing of installed versions, control over installations, and the ability to perform mass actions via the MS package manager, IT teams gain:

  • a complete view of Microsoft Office deployment across the network,
  • control over the update process,
  • change history and auditing of the software environment.

Thus, while Inventory does not directly prevent exploitation of the vulnerability, it significantly reduces the exploit window and minimizes the number of potentially compromised workstations.
