Share
## https://sploitus.com/exploit?id=3E62D1D9-C87C-51D9-A847-0A971F515235
# CVE-2026-21509 — Educational Dummy PoC for Defender Visibility

> ⚠️ **This repository provides a harmless, non-exploit Proof of Concept.**  
> Its purpose is to support **defensive research**, **EDR/AV visibility testing**, and **training**.  
> It **does not exploit** CVE‑2026‑21509 and contains only **dummy OLE artifacts**.

---

## 📝 Overview

This repository contains an **educational PoC** simulating structural markers related to **CVE‑2026‑21509**, a Microsoft Office **security feature bypass** vulnerability.  
The PoC generates a **harmless DOCX file** containing dummy embedded OLE components for **telemetry observation**, **sandbox analysis**, **EDR rule validation**, and **SOC training**.

**Nothing in this repository is malicious.  
No code execution, no exploit chain, no harmful objects.**

---

## 📌 About CVE‑2026‑21509

CVE‑2026‑21509 is a **security feature bypass** in Microsoft Office caused by **reliance on untrusted inputs in a security decision**, allowing an unauthorized attacker to bypass OLE protections locally after the user opens a crafted document. [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)

The vulnerability:

- Allows bypass of **OLE mitigations** in Microsoft Office and Microsoft 365 Apps. [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)  
- Requires user interaction (the victim must open the file). [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)  
- **Preview Pane is not an attack vector.** [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)  
- Has a CVSS v3.1 score of **7.8 (High)**. [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)  
- Is included in the **CISA Known Exploited Vulnerabilities (KEV)** catalog. [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)  

### Affected product families

According to Microsoft and multiple advisories, the following are impacted:  
- Office **2016**  
- Office **2019**  
- Office **LTSC 2021**  
- Office **LTSC 2024**  
- **Microsoft 365 Apps** for Enterprise [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)  

---

## 🎯 Purpose of This PoC

This project exists **only** to:

- Help blue teams understand Office file structures related to OLE.  
- Provide a **safe sample** to test:
  - EDR detections  
  - ASR (Attack Surface Reduction) rules  
  - MOTW/Protected View behavior  
  - Sandbox analysis workflows  
- Train SOC analysts on document‑based threat hunting.

Again:

> ❗ **This PoC does NOT exploit CVE‑2026‑21509.  
> It only simulates harmless structural patterns for learning and detection testing.**

---

## 🔍 Inspecting the DOCX with 7‑Zip

You can analyze the generated file using **7‑Zip**:

1. Right‑click the file → **Open archive** (7‑Zip)  
2. Inspect internal ZIP structure:
   - `word/document.xml`
   - `word/_rels/document.xml.rels`
   - `word/embeddings/` (dummy `oleObjectX.bin`)
3. Extract for offline analysis, signature development, etc.

This helps defenders understand object relationships inside Office documents **without risk**.

---

## 🧪 Blue Team / EDR Checklist

When opening the dummy DOCX in an isolated environment, watch for:

- Office’s behavior when reading OLE relationships  
- Registry access related to COM/OLE policy checks  
- ASR rule triggers  
- EDR telemetry for:
  - OLE object parsing  
  - Office trust-policy evaluations  
  - Protected View transitions  
  - Any unexpected module loads

Reference OLE/COM behavior patterns explained in Microsoft’s advisory and analysis of CVE‑2026‑21509. [3](https://www.techrepublic.com/article/news-microsoft-office-zero-day-emergency-patch-january-2026/)

---

## 🔧 Mitigation (Real Vulnerability Context)

Microsoft has released:

- **Out‑of‑band patches** for multiple Office versions. [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)  
- **Service‑side protections** for Office 2021+ (restart required). [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)  
- Temporary **registry-based COM kill-bit mitigation** for Office 2016/2019 until patches roll out. [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)  

CISA requires organizations to apply mitigations by the deadline listed in the KEV catalog. [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)

---

## ⚖️ Legal & Ethical Notice

- Use **only in isolated lab environments**.  
- Do **not** send the file to production mailboxes or endpoints.  
- The maintainers are **not responsible** for misuse.  
- This PoC includes **no malicious payloads, no exploit chain, no harmful logic**.

---

## 📚 References

- NVD CVE‑2026‑21509 Entry [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)  
- BleepingComputer OOB Patch Analysis [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)  
- TechRepublic OLE Bypass Deep Dive [3](https://www.techrepublic.com/article/news-microsoft-office-zero-day-emergency-patch-january-2026/)  
- SecurityWeek Exploitation Overview [4](https://www.securityweek.com/microsoft-patches-office-zero-day-likely-exploited-in-targeted-attacks/)  

---

## 📄 License

This project is provided strictly for **research and educational purposes**.