## https://sploitus.com/exploit?id=3E62D1D9-C87C-51D9-A847-0A971F515235
# CVE-2026-21509 — Educational Dummy PoC for Defender Visibility
> ⚠️ **This repository provides a harmless, non-exploit Proof of Concept.**
> Its purpose is to support **defensive research**, **EDR/AV visibility testing**, and **training**.
> It **does not exploit** CVE‑2026‑21509 and contains only **dummy OLE artifacts**.
---
## 📝 Overview
This repository contains an **educational PoC** simulating structural markers related to **CVE‑2026‑21509**, a Microsoft Office **security feature bypass** vulnerability.
The PoC generates a **harmless DOCX file** containing dummy embedded OLE components for **telemetry observation**, **sandbox analysis**, **EDR rule validation**, and **SOC training**.
**Nothing in this repository is malicious.
No code execution, no exploit chain, no harmful objects.**
---
## 📌 About CVE‑2026‑21509
CVE‑2026‑21509 is a **security feature bypass** in Microsoft Office caused by **reliance on untrusted inputs in a security decision**, allowing an unauthorized attacker to bypass OLE protections locally after the user opens a crafted document. [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)
The vulnerability:
- Allows bypass of **OLE mitigations** in Microsoft Office and Microsoft 365 Apps. [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)
- Requires user interaction (the victim must open the file). [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)
- **Preview Pane is not an attack vector.** [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)
- Has a CVSS v3.1 score of **7.8 (High)**. [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)
- Is included in the **CISA Known Exploited Vulnerabilities (KEV)** catalog. [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)
### Affected product families
According to Microsoft and multiple advisories, the following are impacted:
- Office **2016**
- Office **2019**
- Office **LTSC 2021**
- Office **LTSC 2024**
- **Microsoft 365 Apps** for Enterprise [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)
---
## 🎯 Purpose of This PoC
This project exists **only** to:
- Help blue teams understand Office file structures related to OLE.
- Provide a **safe sample** to test:
- EDR detections
- ASR (Attack Surface Reduction) rules
- MOTW/Protected View behavior
- Sandbox analysis workflows
- Train SOC analysts on document‑based threat hunting.
Again:
> ❗ **This PoC does NOT exploit CVE‑2026‑21509.
> It only simulates harmless structural patterns for learning and detection testing.**
---
## 🔍 Inspecting the DOCX with 7‑Zip
You can analyze the generated file using **7‑Zip**:
1. Right‑click the file → **Open archive** (7‑Zip)
2. Inspect internal ZIP structure:
- `word/document.xml`
- `word/_rels/document.xml.rels`
- `word/embeddings/` (dummy `oleObjectX.bin`)
3. Extract for offline analysis, signature development, etc.
This helps defenders understand object relationships inside Office documents **without risk**.
---
## 🧪 Blue Team / EDR Checklist
When opening the dummy DOCX in an isolated environment, watch for:
- Office’s behavior when reading OLE relationships
- Registry access related to COM/OLE policy checks
- ASR rule triggers
- EDR telemetry for:
- OLE object parsing
- Office trust-policy evaluations
- Protected View transitions
- Any unexpected module loads
Reference OLE/COM behavior patterns explained in Microsoft’s advisory and analysis of CVE‑2026‑21509. [3](https://www.techrepublic.com/article/news-microsoft-office-zero-day-emergency-patch-january-2026/)
---
## 🔧 Mitigation (Real Vulnerability Context)
Microsoft has released:
- **Out‑of‑band patches** for multiple Office versions. [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)
- **Service‑side protections** for Office 2021+ (restart required). [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)
- Temporary **registry-based COM kill-bit mitigation** for Office 2016/2019 until patches roll out. [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)
CISA requires organizations to apply mitigations by the deadline listed in the KEV catalog. [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)
---
## ⚖️ Legal & Ethical Notice
- Use **only in isolated lab environments**.
- Do **not** send the file to production mailboxes or endpoints.
- The maintainers are **not responsible** for misuse.
- This PoC includes **no malicious payloads, no exploit chain, no harmful logic**.
---
## 📚 References
- NVD CVE‑2026‑21509 Entry [1](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)
- BleepingComputer OOB Patch Analysis [2](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/)
- TechRepublic OLE Bypass Deep Dive [3](https://www.techrepublic.com/article/news-microsoft-office-zero-day-emergency-patch-january-2026/)
- SecurityWeek Exploitation Overview [4](https://www.securityweek.com/microsoft-patches-office-zero-day-likely-exploited-in-targeted-attacks/)
---
## 📄 License
This project is provided strictly for **research and educational purposes**.