Share
## https://sploitus.com/exploit?id=C74D580F-AB9A-53FA-BB5A-970EA4A7A470
# CVE-2026-21509 Office Kill-Bit Manager

PowerShell script to **check, apply, and test** the Kill-Bit protection for the **CVE-2026-21509** Microsoft Office zero-day vulnerability affecting Office 2016/2019/LTSC.

## What is CVE-2026-21509?

**Critical RCE vulnerability** in Microsoft Office OLE/COM handling (CVSS 9.8). Actively exploited by APT28 (Fancy Bear) via malicious RTF/DOC files targeting Shell.Explorer COM object `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`.

**Affected**: Office 2016, 2019, LTSC 2021/2024, Microsoft 365 Apps (pre-January 26, 2026 patches)

## Features

| Feature | Description |
|---------|-------------|
| **Kill-Bit Check** | Detects if protection is active in registry |
| **Auto-Patch** | Sets Kill-Bit for 32/64-bit Office |
| **Test File** | Creates RTF dummy to verify Kill-Bit blocks COM object |
| **KB Checker** | Lists KB5002694/KB5002695 patches |
| **Restore** | Removes Kill-Bit (post-official patch) |
| **Auto-detect** | Identifies Office architecture |

## Prerequisites

- **Windows 10/11** with **Office 2016+**
- **PowerShell 5.1+** (built-in)
- **Administrator rights** (required for registry)

## Installation

1. **Download** `CVE-2026-21509.ps1`
2. **Right-click** โ†’ **"Run with PowerShell"** (as Administrator)
3. **Menu-driven** - no parameters needed

## Usage

```
=== CVE-2026-21509 Office Kill-Bit Management ===

  โ–‘โ–ˆโ–€โ–€โ–‘โ–ˆโ–‘โ–ˆโ–‘โ–ˆโ–€โ–€โ–‘โ–‘โ–‘โ–‘โ–‘โ–€โ–€โ–„โ–‘โ–„โ–€โ–„โ–‘โ–€โ–€โ–„โ–‘โ–„โ–€โ–€โ–‘โ–‘โ–‘โ–‘โ–‘โ–€โ–€โ–„โ–‘โ–€โ–ˆโ–‘โ–‘โ–ˆโ–€โ–€โ–‘โ–„โ–€โ–„โ–‘โ–„โ–€โ–„
  โ–‘โ–ˆโ–‘โ–‘โ–‘โ–€โ–„โ–€โ–‘โ–ˆโ–€โ–€โ–‘โ–„โ–„โ–„โ–‘โ–„โ–€โ–‘โ–‘โ–ˆ/โ–ˆโ–‘โ–„โ–€โ–‘โ–‘โ–ˆโ–€โ–„โ–‘โ–„โ–„โ–„โ–‘โ–„โ–€โ–‘โ–‘โ–‘โ–ˆโ–‘โ–‘โ–€โ–€โ–„โ–‘โ–ˆ/โ–ˆโ–‘โ–‘โ–€โ–ˆ
  โ–‘โ–€โ–€โ–€โ–‘โ–‘โ–€โ–‘โ–‘โ–€โ–€โ–€โ–‘โ–‘โ–‘โ–‘โ–‘โ–€โ–€โ–€โ–‘โ–‘โ–€โ–‘โ–‘โ–€โ–€โ–€โ–‘โ–‘โ–€โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–€โ–€โ–€โ–‘โ–€โ–€โ–€โ–‘โ–€โ–€โ–‘โ–‘โ–‘โ–€โ–‘โ–‘โ–€โ–€โ–‘
  
  Name: CVE-2026-21509.ps1
  ====================================================="

1. Check Kill-Bit Status        [Recommended first]
2. Apply Kill-Bit Protection    [If missing]
3. Test with Dummy COM File     [Verify protection]
4. Remove Kill-Bit (Restore)    [After official patch]
5. Check KB Updates             [Patch status]
0. Exit
```

### Quick Start Workflow

```powershell
# 1. Check status
Option 1 โ†’ "Kill-Bit MISSING" = Vulnerable!

# 2. Apply protection  
Option 2 โ†’ "PROTECTED! 2 registry entries patched"

# 3. Verify with test
Option 3 โ†’ Creates test RTF โ†’ Open in Word
โœ“ Kill-Bit works = "Object cannot be activated"
โœ— Vulnerable = Object loads
```

## Test File Results

| Kill-Bit Status | Word Behavior | Protection |
|----------------|---------------|------------|
| **Active** | "Cannot activate object" / Blank area | โœ… **SAFE** |
| **Inactive** | COM object loads / potential RCE | โš ๏ธ **RISK** |

## KB Patches

| KB | Office Version | Release |
|----|----------------|---------|
| **KB5002694** | Office 2016/2019 | Jan 26, 2026 |
| **KB5002695** | LTSC 2021/2024, M365 | Jan 26, 2026 |

**Option 5** shows installed status via `Get-HotFix`.

## Registry Locations

**64-bit Office**:
```
HKLM\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
"Compatibility Flags" = dword:00000400
```

**32-bit Office**:
```
HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\...
```

## Troubleshooting

| Issue | Solution |
|-------|----------|
| "Access denied" | Run as **Administrator** |
| "Office not found" | Installs Office 2016+ required |
| Test file "safe" but KB missing | Kill-Bit works, install KB anyway |
| Legit COM objects broken | Temporary - remove after KB install |

## Security Notes

- **Kill-Bit blocks ONLY this CLSID** - other Office functions unaffected
- **Official patches** automatically set/remove Kill-Bit
- **Test file is SAFE** - contains no executable code, only CLSID reference
- **Phishing still dangerous** - keep Protected View enabled

## After Patching

1. โœ… Install **KB5002694/95** from Windows Update / [Update Catalog](https://catalog.update.microsoft.com)
2. โœ… Option 4 โ†’ **Remove Kill-Bit** (optional, patch handles it)
3. โœ… Delete test file from `%TEMP%`

## License

[MIT License](LICENSE) - Free for personal/commercial use.

## Disclaimer

**Not official Microsoft software**. Use at your own risk. Tested on Windows 10/11 with Office 2016-2024.

***

**โญ Star on GitHub if helpful!**  
**๐Ÿ› Issues?** [Open an issue](https://github.com/suuhm/CVE-2026-21509-handler/issues)

**References**:  
[CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities) | [MSRC](https://msrc.microsoft.com) | [BornCity Blog](https://borncity.com)