Share
## https://sploitus.com/exploit?id=C74D580F-AB9A-53FA-BB5A-970EA4A7A470
# CVE-2026-21509 Office Kill-Bit Manager
PowerShell script to **check, apply, and test** the Kill-Bit protection for the **CVE-2026-21509** Microsoft Office zero-day vulnerability affecting Office 2016/2019/LTSC.
## What is CVE-2026-21509?
**Critical RCE vulnerability** in Microsoft Office OLE/COM handling (CVSS 9.8). Actively exploited by APT28 (Fancy Bear) via malicious RTF/DOC files targeting Shell.Explorer COM object `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`.
**Affected**: Office 2016, 2019, LTSC 2021/2024, Microsoft 365 Apps (pre-January 26, 2026 patches)
## Features
| Feature | Description |
|---------|-------------|
| **Kill-Bit Check** | Detects if protection is active in registry |
| **Auto-Patch** | Sets Kill-Bit for 32/64-bit Office |
| **Test File** | Creates RTF dummy to verify Kill-Bit blocks COM object |
| **KB Checker** | Lists KB5002694/KB5002695 patches |
| **Restore** | Removes Kill-Bit (post-official patch) |
| **Auto-detect** | Identifies Office architecture |
## Prerequisites
- **Windows 10/11** with **Office 2016+**
- **PowerShell 5.1+** (built-in)
- **Administrator rights** (required for registry)
## Installation
1. **Download** `CVE-2026-21509.ps1`
2. **Right-click** โ **"Run with PowerShell"** (as Administrator)
3. **Menu-driven** - no parameters needed
## Usage
```
=== CVE-2026-21509 Office Kill-Bit Management ===
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโ/โโโโโโโโโโโโโโโโโโโโโโโโโโโ/โโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Name: CVE-2026-21509.ps1
====================================================="
1. Check Kill-Bit Status [Recommended first]
2. Apply Kill-Bit Protection [If missing]
3. Test with Dummy COM File [Verify protection]
4. Remove Kill-Bit (Restore) [After official patch]
5. Check KB Updates [Patch status]
0. Exit
```
### Quick Start Workflow
```powershell
# 1. Check status
Option 1 โ "Kill-Bit MISSING" = Vulnerable!
# 2. Apply protection
Option 2 โ "PROTECTED! 2 registry entries patched"
# 3. Verify with test
Option 3 โ Creates test RTF โ Open in Word
โ Kill-Bit works = "Object cannot be activated"
โ Vulnerable = Object loads
```
## Test File Results
| Kill-Bit Status | Word Behavior | Protection |
|----------------|---------------|------------|
| **Active** | "Cannot activate object" / Blank area | โ
**SAFE** |
| **Inactive** | COM object loads / potential RCE | โ ๏ธ **RISK** |
## KB Patches
| KB | Office Version | Release |
|----|----------------|---------|
| **KB5002694** | Office 2016/2019 | Jan 26, 2026 |
| **KB5002695** | LTSC 2021/2024, M365 | Jan 26, 2026 |
**Option 5** shows installed status via `Get-HotFix`.
## Registry Locations
**64-bit Office**:
```
HKLM\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
"Compatibility Flags" = dword:00000400
```
**32-bit Office**:
```
HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\...
```
## Troubleshooting
| Issue | Solution |
|-------|----------|
| "Access denied" | Run as **Administrator** |
| "Office not found" | Installs Office 2016+ required |
| Test file "safe" but KB missing | Kill-Bit works, install KB anyway |
| Legit COM objects broken | Temporary - remove after KB install |
## Security Notes
- **Kill-Bit blocks ONLY this CLSID** - other Office functions unaffected
- **Official patches** automatically set/remove Kill-Bit
- **Test file is SAFE** - contains no executable code, only CLSID reference
- **Phishing still dangerous** - keep Protected View enabled
## After Patching
1. โ
Install **KB5002694/95** from Windows Update / [Update Catalog](https://catalog.update.microsoft.com)
2. โ
Option 4 โ **Remove Kill-Bit** (optional, patch handles it)
3. โ
Delete test file from `%TEMP%`
## License
[MIT License](LICENSE) - Free for personal/commercial use.
## Disclaimer
**Not official Microsoft software**. Use at your own risk. Tested on Windows 10/11 with Office 2016-2024.
***
**โญ Star on GitHub if helpful!**
**๐ Issues?** [Open an issue](https://github.com/suuhm/CVE-2026-21509-handler/issues)
**References**:
[CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities) | [MSRC](https://msrc.microsoft.com) | [BornCity Blog](https://borncity.com)