Share
## https://sploitus.com/exploit?id=E426E2E7-A294-54CF-B700-D24822151136
# CVE-2026-21509 Mitigation Script

Traditional Chinese version: [README_zh-TW.md](README_zh-TW.md)

## Overview
This script applies a registry-based mitigation to protect against CVE-2026-21509 (Microsoft Office security feature bypass vulnerability), which has been exploited in the wild.

**CVE ID:** CVE-2026-21509  
**Severity:** Important  
**Impact:** Security Feature Bypass  
**Affected Products:** Microsoft Office 2016 and 2019

## Vulnerability Details
- **Attack Vector:** Local
- **User Interaction:** Required
- **CVSS Score:** 7.8 (Base) / 7.2 (Temporal)
- **Exploitation Status:** Exploited in the wild

## Important Notes

Before running the script, please visit:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
In the Security Updates section, confirm there is a download link that matches your Office version.

### Who needs this script?
- **Office 2016 and 2019 users:** This mitigation is needed before installing the security update.
- **Office 2021 and later:** Already protected. No action required.

### This is a temporary mitigation
This registry change provides immediate protection but does not replace the official security update. You must still install the security update (KB5002713) as soon as possible.

## Included Files
1. `CVE-2026-21509_Mitigation.ps1` - PowerShell script that applies the registry keys
2. `Apply_CVE-2026-21509_Mitigation.bat` - Batch launcher (easier to run)
3. `README.md` - This file

## How to Use

### Method 1: Use the batch file (recommended)
1. Right-click `Apply_CVE-2026-21509_Mitigation.bat`
2. Choose "Run as administrator"
3. Read the on-screen information carefully
4. When prompted "Do you want to continue with the mitigation? (y/N)":
   - Enter `y` or `Y` and press Enter to continue
   - Enter any other character or press Enter to cancel
5. If you continue, the script creates a registry backup on your Desktop
6. Restart all Office applications after completion

### Method 2: Run PowerShell directly
1. Open PowerShell as administrator
2. Change to the script directory
3. Run: `Set-ExecutionPolicy Bypass -Scope Process -Force`
4. Run: `./CVE-2026-21509_Mitigation.ps1`
5. Follow the prompts to confirm
6. Restart all Office applications after completion

## What the Script Does

The script explains the changes in detail and asks for confirmation before applying them. The flow:

**Phase 1: Information and confirmation**
1. **Show vulnerability information**
   - CVE ID, severity, exploitation status
   - Affected Office versions

2. **List planned actions**
   - Registry backup location
   - Office install type detection
   - Registry paths and values to be added
   - Important reminders

3. **Ask for confirmation**
   - Prompt: "Do you want to continue with the mitigation? (y/N)"
   - `y` or `Y` continues, anything else cancels

**Phase 2: Apply changes** (only after confirmation)
1. **[Step 1/4] Create a registry backup** on the Desktop
2. **[Step 2/4] Detect your Office configuration** (32-bit/64-bit, MSI/Click-to-Run)
3. **[Step 3/4] Apply registry keys** to the appropriate location:
   - MSI Office: `HKLM\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility`
   - Click-to-Run: `HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\...`
   - Create CLSID key: `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`
   - Set compatibility flags: `0x00000400`
4. **[Step 4/4] Provide a detailed results report**

## Registry Paths Applied

Depending on your system and Office configuration, the script applies changes to one or more of the following paths:

- **64-bit MSI Office (or 32-bit on 32-bit Windows):**
  ```
  HKLM\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
  ```

- **32-bit MSI Office on 64-bit Windows:**
  ```
  HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
  ```

- **64-bit Click-to-Run (or 32-bit on 32-bit Windows):**
  ```
  HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
  ```

- **32-bit Click-to-Run on 64-bit Windows:**
  ```
  HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
  ```

## After Running the Script

1. **Restart all Office applications** (Word, Excel, PowerPoint, etc.)
2. **Install the security update:**
   - KB article: 5002713
   - Download from Microsoft Update Catalog
   - Or wait for Windows Update to deliver it

## Verification

To verify that the registry keys were applied:
1. Press `Win + R`, type `regedit`, and press Enter
2. Navigate to one of the paths listed above based on your Office configuration
3. Verify the CLSID key exists and `Compatibility Flags` = `0x00000400`

## Rollback Instructions

If you need to remove the mitigation:
1. Find the registry backup file on your Desktop: `RegistryBackup_CVE-2026-21509_*.reg`
2. Double-click it to restore the registry
3. Restart Office applications

Or manually delete the registry keys created by the script.

## System Requirements
- Windows OS
- Microsoft Office 2016 or 2019 (MSI or Click-to-Run)
- Administrator privileges
- PowerShell 5.0 or later

## Security Update Information

### Microsoft official security updates apply to:
- Microsoft Office 2016 (32-bit and 64-bit)
- Microsoft Office 2019 (32-bit and 64-bit)
- Microsoft Office LTSC 2021 (32-bit and 64-bit)
- Microsoft Office LTSC 2024 (32-bit and 64-bit)
- Microsoft 365 Apps for enterprise

### Update build numbers:
- **Office 2016:** 16.0.5539.1001
- **Office 2019:** 16.0.10417.20095
- **Office 2021/2024/M365:** See https://aka.ms/OfficeSecurityReleases

## References
- Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
- KB article: https://support.microsoft.com/help/5002713
- Security update download: https://www.microsoft.com/zh-tw/download/details.aspx?id=108535
- Registry backup guide: https://support.microsoft.com/zh-tw/help/322756

## Disclaimer
This script is provided "as is" without warranty of any kind. Test in a non-production environment first. The registry backup feature helps ensure you can restore changes if needed.

Code generation note: This code was generated with Claude AI.

## Support
If you have questions about this vulnerability, contact Microsoft Support or refer to official guidance from the Microsoft Security Response Center.

## FAQ

### Q: Are updates for Office 2016 and 2019 available now?
A: Yes. As of January 26, 2026, Microsoft has released security updates for Office 2016 and 2019. Customers should ensure these updates are installed to protect against this vulnerability.

### Q: How do I check my installed version?
A:
1. Open any Office app (Word, Excel, etc.)
2. Go to "File" > "Account"
3. Check the version information under "About"

### Q: Do I need to apply the registry mitigation first?
A:
- **Office 2016/2019:** Yes. Apply this mitigation before installing the security update.
- **Office 2021 and later:** No. Already protected.

### Q: Do I still need to install the update after applying the mitigation?
A: Yes. This registry mitigation is temporary. You must install the official security update for full protection.

### Q: Has this vulnerability been publicly disclosed?
A: No, but exploitation has been detected in the wild.

### Q: I use Microsoft 365. Do I need to do anything?
A: Microsoft 365 Apps for enterprise users should ensure the latest updates are installed. Systems configured for automatic updates do not require additional action.

## Troubleshooting

### Error: "This script must be run as administrator"
**Resolution:** Right-click the batch file and select "Run as administrator"

### Error: PowerShell execution policy
**Resolution:** Open PowerShell as administrator and run:
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
```

### Office installation not found
**Possible causes:**
- You may have Office 2021 or later installed (mitigation not needed)
- Office installed in a non-standard location
- Using Office Online or the web version

### Registry changes did not take effect
**Resolution:**
1. Confirm the script ran with administrator privileges
2. Restart all Office applications
3. Reboot the computer if needed

## Technical Details

### Blocked COM object
This mitigation blocks the following CLSID:
- `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`

This CLSID is associated with a vulnerable OLE control that attackers can use to bypass Office security features.

### Compatibility flags
The value `0x00000400` (DWORD) instructs Office to block loading this specific COM object, preventing exploitation.

### Impact on normal use
This mitigation should not affect normal Office functionality. If you experience issues, use the Desktop backup file to restore the registry changes.

## Contact and Feedback

If you encounter issues or have suggestions for improvement:
- Review Microsoft official support documentation
- Contact your organization's IT support team
- Refer to the Microsoft Security Response Center website for the latest information