## https://sploitus.com/exploit?id=E426E2E7-A294-54CF-B700-D24822151136
# CVE-2026-21509 Mitigation Script
Traditional Chinese version: [README_zh-TW.md](README_zh-TW.md)
## Overview
This script applies a registry-based mitigation to protect against CVE-2026-21509 (Microsoft Office security feature bypass vulnerability), which has been exploited in the wild.
**CVE ID:** CVE-2026-21509
**Severity:** Important
**Impact:** Security Feature Bypass
**Affected Products:** Microsoft Office 2016 and 2019
## Vulnerability Details
- **Attack Vector:** Local
- **User Interaction:** Required
- **CVSS Score:** 7.8 (Base) / 7.2 (Temporal)
- **Exploitation Status:** Exploited in the wild
## Important Notes
Before running the script, please visit:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
In the Security Updates section, confirm there is a download link that matches your Office version.
### Who needs this script?
- **Office 2016 and 2019 users:** This mitigation is needed before installing the security update.
- **Office 2021 and later:** Already protected. No action required.
### This is a temporary mitigation
This registry change provides immediate protection but does not replace the official security update. You must still install the security update (KB5002713) as soon as possible.
## Included Files
1. `CVE-2026-21509_Mitigation.ps1` - PowerShell script that applies the registry keys
2. `Apply_CVE-2026-21509_Mitigation.bat` - Batch launcher (easier to run)
3. `README.md` - This file
## How to Use
### Method 1: Use the batch file (recommended)
1. Right-click `Apply_CVE-2026-21509_Mitigation.bat`
2. Choose "Run as administrator"
3. Read the on-screen information carefully
4. When prompted "Do you want to continue with the mitigation? (y/N)":
- Enter `y` or `Y` and press Enter to continue
- Enter any other character or press Enter to cancel
5. If you continue, the script creates a registry backup on your Desktop
6. Restart all Office applications after completion
### Method 2: Run PowerShell directly
1. Open PowerShell as administrator
2. Change to the script directory
3. Run: `Set-ExecutionPolicy Bypass -Scope Process -Force`
4. Run: `./CVE-2026-21509_Mitigation.ps1`
5. Follow the prompts to confirm
6. Restart all Office applications after completion
## What the Script Does
The script explains the changes in detail and asks for confirmation before applying them. The flow:
**Phase 1: Information and confirmation**
1. **Show vulnerability information**
- CVE ID, severity, exploitation status
- Affected Office versions
2. **List planned actions**
- Registry backup location
- Office install type detection
- Registry paths and values to be added
- Important reminders
3. **Ask for confirmation**
- Prompt: "Do you want to continue with the mitigation? (y/N)"
- `y` or `Y` continues, anything else cancels
**Phase 2: Apply changes** (only after confirmation)
1. **[Step 1/4] Create a registry backup** on the Desktop
2. **[Step 2/4] Detect your Office configuration** (32-bit/64-bit, MSI/Click-to-Run)
3. **[Step 3/4] Apply registry keys** to the appropriate location:
- MSI Office: `HKLM\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility`
- Click-to-Run: `HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\...`
- Create CLSID key: `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`
- Set compatibility flags: `0x00000400`
4. **[Step 4/4] Provide a detailed results report**
## Registry Paths Applied
Depending on your system and Office configuration, the script applies changes to one or more of the following paths:
- **64-bit MSI Office (or 32-bit on 32-bit Windows):**
```
HKLM\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
```
- **32-bit MSI Office on 64-bit Windows:**
```
HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
```
- **64-bit Click-to-Run (or 32-bit on 32-bit Windows):**
```
HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
```
- **32-bit Click-to-Run on 64-bit Windows:**
```
HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
```
## After Running the Script
1. **Restart all Office applications** (Word, Excel, PowerPoint, etc.)
2. **Install the security update:**
- KB article: 5002713
- Download from Microsoft Update Catalog
- Or wait for Windows Update to deliver it
## Verification
To verify that the registry keys were applied:
1. Press `Win + R`, type `regedit`, and press Enter
2. Navigate to one of the paths listed above based on your Office configuration
3. Verify the CLSID key exists and `Compatibility Flags` = `0x00000400`
## Rollback Instructions
If you need to remove the mitigation:
1. Find the registry backup file on your Desktop: `RegistryBackup_CVE-2026-21509_*.reg`
2. Double-click it to restore the registry
3. Restart Office applications
Or manually delete the registry keys created by the script.
## System Requirements
- Windows OS
- Microsoft Office 2016 or 2019 (MSI or Click-to-Run)
- Administrator privileges
- PowerShell 5.0 or later
## Security Update Information
### Microsoft official security updates apply to:
- Microsoft Office 2016 (32-bit and 64-bit)
- Microsoft Office 2019 (32-bit and 64-bit)
- Microsoft Office LTSC 2021 (32-bit and 64-bit)
- Microsoft Office LTSC 2024 (32-bit and 64-bit)
- Microsoft 365 Apps for enterprise
### Update build numbers:
- **Office 2016:** 16.0.5539.1001
- **Office 2019:** 16.0.10417.20095
- **Office 2021/2024/M365:** See https://aka.ms/OfficeSecurityReleases
## References
- Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
- KB article: https://support.microsoft.com/help/5002713
- Security update download: https://www.microsoft.com/zh-tw/download/details.aspx?id=108535
- Registry backup guide: https://support.microsoft.com/zh-tw/help/322756
## Disclaimer
This script is provided "as is" without warranty of any kind. Test in a non-production environment first. The registry backup feature helps ensure you can restore changes if needed.
Code generation note: This code was generated with Claude AI.
## Support
If you have questions about this vulnerability, contact Microsoft Support or refer to official guidance from the Microsoft Security Response Center.
## FAQ
### Q: Are updates for Office 2016 and 2019 available now?
A: Yes. As of January 26, 2026, Microsoft has released security updates for Office 2016 and 2019. Customers should ensure these updates are installed to protect against this vulnerability.
### Q: How do I check my installed version?
A:
1. Open any Office app (Word, Excel, etc.)
2. Go to "File" > "Account"
3. Check the version information under "About"
### Q: Do I need to apply the registry mitigation first?
A:
- **Office 2016/2019:** Yes. Apply this mitigation before installing the security update.
- **Office 2021 and later:** No. Already protected.
### Q: Do I still need to install the update after applying the mitigation?
A: Yes. This registry mitigation is temporary. You must install the official security update for full protection.
### Q: Has this vulnerability been publicly disclosed?
A: No, but exploitation has been detected in the wild.
### Q: I use Microsoft 365. Do I need to do anything?
A: Microsoft 365 Apps for enterprise users should ensure the latest updates are installed. Systems configured for automatic updates do not require additional action.
## Troubleshooting
### Error: "This script must be run as administrator"
**Resolution:** Right-click the batch file and select "Run as administrator"
### Error: PowerShell execution policy
**Resolution:** Open PowerShell as administrator and run:
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
```
### Office installation not found
**Possible causes:**
- You may have Office 2021 or later installed (mitigation not needed)
- Office installed in a non-standard location
- Using Office Online or the web version
### Registry changes did not take effect
**Resolution:**
1. Confirm the script ran with administrator privileges
2. Restart all Office applications
3. Reboot the computer if needed
## Technical Details
### Blocked COM object
This mitigation blocks the following CLSID:
- `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`
This CLSID is associated with a vulnerable OLE control that attackers can use to bypass Office security features.
### Compatibility flags
The value `0x00000400` (DWORD) instructs Office to block loading this specific COM object, preventing exploitation.
### Impact on normal use
This mitigation should not affect normal Office functionality. If you experience issues, use the Desktop backup file to restore the registry changes.
## Contact and Feedback
If you encounter issues or have suggestions for improvement:
- Review Microsoft official support documentation
- Contact your organization's IT support team
- Refer to the Microsoft Security Response Center website for the latest information