Overview
- Microsoft released out-of-band fixes on January 26 for a high-severity Office vulnerability that is being exploited in the wild.
- The flaw allows attackers to hijack COM/OLE controls via a crafted Office file, defeating protections designed to block malicious component execution.
- The flaw carries a CVSS score of 7.8 and affects Microsoft 365 Apps and Office 2016, 2019, LTSC 2021 and LTSC 2024.
- Office LTSC 2021 and 2024 as well as Microsoft 365 receive server-side updates that take effect after restarting the Office apps.
- Older or unsupported editions require manual action: Office 2016 receives KB5002713, and volume-licensed Office 2019 needs Version 1808 Build 10417.20095. Registry workarounds are available, and retail Click-to-Run 2016/2019 installations lack automatic fixes.