What happened
APT28 (aka Fancy Bear, UAC-0001) began exploiting CVE-2026-21509—a security feature bypass in Microsoft Office—on January 27, one day after Microsoft disclosed it. Ukraine's CERT-UA detected the first weaponized document that day: file metadata on "Consultation_Topics_Ukraine(Final).doc" shows creation on January 27, targeting EU discussions about Ukraine.
The same day, Ukrainian government bodies received 60+ phishing emails disguised as weather service correspondence. Opening one of the malicious DOC files triggers a WebDAV connection that retrieves shortcut (LNK) files; those in turn drop DLLs, establish persistence through COM hijacking, and deploy the COVENANT post-exploitation framework. Between January 29 and 31, CERT-UA identified three more malicious documents targeting EU member states, with the supporting attack infrastructure registered on the same day each document appeared.
Why this matters
The 24-hour weaponization window suggests APT28 had exploit chains ready before public disclosure—a pattern that complicates patch deployment timelines. Microsoft issued emergency patches January 26-27 for Office 2016/2019/LTSC 2021/2024/M365 Enterprise (CVSS 7.8). CISA added CVE-2026-21509 to its Known Exploited Vulnerabilities catalog with a February 16 deadline for US federal agencies.
This is the 24th actively exploited Microsoft zero-day in 2025 according to Tenable, out of 41 total. The vulnerability bypasses OLE mitigations; exploitation requires the user to open a crafted file, and the Preview Pane is not an attack vector. Legacy Office versions are not fixed by the patch alone and need a registry mitigation: administrators should set a DWORD value of 400 under the COM Compatibility key. Office 2021 and later require an application restart after the patch is applied.
The enterprise angle
CERT-UA warns patch deployment inertia will fuel continued exploitation. The attackers route traffic through legitimate cloud storage (Filen) to evade detection—defenders should monitor or block accordingly. APT28's use of scheduled tasks for persistence and DLL side-loading techniques requires hunting beyond signature-based detection.
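The chain described in this brief (Office document, WebDAV retrieval, LNK, dropped DLL, COM hijacking, scheduled task) leaves artifacts that are visible without signatures. The following is an added illustration, not CERT-UA's or any vendor's detection content: a small rule set run over Sysmon-style events. Field names follow Sysmon's schema (EventID, Image, TargetObject, ImageLoaded, Details); the events themselves are constructed for the example, the CLSID is an all-zero placeholder, and the `Tfs_DAV` cache directory is the WebClient service's local cache for files fetched over WebDAV, which is why LNK files appearing there are worth a look.

```python
"""Hunting rules for the Office -> WebDAV -> LNK -> DLL -> COM-hijack chain.
Added example; events below are constructed, not captured telemetry."""
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directories an unprivileged user can write to. A DLL loaded from, or a COM
# server registered in, one of these is a common side-loading / hijack signal.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# WebClient (the Windows WebDAV mini-redirector) caches remote files here.
WEBDAV_CACHE = "\\tfsstore\\tfs_dav\\"
# Per-user CLSID InprocServer32 keys: the classic COM hijacking location.
COM_HIJACK_RE = re.compile(
    r"^(HKU\\[^\\]+|HKCU)\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32", re.I)


def image_name(path):
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def rule_office_network(ev):
    # Sysmon 3: an Office process itself opening an outbound HTTP(S) connection.
    return (ev.get("EventID") == 3 and image_name(ev.get("Image", "")) in OFFICE_IMAGES
            and int(ev.get("DestinationPort", 0)) in (80, 443, 8080))


def rule_lnk_via_webdav(ev):
    # Sysmon 11: a shortcut written into the WebDAV cache or by an Office process.
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "").lower()
    return target.endswith(".lnk") and (
        WEBDAV_CACHE in target or image_name(ev.get("Image", "")) in OFFICE_IMAGES)


def rule_sideload(ev):
    # Sysmon 7: an unsigned DLL loaded from a user-writable directory.
    return (ev.get("EventID") == 7 and in_user_writable(ev.get("ImageLoaded", ""))
            and ev.get("Signed", "false").lower() != "true")


def rule_com_hijack(ev):
    # Sysmon 13: per-user CLSID InprocServer32 now pointing at a user-writable DLL.
    return (ev.get("EventID") == 13
            and COM_HIJACK_RE.match(ev.get("TargetObject", "")) is not None
            and in_user_writable(ev.get("Details", "")))


def rule_schtasks(ev):
    # Sysmon 1: schtasks.exe creating a task whose action lives in user-writable space.
    if ev.get("EventID") != 1 or image_name(ev.get("Image", "")) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "/create" in cmd and in_user_writable(cmd)


RULES = [
    ("R1", "Office process made a direct outbound HTTP(S) connection", rule_office_network),
    ("R2", "LNK file materialised from WebDAV cache or by Office", rule_lnk_via_webdav),
    ("R3", "Unsigned DLL loaded from user-writable directory (side-loading)", rule_sideload),
    ("R4", "Per-user COM InprocServer32 rewritten to user-writable DLL (hijack)", rule_com_hijack),
    ("R5", "Scheduled task created with action in user-writable directory", rule_schtasks),
]


def evaluate(events):
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule_id, desc, fn in RULES:
            if fn(ev):
                alerts.append({"rule": rule_id, "event": idx,
                               "image": ev.get("Image"), "desc": desc})
    return alerts


def stages_hit(alerts):
    """Distinct chain stages that fired; several stages on one host is the strong signal."""
    return sorted({a["rule"] for a in alerts})


# Constructed sample events (not real telemetry); CLSID is an all-zero placeholder.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp"
                       r"\TfsStore\Tfs_DAV\203.0.113.10\share\update.lnk"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\update.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn Updater '
                    r'/tr "rundll32 C:\Users\alice\AppData\Roaming\Microsoft\update.dll,Start"'},
    # Benign noise that must not fire: a browser on the same port, a signed system DLL.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["rule"], alert["event"], alert["desc"])
```

Each rule on its own will produce noise in a real estate (developers load unsigned DLLs from Temp, deployment tools create tasks); the point is `stages_hit`: two or more stages on one host within a short window, starting with R1 or R2, is the pattern the brief describes and is worth an analyst's time regardless of what the DLL hashes to.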
For context: CVE-2026-21509 differs from CVE-2026-20805 (another Office flaw patched January 26) in exploitation method—21509 specifically targets OLE bypass via WebDAV, while 20805 involved different attack vectors. Organizations running older Office builds should prioritize this patch; Microsoft initially left legacy versions unpatched before reversing course.
History suggests: Russian state actors consistently weaponize Office vulnerabilities faster than enterprise patch cycles allow. The trade-off between stability testing and threat exposure just got steeper.