The National Information Technology Development Agency (NITDA) has issued an advisory warning users and organizations in Nigeria about a high-severity zero-day flaw in Microsoft Office.
This is according to the official communication from NITDA, the government agency responsible for regulating and developing information technology in Nigeria.
The alert comes as Microsoft confirms the vulnerability, tracked as CVE-2026-21509, is actively being exploited.
What NITDA said
According to NITDA, the zero-day vulnerability allows attackers to bypass Object Linking and Embedding (OLE) mitigations designed to protect users from malicious code in Microsoft Office.
The flaw carries a CVSS score of 7.8 and can only be exploited if a victim opens a specially crafted Office document.
- “The vulnerability is categorized as a security feature bypass that allows attackers to circumvent Object Linking and Embedding (OLE) mitigations designed to protect users from vulnerable COM/OLE controls.
- “Microsoft confirmed that exploitation requires user interaction, specifically convincing a victim to open a specially crafted Microsoft Office document. The Preview Pane is not considered an attack vector. Due to confirmed exploitation, immediate action is strongly advised,” the agency stated.
They noted that successful exploitation could allow attackers to execute malicious code, compromise systems, deliver malware, steal data, or conduct lateral movement within an organization.
Backstory
Last month, Microsoft publicly disclosed the high‑severity zero‑day flaw in its Office suite, after its own security teams detected active exploitation in the wild.
According to reports, within days of the emergency out‑of‑band update being released to fix the flaw, sophisticated threat actors, including Russia‑linked groups such as APT28 (also known as Fancy Bear), were observed weaponising the vulnerability to deliver malware and conduct targeted espionage operations across Europe and other regions.
More insights
Microsoft identified the zero-day flaw as affecting multiple Office products, including:
- Office 2016 (32-bit and 64-bit)
- Office 2019 (32-bit and 64-bit)
- Microsoft 365 Apps
- Office 2021 and later.
While Office 2021 and newer versions benefit from service-side mitigations, users must restart their applications for the protection to take effect.
- To mitigate the risk, NITDA advised organizations and individuals to immediately install the latest out-of-band security updates for Office 2016 and 2019. Users of Office 2021 and later should restart their applications to enable service-side protections.
They also urged organizations to educate users about the dangers of opening unsolicited Office documents and to implement endpoint protection and email filtering solutions to reduce exposure.
What you should know
NITDA has actively guided Nigerian users and organizations to minimize IT risk exposure.
- Nairametrics reported that the agency has previously issued advisories to Nigerian users about new vulnerabilities in ChatGPT that could expose users to data-leakage attacks.
- In past alerts, the agency guided WhatsApp users on recovering hacked accounts, securing group chats, and implementing two-step verification to prevent unauthorized access.
The agency also warned Nigerians about vulnerabilities in embedded SIM (eSIM) cards, which are used in smartphones, tablets, wearables and IoT devices.











