Microsoft disclosed SmartScreen and Office security feature bypass flaws
Microsoft published advisories for multiple security feature bypass vulnerabilities affecting Windows and Office components, including CVE-2023-36025 in Windows SmartScreen, CVE-2023-36413 in Microsoft Office, CVE-2023-21715 in Microsoft Publisher, and CVE-2026-21514 in Microsoft Word. The flaws were categorized as bypass issues rather than direct remote code execution bugs, indicating attackers could evade built-in protections intended to warn users or restrict unsafe content.
The disclosures show a recurring pattern across Microsoft products in which trust and warning mechanisms can be circumvented, potentially increasing the success of phishing, malicious document delivery, and other social-engineering attacks. Organizations relying on SmartScreen and Office security controls should review the relevant Microsoft Security Update Guide entries for affected products and ensure patches are applied to reduce the risk of users opening files or content that bypass normal safeguards.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft releases advisory for CVE-2026-21514 in Word
Microsoft published security guidance for CVE-2026-21514, a Microsoft Word security feature bypass vulnerability. This reflects the public disclosure of the flaw and Microsoft's associated update information.
Microsoft discloses and patches CVE-2023-36413 in Office
Microsoft published security guidance for CVE-2023-36413, a Microsoft Office security feature bypass vulnerability. The advisory marks the public disclosure and remediation guidance for the issue.
Microsoft discloses and patches CVE-2023-36025 in Windows SmartScreen
Microsoft published security guidance for CVE-2023-36025, a Windows SmartScreen security feature bypass vulnerability. Multiple references point to the same disclosure and patch event on Patch Tuesday.
Microsoft releases advisory for CVE-2023-29335 in Word
Microsoft published security guidance for CVE-2023-29335, a Microsoft Word security feature bypass vulnerability. This marks the public disclosure of the flaw and availability of Microsoft's update information.
Microsoft releases fix for CVE-2023-21715 in Publisher
Microsoft published security guidance for CVE-2023-21715, a Microsoft Publisher security feature bypass vulnerability. This indicates public disclosure and availability of an official update or advisory.
Sources
7 references tracked. Mallory keeps watching after this page renders.
CVE-2026-21514 - Security Update Guide - Microsoft - Microsoft Word Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-36025 - Security Update Guide - Microsoft - Windows SmartScreen Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-36413 - Security Update Guide - Microsoft - Microsoft Office Security Feature Bypass Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2023-36025 - Security Update Guide - Microsoft - Windows SmartScreen Security Feature Bypass Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2023-36025 - Security Update Guide - Microsoft - Windows SmartScreen Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-29335 - Security Update Guide - Microsoft - Microsoft Word Security Feature Bypass Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2023-21715 - Security Update Guide - Microsoft - Microsoft Publisher Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Repeated Windows Mark-of-the-Web and SmartScreen Bypass Flaws
Microsoft has disclosed a sustained series of **security feature bypass** vulnerabilities across Windows and related components, with multiple advisories tied to **Mark of the Web (MotW)**, **SmartScreen**, **MapUrlToZone**, Windows shortcut handling, and security zone mapping. The most detailed recent case, `CVE-2026-32225`, affects **Windows Shell** and allows attackers to bypass SmartScreen protections that rely on MotW by persuading a user to open a specially crafted `.lnk` file. Microsoft said successful exploitation could cause Windows to launch commands or Control Panel applets without proper MotW handling, potentially enabling arbitrary command execution or the loading of attacker-controlled DLLs; the flaw was rated **Important**, assigned a **CVSS 8.8**, marked as **more likely to be exploited**, and fixed at disclosure. The newer Windows Shell issue follows a broader pattern of Microsoft fixes for related bypasses, including `CVE-2022-44698` in **Windows SmartScreen**; `CVE-2023-36564` in **Windows Search**; `CVE-2023-36584`, `CVE-2024-38217`, and `CVE-2024-43487` in **Windows Mark of the Web**; `CVE-2024-30073` in **Windows Security Zone Mapping**; `CVE-2025-21328`, `CVE-2025-21329`, and `CVE-2025-21332` in **MapUrlToZone**; and `CVE-2025-47160` in **Windows Shortcut Files**. Additional bypass advisories affected Microsoft products including **Publisher**, **Office Developer Platform**, **PowerShell**, **Kerberos**, **Windows Hello**, **Surface**, and **PC Manager**, underscoring Microsoft's continued effort to close gaps in trust labeling and execution safeguards that attackers can abuse to reduce warnings and increase the success of social-engineering attacks.
May 25, 2026
Emergency Microsoft Office Update Patches Actively Exploited CVE-2026-21509 OLE Security Bypass
Microsoft released **out-of-band (OOB) security updates** to address an actively exploited Microsoft Office zero-day, **CVE-2026-21509**, described as a **security feature bypass** caused by reliance on untrusted input in a security decision. The flaw impacts **Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise**, and is exploited by sending a user a **malicious Office document** and convincing them to open it; Microsoft stated the **Preview Pane is not an attack vector**. The fix addresses a bypass of **OLE mitigations** intended to protect users from vulnerable **COM/OLE controls**, but Microsoft did not provide public technical details on the in-the-wild exploitation. For **Office 2021 and later / Microsoft 365 Apps**, Microsoft indicated protections may be applied via a **service-side fix** after restarting Office apps, while **Office 2016 and 2019** updates were not yet available at the time of reporting and were promised “as soon as possible.” As interim risk reduction, Microsoft provided mitigations that include a **Windows Registry** change to block vulnerable COM/OLE controls by adding a COM compatibility key and setting a `Compatibility Flags` DWORD value; guidance emphasized backing up the registry and restarting Office applications after applying the mitigation.
Jan 29, 2026
Microsoft Patches Repeated Remote Code Execution Flaws Across Office Apps
Microsoft published a long series of security advisories for **remote code execution** vulnerabilities affecting core Office components, with the largest concentration in **Excel** and **Word**. The disclosures include Excel flaws such as `CVE-2024-49026`, `CVE-2024-49069`, `CVE-2025-21362`, `CVE-2025-21381`, `CVE-2025-21387`, `CVE-2025-24082`, `CVE-2025-62553`, `CVE-2026-26107`, `CVE-2026-26109`, `CVE-2026-26112`, and `CVE-2026-40359`, alongside Word issues including `CVE-2025-24077`, `CVE-2025-24078`, `CVE-2025-47170`, `CVE-2025-49700`, `CVE-2025-59222`, `CVE-2026-23657`, and `CVE-2026-33095`. Microsoft also listed related RCE bugs in **Microsoft Office** (`CVE-2025-21392`), **PowerPoint** (`CVE-2025-54908`), **Inbox COM Objects (Global Memory)** (`CVE-2025-58730`), and the **Visual Studio Code Python Extension** (`CVE-2025-49714`). One of the few entries with technical detail, **`CVE-2026-40359`**, describes an **Important** Excel use-after-free flaw (`CWE-416`) with a **CVSS 3.1 score of 7.8** that can let an attacker execute code if a user opens a malicious Office file. Microsoft said the bug was **not publicly disclosed**, **not exploited in the wild**, and **less likely** to be exploited at the time of publication, adding that the **Preview Pane is not an attack vector** and that a fix is available. Taken together, the advisories show Microsoft continuing to address document-driven code execution risks across Office products, where successful exploitation generally depends on **user interaction with crafted files** rather than direct network exposure.
May 25, 2026