Ref# ADV2026_36 | Date: Jan 30th 2026

---

Microsoft published a security advisory highlighting vulnerabilities in multiple products on January 13th, 2026. It is recommended that you take the necessary precautions by ensuring your products are always updated. 

• Azure Connected Machine Agent 

• Azure Core shared client library for Python 

• Microsoft 365 Apps for Enterprise 

• Microsoft Excel 2016 

• Microsoft Office 2016 

• Microsoft Office 2019 

• Microsoft Office Deployment Tool 

• Microsoft Office LTSC 2021 

• Microsoft Office LTSC 2024 

• Microsoft Office LTSC for Mac 2021 

• Microsoft Office LTSC for Mac 2024 

• Microsoft SQL Server 2022 

• Microsoft SQL Server 2025 

• Microsoft SharePoint Enterprise Server 2016 

• Microsoft SharePoint Server 2019 

• Microsoft SharePoint Server Subscription Edition 

• Microsoft Word 2016 

• Office Online Server 

• Windows 10 

• Windows 11 

• Windows Admin Center in Azure Portal 

• Windows SDK 

• Windows Server 2008 

• Windows Server 2008 R2 

• Windows Server 2012 

• Windows Server 2012 R2 

• Windows Server 2016 

• Windows Server 2019 

• Windows Server 2022 

• Windows Server 2025 

 

Update 1 

Microsoft released an out-of-band security warning on January 26, 2026, to fix the significant vulnerability CVE-2026-21509. 

Additionally, CVE-2026-21509 was added to the Known Exploited Vulnerabilities (KEV) Database by the Cybersecurity and Infrastructure Security Agency (CISA) on January 26, 2026. 

Microsoft has been informed about the exploitation of CVE-2026-20805 and CVE-2026-21509. 

 

For more information on these updates, you can follow these URLs: 

• January 2026 Security Updates 

• Security Update Guide 

• Microsoft Office Security Feature Bypass Vulnerability 

• CISA KEV: CVE-2026-21509 

 

The Guyana National CIRT recommends that users and administrators review these updates and apply them where necessary. 

 

References 

• January 2026 Security Updates. (n.b). Retrieved from Microsoft. https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan 

 

• Security Update Guide. (January 21, 2026). Retrieved from Microsoft. https://msrc.microsoft.com/update-guide/en-us 

 

• Microsoft Office Security Feature Bypass Vulnerability. (January 28, 2026). Retrieved from Microsoft. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509 

 

• CISA KEV: CVE-2026-21509. (January 26, 2026). Retrieved from Microsoft. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-21509 

 

• Microsoft security advisory– January 2026 monthly rollup (AV26-024) – Update. (January 27, 2026). Retrieved from Canadian Centre for Cyber Security. https://www.cyber.gc.ca/en/alerts-advisories/microsoft-security-advisory-january-2026-monthly-rollup-av26-024