Microsoft’s Security Update Guide now lists CVE-2026-40362, a remote code execution (RCE) vulnerability in Microsoft Excel, with the company expressing high confidence in its existence and exploitation potential. The advisory — published as part of the monthly Patch Tuesday cycle — classifies the flaw as “Important” and confirms that the attack vector requires user interaction. Specifically, a victim must open a specially crafted Excel file. Once that file loads, an attacker can execute arbitrary code with the same privileges as the logged-on user, which on far too many workstations means local admin rights.

The public record emphasizes that Microsoft is “aware of limited targeted attacks” but stops short of declaring active exploitation. That careful phrasing often precedes a rapid uptick in attacker activity once reverse engineers dissect the patch. For Windows administrators and security teams, the clock starts now.

Breaking down CVE-2026-40362

Microsoft assigns CVE IDs sequentially, and the 2026 prefix tells us this vulnerability was reserved well ahead of its publication — a sign that the MSRC (Microsoft Security Response Center) treated it as a high-priority case from early in its responsible-disclosure timeline. While the full technical write-up remains light on detail, typical Excel RCE bugs fall into a few buckets: parsing errors in legacy binary formats (XLS), logic bugs in the newer Open XML SDK, or memory corruption flaws that surface when Excel’s calculation engine processes malformed formulas. CVE-2026-40362 appears to fall into the workbook-handling category, meaning the corruption likely occurs while Excel reads the Book or Sheet streams of a BIFF-based document or during deserialization of a modern XLSX package.

What makes this class of bug particularly dangerous is how seamlessly it integrates into everyday business workflows. An accountant receives an “invoice.xls” attachment from what looks like a trusted partner. The file opens, Excel dutifully parses its streams, and shellcode executes — no macro prompt, no Protected View barrier. Even organizations that have disabled VBA macros across the board remain exposed if the payload fires during the initial parsing phase.

How attackers weaponize Excel RCE flaws

Attackers rarely start from scratch. The typical kill chain looks something like this:

  1. Reconnaissance – The adversary identifies targets in finance, legal, or executive roles who regularly open external spreadsheets.
  2. Crafting – Using a fuzzer or a known POC (proof of concept), they tweak a malformed workbook until it triggers controlled memory corruption.
  3. Delivery – The malicious file arrives via spear-phishing email, a compromised SharePoint site, or a rogue OneDrive link.
  4. Exploitation – Upon opening, the workbook hijacks the execution flow. Common shellcode drops a secondary payload like Cobalt Strike or a custom backdoor.
  5. Lateral movement – With a foothold inside the network, the attacker pivots toward domain controllers, file servers, or line-of-business databases.

Because Excel documents are ubiquitous, they rarely raise suspicion. Modern email gateways scan for known malware signatures, but a freshly crafted, zero-day workbook slides right through. Even after a patch is released, organizations that lag on Office updates become permanent targets.

Immediate mitigation steps

Microsoft’s advisory contains several recommendations. The first — and non-negotiable — is to apply the patch. But patches take time to test and deploy across fleets of 10,000 endpoints. In the interim, Windows administrators should implement these controls:

  • Enable Protected View for all files originating from the internet. Group Policy or Intune can enforce this via File Block Settings in the Office Administrative Templates. Files that arrive via email, download, or other untrusted zones will open in a sandboxed read-only mode that severely limits exploit primitives.
  • Enforce Office Macro Security. Although this CVE may not rely on macros, enabling “Block all macros without notification” and “Block macros from running in Office files from the Internet” is still a best practice that reduces the attack surface.
  • Deploy Attack Surface Reduction (ASR) rules. The rule “Block all Office applications from creating child processes” (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) stops many Excel-based RCE exploits dead in their tracks because the shellcode frequently tries to spawn cmd.exe or powershell.exe. Likewise, “Block Office applications from injecting code into other processes” (rule ID 75668C1F-73B5-4CF0-BB93-3ECF5A4CCB84) breaks the chain before the payload can migrate.
  • Prefer XLSX over XLS. The modern Open XML format is inherently less prone to memory corruption than the legacy binary BIFF format. Where possible, convert templates and shared workbooks to XLSX or XLSM (if macros are needed) and block XLS and XLSB extensions at the email gateway.
  • Isolate risky users. End-users in finance, legal, and HR who must open external attachments should launch Excel inside a hardened virtual machine or a Windows Sandbox session. For larger deployments, Windows 365 Cloud PCs or Azure Virtual Desktop can sandbox the entire Office experience.
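One way to roll out the two ASR rules named above and confirm they took effect, as an added PowerShell example that is not part of Microsoft's advisory. It assumes Microsoft Defender Antivirus is the active engine, uses the rule GUIDs Microsoft documents for those two rule names, and starts in audit mode so the Defender operational log (event 1122) can show what the rules would have blocked before you switch them to block (event 1121).

```powershell
# Added example, not from the advisory: enforce and verify the two Office ASR rules.
# Rule GUIDs are the ones Microsoft documents for these rule names.
$OfficeAsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5A4CCB84' = 'Block Office applications from injecting code into other processes'
}
# Get-MpPreference reports the per-rule action as an integer: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$AsrActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-OfficeAsrRules {
    # Start in AuditMode, review event 1122 for a few days, then rerun with -Mode Enabled.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    foreach ($id in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-OfficeAsrRuleState {
    # One row per rule with the action Defender currently applies to it.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpperInvariant() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $OfficeAsrRules.Keys) {
        $idx    = [Array]::IndexOf($ids, $id)
        $action = 'Not configured'
        if ($idx -ge 0) { $action = $AsrActionNames[[int]$actions[$idx]] }
        [pscustomobject]@{ Rule = $OfficeAsrRules[$id]; Action = $action }
    }
}

function Get-ExcelAsrEvents {
    # Event 1121 = rule blocked something; 1122 = rule would have blocked it (audit mode).
    # Filtering on excel.exe shows what a malicious workbook tried to spawn or inject into.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'excel\.exe' } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

Set-OfficeAsrRules -Mode AuditMode
Get-OfficeAsrRuleState | Format-Table -AutoSize
Get-ExcelAsrEvents | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session; Add-MpPreference is additive, so rerunning with -Mode Enabled simply upgrades the existing entries from audit to block.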

Hardening Excel and Office for the long haul

Patching is a short-term fix. Hardening reduces the probability that the next CVE — and there will be a next one — results in a breach. Start with these enterprise hardening steps:

1. Review Trust Center settings via Group Policy

The Office ADMX templates offer fine-grained control. Under Microsoft Excel 2016\Excel Options\Security\Trust Center, set:
- VBA Macro Notification Settings: Disable all without notification
- Load pictures from Web pages: Disabled
- Trust access to the VBA project object model: Disabled
- Automation Security: Use application macro security level

These changes prevent a whole class of embedded payloads from executing, even if the workbook parsing succeeds.

2. Leverage File Block settings

Excel’s File Block feature can outright refuse to open legacy or web-native formats. Configure:

File Type                               Setting
Excel 95-2003 Workbooks (*.xls)         Open/Save blocked, open in Protected View
Excel 4.0 Worksheets (XLM)              Open/Save blocked
Web formats (HTM, HTML, MHT, MHTML)     Open/Save blocked

Apply these through Group Policy under Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings. Users get a clear dialog explaining why the file won’t open, and your service desk can whitelist specific paths for legitimate business needs.

3. Adopt Protected View as the default

Modern Office apps already respect the “of internet origin” MOTW (Mark of the Web). Ensure that Group Policy forces Protected View for files downloaded from any source that isn’t a trusted location. This one setting — “Turn off Protected View for attachments opened from Outlook” set to Disabled — has prevented countless zero-click exploitation paths.

4. Deploy Exploit Protection

Windows 10 and later include built-in exploit mitigation tech. Use the Exploit Protection section of the Windows Security app or PowerShell to enforce:
- Export Address Filtering (EAF) for Excel.exe
- Import Address Filtering (IAF) for Excel.exe
- Validate heap integrity on process termination
- Randomize memory allocations (bottom-up ASLR)

These settings raise the cost for exploit developers, often turning a reliable RCE into a mere crash.
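The four mitigations above applied to Excel.exe with the ProcessMitigations cmdlets that ship with Windows 10 and later, as an added example that is not part of the original article. The switch names are the ones Set-ProcessMitigation accepts; the grouped property paths read back from Get-ProcessMitigation (Payload, Heap, ASLR) are assumed from that cmdlet's output layout.

```powershell
# Added example, not from the article: apply the four Excel mitigations listed above,
# read them back, and export a policy XML that Group Policy can push fleet-wide.
$ExcelMitigations = @(
    'EnableExportAddressFilter',   # EAF
    'EnableImportAddressFilter',   # IAF
    'TerminateOnError',            # Heap: validate heap integrity, terminate on corruption
    'BottomUp'                     # ASLR: randomize bottom-up allocations
)

function Set-ExcelExploitProtection {
    # Per-process settings are keyed on the image name, so every Excel build is covered.
    Set-ProcessMitigation -Name 'excel.exe' -Enable $ExcelMitigations
}

function Get-ExcelExploitProtectionState {
    # ON means enforced, OFF means explicitly disabled, NOTSET means the system default applies.
    # Property paths (assumed) follow Get-ProcessMitigation's grouped output.
    $m = Get-ProcessMitigation -Name 'excel.exe'
    [pscustomobject]@{
        EAF           = $m.Payload.EnableExportAddressFilter
        IAF           = $m.Payload.EnableImportAddressFilter
        HeapIntegrity = $m.Heap.TerminateOnError
        BottomUpASLR  = $m.ASLR.BottomUp
    }
}

function Export-ExploitProtectionPolicy {
    # Writes the machine's current per-process settings to XML. Import it on other hosts with
    # Set-ProcessMitigation -PolicyFilePath <file>, or point the
    # "Use a common set of exploit protection settings" Group Policy at it.
    param([string]$Path = "$env:TEMP\ExploitProtection-Excel.xml")
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    return $Path
}

Set-ExcelExploitProtection
Get-ExcelExploitProtectionState | Format-List
Export-ExploitProtectionPolicy
```

Test the settings on the pilot ring first: EAF and IAF occasionally break add-ins that hook Office exports, and a crash under these mitigations is exactly the signal the section above describes.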

Patching Excel across the enterprise

For IT admins, the primary objective is to push the update before the reverse-engineering community publishes a weaponized exploit. Microsoft releases Office security updates through several channels:

  • Microsoft Update (Windows Update for consumers and small businesses)
  • Microsoft Endpoint Configuration Manager (SCCM, with the Office 365 client management option)
  • Windows Server Update Services (WSUS)
  • Intune / Microsoft 365 Apps admin center for cloud-managed devices

The specific KB article that contains the fix for CVE-2026-40362 will appear under the monthly Office security update summary. Search for the monthly “Microsoft Office Security Updates” post in the MSRC blog to find the exact KB number. Once identified, administrators should:

  1. Test the patch on a representative subset of workstations, preferably in a ringed deployment.
  2. Pilot the update with users who regularly open external workbooks, as they’ll surface any compatibility issues first.
  3. Broad deploy within seven days of Patch Tuesday. Delaying beyond that window is a significant risk.
  4. Verify installation using the Office version check: open Excel, go to File > Account > About Excel. The build number should match the one listed in the security advisory.
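Step 4 checks one workstation by hand; the added PowerShell example below (not part of the article) does the same check from the registry so it can run through your RMM or Intune remediation scripts across the fleet. It assumes a Click-to-Run install of Microsoft 365 Apps (the ClickToRun\Configuration key does not exist for MSI-based Office), and `$ExpectedBuild` is a placeholder for the fixed build number taken from the advisory. It also flags 32-bit Office on 64-bit Windows, the migration candidate discussed later in this article.

```powershell
# Added example, not from the article: verify the installed Office build against the
# patched build from the advisory, without opening Excel on every machine.
function Get-OfficeC2RInfo {
    # Click-to-Run writes its current build, bitness and update channel here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $cfg = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        Version  = [version]$cfg.VersionToReport   # e.g. 16.0.xxxxx.xxxxx
        Platform = $cfg.Platform                   # 'x86' or 'x64'
        Channel  = $cfg.UpdateChannel              # CDN URL identifying the update channel
    }
}

function Test-ExcelPatched {
    # Returns a one-row report; Patched is $true only when the build is at or above the fix.
    param([Parameter(Mandatory)][version]$ExpectedBuild)
    try { $info = Get-OfficeC2RInfo }
    catch {
        # MSI/perpetual installs: fall back to the Excel binary's file version if present.
        $exe = Get-ChildItem "$env:ProgramFiles*\Microsoft Office*\root\Office16\EXCEL.EXE" -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if (-not $exe) { throw "No Click-to-Run configuration and no Excel binary found." }
        $info = [pscustomobject]@{
            Version  = [version]$exe.VersionInfo.FileVersion
            Platform = if ($exe.FullName -like "${env:ProgramFiles(x86)}*") { 'x86' } else { 'x64' }
            Channel  = 'MSI'
        }
    }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Build          = $info.Version
        Patched        = ($info.Version -ge $ExpectedBuild)
        Platform       = $info.Platform
        Channel        = $info.Channel
        Is32on64       = ([Environment]::Is64BitOperatingSystem -and $info.Platform -eq 'x86')
    }
}

# PLACEHOLDER: replace with the fixed build listed in the advisory for your channel.
$ExpectedBuild = [version]'16.0.0.0'
Test-ExcelPatched -ExpectedBuild $ExpectedBuild | Format-List
```

Exit with a non-zero code when Patched is `$false` if you wire this into an Intune remediation, so non-compliant devices surface in reporting rather than in a log nobody reads.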

For air-gapped environments, offline update packages are available from the Microsoft Update Catalog. Download the appropriate MSU file for your Office architecture (32-bit or 64-bit) and side-load it via your standard software distribution tool.

The document supply chain: Your next big blind spot

CVE-2026-40362 isn’t just a reminder to patch Excel. It’s a spotlight on the document supply chain — the flow of spreadsheets, PDFs, and other files that cross organizational boundaries daily. In many companies, this supply chain has zero security controls beyond a desktop antivirus that you hope recognizes the malware signature. Attackers understand this.

Consider the following real-world scenario: a law firm receives discovery documents in Excel format from opposing counsel. By the time an attorney opens the file, it has already passed through an email server, an attachment sandbox (if the firm is lucky), and a local endpoint. If the sandbox merely “detonated” the file in a virtual machine and saw no macro activity, it likely released the attachment as benign. That’s why parsing-stage RCEs are so valuable to adversaries — they sidestep the behavioral detections trained on macro-based attacks.

Organizations that handle sensitive documents must add layers:

  • Content Disarm & Reconstruction (CDR): Instead of passing the original workbook to the end user, a CDR platform extracts the data and rebuilds a fresh, safe copy. All metadata, macros, and corrupted structures are stripped.
  • Remote Browser Isolation (RBI): Open Excel Online or a remote instance of Excel in a cloud container, streaming only pixels to the user. Even if the container gets compromised, the attacker never reaches the corporate network.
  • Dynamic file analysis: Advanced email security platforms can open attachments in a bare-metal sandbox with full telemetry, watching for memory corruption indicators like unexpected processes spawning from Excel.

These measures aren’t free, but neither is the average cost of a data breach. In 2023 and 2024, ransomware gangs routinely used Office RCE vectors to gain initial access. CVE-2026-40362, if fully weaponized, could be the next entry door.

Beyond the patch cycle

Microsoft’s shift to the Modern Lifecycle Policy and the subscription-based Microsoft 365 model means patches arrive faster and more frequently. But it also means organizations that cling to Office 2016, Office 2019, or perpetual-license versions of Office LTSC face longer exposure windows. While Microsoft backports security fixes for supported perpetual versions, the engineering lag can be days or weeks. During that gap, attackers know exactly what the vulnerability is because the Microsoft 365 patch has already been reverse-engineered.

If your organization runs anything older than the current Monthly Enterprise Channel of Microsoft 365 Apps, consider accelerating your upgrade timeline. The same goes for anyone still running 32-bit Office on a 64-bit Windows installation. The 32-bit version is more susceptible to memory corruption exploits due to its limited address space and weaker heap protections. Migrating to 64-bit Office is a one-time effort that pays a permanent security dividend.

What to watch for next

In the coming days, expect the following:

  • Technical write-ups from researchers who diff the patched and unpatched Excel binaries. These blog posts will include enough detail to write a weaponized exploit.
  • CISA KEV addition. The U.S. Cybersecurity and Infrastructure Security Agency will likely add CVE-2026-40362 to its Known Exploited Vulnerabilities catalog, triggering binding operational directives for federal agencies to patch within 14 days.
  • Proof-of-concept code appearing on GitHub and exploit-db. Once public, commodity malware families — Emotet, TrickBot, or their successors — will absorb the exploit and push it through their distribution networks.
  • Targeted phishing campaigns that mention recent news about the CVE, tricking IT staff into opening a “patch verification” spreadsheet.

Security teams should tune their email incident response playbooks now. When the first wave of malicious workbooks arrives, you’ll want to identify it within minutes, not days.

Final thoughts

CVE-2026-40362 is a textbook example of why trusting any file — especially one that can execute code during parsing — is dangerous. The patch addresses the immediate vulnerability, but the class of problem remains. Excel is a Turing-complete platform sitting on every desk in the world, and its legacy format support guarantees a long tail of exploitable parsing bugs.

Your action items are clear: patch within a week, switch to 64-bit Office, enable ASR rules, block legacy file formats at the gateway, and start planning for a document supply chain security model that doesn’t implicitly trust every invoice, report, or spreadsheet that lands in your users’ inboxes. Do that, and you’ll be ready for CVE-2026-40362 — and the dozen CVEs that will inevitably follow.