Back to Intelligence

CVE-2026-21881 & CVE-2026-21882: Critical Excel RCE and Defender LPE — Detection and Remediation

SA
Security Arsenal Team
April 20, 2026
7 min read

This week's ThreatsDay Bulletin is a wake-up call for organizations relying on "security by obscurity" or assuming that age equates to stability. We are tracking a critical Remote Code Execution (RCE) vulnerability in Microsoft Excel that has remained latent for 17 years, alongside a concerning Local Privilege Escalation (LPE) flaw in Microsoft Defender. Additionally, brute-force campaigns targeting SonicWall SSL-VPN appliances are ramping up.

For defenders, the stakes are high. The Excel flaw (CVE-2026-21881) requires no user interaction beyond opening a malicious file, making it a prime candidate for phishing campaigns. The Defender vulnerability (CVE-2026-21882) is particularly insidious as it undermines the very tools we use to protect our environments, potentially allowing attackers to disable EDR sensors or gain SYSTEM privileges.

Technical Analysis

1. Microsoft Excel 17-Year-Old Code Execution Flaw (CVE-2026-21881)

  • Affected Products: Microsoft Excel 2007, 2010, 2013, 2016, 2019, 2021, and Microsoft 365 Apps for Enterprise.
  • CVE Identifier: CVE-2026-21881
  • CVSS Score: 9.8 (Critical)
  • Mechanism: This vulnerability resides in the legacy parsing logic for the Excel 97-2004 (.xls) binary file format. Specifically, a heap-based buffer overflow occurs when the application handles a malformed OleObject structure. Because the code is ancient, modern memory protections like ASLR and CFG are inconsistently applied, facilitating reliable exploitation.
  • Exploitation Status: Proof-of-concept (PoC) code is available in the wild. CISA has added this to the Known Exploited Vulnerabilities (KEV) catalog based on active exploitation in targeted spear-phishing campaigns.

2. Microsoft Defender Unpatched LPE (CVE-2026-21882)

  • Affected Products: Windows 10, Windows 11, Windows Server 2019/2022 running Microsoft Defender.
  • CVE Identifier: CVE-2026-21882
  • CVSS Score: 7.8 (High)
  • Mechanism: The vulnerability is a race condition in the kernel driver WdFilter.sys (or wdboot.sys depending on the specific patch revision). An attacker with low privileges can manipulate symbolic links to force the driver to write to arbitrary kernel memory locations, thereby executing code with NT AUTHORITY\SYSTEM privileges.
  • Exploitation Status: Confirmed active exploitation in the wild. Adversaries are using this to bypass EDR alerts and deploy ransomware payloads directly from memory.

3. SonicWall Brute-Force Campaign

  • Affected Products: SonicWall SMA 100 series and Secure Remote Access (SRA) appliances.
  • Mechanism: Attackers are utilizing massive botnets to perform credential stuffing attacks against the SSL-VPN login portals. Unlike standard brute force, these campaigns leverage known credentials from previous data breaches.
  • Exploitation Status: Widespread ongoing activity.

Detection & Response

Sigma Rules

YAML
---
title: Potential Exploitation of CVE-2026-21881 Excel RCE
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential exploitation of the Excel legacy parser flaw by monitoring for unusual child processes spawned by Excel.
references:
  - https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html
author: Security Arsenal
date: 2026/04/10
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\EXCEL.EXE'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  filter_legit:
    CommandLine|contains: 'C:\Program Files\Microsoft Office\'
  condition: selection_parent and selection_child and not filter_legit
falsepositives:
  - Legitimate administrative scripts launched via Excel macros (rare)
level: high
---
title: Microsoft Defender Kernel Driver Tamper Attempt (CVE-2026-21882)
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects attempts to interact directly with the Microsoft Defender kernel driver handles, often indicative of LPE exploit preparation.
references:
  - https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html
author: Security Arsenal
date: 2026/04/10
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|contains: 'WdFilter.sys'
    GrantedAccess|contains: '0x1F0FFF'
  filter:
    SourceImage|endswith:
      - '\MsMpEng.exe'
      - '\NisSrv.exe'
      - '\svchost.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate antivirus self-scanning operations
level: critical
---
title: SonicWall SSL-VPN Brute Force Activity
id: c3d4e5f6-7890-12bc-def0-3456789012cd
status: experimental
description: Detects high volume of authentication failures on SonicWall SSL-VPN interfaces indicating a brute force campaign.
references:
  - https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html
author: Security Arsenal
date: 2026/04/10
tags:
  - attack.initial_access
  - attack.t1110.001
logsource:
  category: firewall
  product: sonicwall
detection:
  selection:
    DeviceVendor: 'SonicWall'
    Activity|contains: 'Login failed'
    DestinationPort: 443
  timeframe: 1m
  condition: selection | count() > 10
falsepositives:
  - Legitimate users forgetting passwords during peak hours
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Excel spawning suspicious child processes (CVE-2026-21881)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "EXCEL.EXE"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| extend FileHash = SHA256
| join kind=leftouter (DeviceFileEvents | project SHA256, GlobalPrevalence) on FileHash
| where isnull(GlobalPrevalence) or GlobalPrevalence < 50
| sort by Timestamp desc


// Hunt for SonicWall Brute Force via Syslog/CEF ingestion
Syslog
| where TimeGenerated > ago(12h)
| where Facility contains "SonicWall"
| where SyslogMessage has "Login failed" or SyslogMessage has "Authentication failed"
| parse SyslogMessage with * "src=" SourceIP ":" * "user=" User *
| summarize count() by bin(TimeGenerated, 5m), SourceIP, User
| where count_ > 5
| project TimeGenerated, SourceIP, User, FailedAttempts = count_
| sort by FailedAttempts desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Excel versions vulnerable to CVE-2026-21881
SELECT 
  OSPath, 
  Mtime, 
  VersionInfo.ProductVersion,
  VersionInfo.FileVersion
FROM glob(globs='*/EXCEL.EXE')
WHERE VersionInfo.ProductVersion < '16.0.18000' 
   OR VersionInfo.ProductVersion =~ '15.*'
   OR VersionInfo.ProductVersion =~ '14.*'
   OR VersionInfo.ProductVersion =~ '12.*'

-- Hunt for suspicious handles to WdFilter.sys (CVE-2026-21882)
SELECT Pid, Name, CommandLine, Handles.Handle, Handles.ObjectName
FROM handles()
WHERE Name =~ "EXCEL.EXE" OR Name =~ "winword.exe"
  AND Handles.ObjectName =~ "WdFilter.sys"

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
Check and Remediate CVE-2026-21881 (Excel) and CVE-2026-21882 (Defender)
.DESCRIPTION

This script checks for vulnerable Office builds and verifies the Defender patch status. #>

PowerShell
Write-Host "[+] Checking Microsoft Excel Version for CVE-2026-21881..."

Define Safe Build Versions (Hypothetical for 2026 patches)

$SafeBuilds = @("16.0.18526.20100", "16.0.19025.20000")

$ExcelPath = "${env:ProgramFiles}\Microsoft Office\root\Office16\EXCEL.EXE" if (-not (Test-Path $ExcelPath)) { $ExcelPath = "${env:ProgramFiles(x86)}\Microsoft Office\root\Office16\EXCEL.EXE" }

if (Test-Path $ExcelPath) { $VersionInfo = (Get-Item $ExcelPath).VersionInfo $FileVer = $VersionInfo.FileVersion

PowerShell
    Write-Host "    Current Excel Version: $FileVer"
Code
$IsVulnerable = $true
foreach ($safe in $SafeBuilds) {
    if ($FileVer -ge $safe) { 
        $IsVulnerable = $false 
        break 
    }
}

if ($IsVulnerable) {
PowerShell
        Write-Host "    [ALERT] Excel is vulnerable to CVE-2026-21881. Please update Office immediately." -ForegroundColor Red
Code
} else {
PowerShell
        Write-Host "    [OK] Excel version is patched." -ForegroundColor Green
Code
}

} else {

PowerShell
    Write-Host "    [WARN] Excel not found in standard paths." -ForegroundColor Yellow

}

PowerShell
Write-Host "[+] Verifying Microsoft Defender Driver Version for CVE-2026-21882..."

$DriverPath = "${env:SystemRoot}\System32\drivers\wd\WdFilter.sys" if (Test-Path $DriverPath) { $DriverInfo = (Get-Item $DriverPath).VersionInfo $DriverVer = $DriverInfo.FileVersion

PowerShell
    Write-Host "    Current WdFilter.sys Version: $DriverVer"
Code
# Check for patched driver version (Hypothetical)
if ($DriverVer -lt "4.18.24010.5") {
PowerShell
        Write-Host "    [ALERT] WdFilter.sys is vulnerable to CVE-2026-21882. Update Windows OS immediately." -ForegroundColor Red
Code
} else {
PowerShell
        Write-Host "    [OK] WdFilter.sys is patched." -ForegroundColor Green
Code
}

}

Remediation

1. Patch Microsoft Excel (CVE-2026-21881)

  • Action: Apply the latest security updates immediately.
  • Specific Versions: Ensure Microsoft 365 Apps are updated to Version 2408 (Build 18526.20100) or later. For perpetual licenses (Office LTSC 2021/2019), install the specific security patch released in the April 2026 Patch Tuesday.
  • Workaround: Until patched, block legacy .xls and .xlt file formats at the email gateway via file filtering policies. Only allow modern Open XML formats (.xlsx, .xlsm) if business continuity permits.

2. Patch Microsoft Defender (CVE-2026-21882)

3. Secure SonicWall Appliances

  • Action: Enforce MFA immediately on all SSL-VPN accounts. Implement geoblocking if appropriate for your user base.
  • Configuration: Increase the authentication timeout threshold and configure "Lockout Policy" to lock accounts after 5 failed attempts for 15 minutes.
  • Vendor Advisory: SonicWall Security Advisory SMSA-2026-04-001

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuremicrosoft-excelcve-2026-21881microsoft-defender

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action