On June 9, 2026, Microsoft published a security advisory for CVE-2026-45485, an information disclosure vulnerability in Microsoft Office. The bug, part of the June Patch Tuesday batch, is confirmed real but comes with an uncomfortable silence: no proof-of-concept, no exploit demo, no technical details on how data might leak. That sparse briefing doesn’t make the threat hypothetical—it makes patching essential before attackers fill in the blanks.

What Microsoft Actually Disclosed

CVE-2026-45485 sits in the Security Update Guide with the unglamorous label “Microsoft Office Information Disclosure Vulnerability.” Microsoft’s advisory mentions a “confidence metric” that indicates the vulnerability’s existence is credible and that the known technical details are reliable—even if they aren’t shared publicly. In other words, Microsoft knows the bug is real, but it’s not giving away a roadmap.

This is classic Patch Tuesday calculus. The company releases enough to signal urgency (the vulnerability is not merely speculated) but withholds specifics to slow down exploit writers. For defenders, it means reading between the lines. The vulnerability can cause confidential information to be exposed, but how? Through a malicious document? A network call? A preview pane? The advisory doesn’t say. That absence forces a broad hardening response.

Why an Office Info Leak Matters Now

Information disclosure bugs rarely make headlines like remote code execution. But in the context of Office—where documents cross email, SharePoint, Teams, and Slack daily—a quiet leak can be a precursor to deeper compromise. An attacker who learns internal file paths, usernames, document metadata, or even cached authentication tokens can craft a more convincing phishing email, map your network, or chain the flaw with another exploit.

Office isn’t just a word processor; it’s a complex parsing engine for dozens of file formats. A malformed .docx, .xlsx, or even a legacy .doc file could trigger the vulnerability. And because Office is deeply integrated with cloud identities, a leak might expose tenant information or collaboration hints. For businesses, that’s not just a confidentiality headache—it’s an invitation for social engineering.

Who Should Pay Attention

Home Users and Small Businesses

If you’re an individual or a small office without dedicated IT, the advice is simple: install Office updates. The flaw doesn’t currently have a working exploit in the wild, but that’s no reason to delay. Go to File > Account > Update Options in any Office app, and hit “Update Now.” If you’ve paused updates, turn them back on. Modern Office versions from the last few years get security fixes through Microsoft Update, so you’re likely already covered, but verify.

Enterprise IT Administrators

For larger orgs, this is a test of patch discipline. You’re not scrambling for a zero-day; you’re closing a known hole. The first step: check your Office inventory. Are all devices on supported channels? Monthly Enterprise? Semi-Annual? Perpetual 2021? Do you have ancient Office 2013 boxes lingering in finance? Identify which builds need the June security patch.

Prioritize machines that routinely open external documents—executives, sales, legal, HR. Then roll out the update through your management stack, whether that’s SCCM, Intune, or third-party tools. But don’t stop at deployment. Verify compliance. That last 5% of unpatched laptops, often off-network, are where risk rots.

Beyond the patch, lean on Office hardening controls you already have (or should deploy): ensure Protected View is enforced for attachments, disable macros for internet-sourced files, use Attack Surface Reduction rules to block Office from launching child processes, and filter attachments with a cloud-based scanner. These layers reduce the likelihood that a malicious file reaches the vulnerable parser.

How We Got Here: Office’s Endless Trust Boundary

Microsoft’s Patch Tuesday rhythm has churned out Office bugs for decades, but the nature of the threat has evolved. Ten years ago, macros were the main delivery vector. Today, attackers weaponize document parsing flaws, template injections, and embedded objects. Information disclosure, often a stepping stone, has become more valuable as environments grow more interconnected.

The confidence metric mentioned by Microsoft isn’t new, but it’s rarely appreciated. It signals that the vendor isn’t guessing; the flaw’s existence is corroborated. For security teams, that’s the green light to act. Compare it to a rumor that never materializes—here, Microsoft has acknowledged the issue. You don’t need a full exploit chain on Twitter to justify patching.

Historically, Office information disclosure bugs have ranged from benign metadata leaks (like revealing document author names) to more sinister issues that expose memory contents or network paths. Without specifics on CVE-2026-45485, assume the potential impact is higher than the lack of attention would suggest. The Edward Snowden-era leaks taught us that “metadata” alone can be a goldmine. The same principle applies: anything Office inadvertently shares can be exploited.

What to Do Right Now: A Checklist

If you’re a home user:
- Open Word, Excel, or any Office app. Click File > Account > Update Options > Update Now.
- Ensure Windows Update is also running. Some Office patches arrive through Windows Update if you’re using Microsoft 365.
- Be wary of unexpected Office files from unknown senders—even in preview or protected mode.

If you’re an IT admin:
- Confirm which Office versions are in your environment. Target Microsoft 365 Apps (Current Channel, Monthly Enterprise, Semi-Annual), Office 2021, Office 2019, and any supported perpetual versions.
- Deploy the June 2026 security update to these builds. Microsoft typically releases patches for multiple Office versions simultaneously.
- For devices that can’t be patched immediately, apply compensating controls: restrict documents from opening in full edit mode, disable macros, and isolate those devices from external file sharing temporarily.
- Review Office update channels. Some machines may have fallen behind due to configuration drift. Use tools like the Microsoft 365 Apps admin center or Configuration Manager to enforce correct channel settings.
- Check for legacy Office installs (2013, 2010) that might still be running for compatibility reasons. These will not receive a patch. Isolate them from untrusted content or accelerate decommissioning.

What not to do:
- Don’t wait for a public exploit to surface. The lack of one today doesn’t guarantee safety tomorrow.
- Don’t disable Office update because the advisory seems vague. That’s exactly when updates matter most.

Outlook: The Silent Patch Cycle

CVE-2026-45485 will likely fade from headlines, but it’s a bellwether for how vendors and defenders handle low-detail, high-confidence bugs. Expect more advisories like this, especially as Microsoft’s security research expands and coordinated disclosure norms prioritize patching over publicity. The real story isn’t just this bug—it’s whether organizations can maintain update hygiene when the alarm bells aren’t ringing. The patch is out. The data is not. That should be enough to push “Update Now.”