CVE-2021-40444

CVE-2021-40444 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.

Key facts

Description

<p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.</p> <p>An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.</p> <p>Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.</p> <p>Please see the <strong>Mitigations</strong> and <strong>Workaround</strong> sections for important information about steps you can take to protect your system from this vulnerability.</p> <p><strong>UPDATE</strong> September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.</p>

CVE-2021-40444: Microsoft MSHTML Remote Code Execution via Malicious Office Documents

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-40444
CVSS v2 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS v3 8.8 HIGH — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
CWE CWE-22 (Path Traversal)
EPSS 0.96843 (96.8%) — 99.88th percentile
KEV Yes — Added 2021-11-03
EU Exploited Yes — Since 2021-11-03 (EUVD-2021-27621)
Published 2021-09-15
Assigner [email protected]

Summary

CVE-2021-40444 is a remote code execution (RCE) vulnerability in the Microsoft MSHTML browser rendering engine. Attackers can craft malicious Microsoft Office documents that embed a hostile ActiveX control. When a user opens the document, the control executes in the context of the MSHTML engine, allowing arbitrary code execution. Microsoft confirmed active, targeted exploitation in the wild prior to patch release.

Background

MSHTML (Trident) is the legacy rendering engine underlying Internet Explorer and continues to be loaded by Microsoft Office applications to render web content within documents. Because Office supports embedded ActiveX objects, the attack surface spans both the browser engine and the document format. This vulnerability emerged as a zero-day in late summer 2021 and was rapidly adopted by threat actors in phishing campaigns.

Root Cause

The vulnerability is classified under CWE-22: Path Traversal. The flaw arises from improper handling of file paths within the MSHTML engine when processing ActiveX controls embedded in Office documents. A malicious document can reference an external resource or control via a crafted path, leading to unintended execution of attacker-supplied code in the rendering process. The combination of ActiveX support and insufficient path validation creates a reliable exploitation path.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L describes a HIGH-severity vulnerability with the following characteristics:

  • Attack Vector (AV): Network — Exploitable remotely.
  • Attack Complexity (AC): Low — No special conditions required.
  • Privileges Required (PR): None — No elevated access needed.
  • User Interaction (UI): Required — Victim must open the document.
  • Scope (S): Changed — The vulnerable component (MSHTML) can affect resources beyond its security scope.
  • Impact: Low confidentiality loss, high integrity impact, low availability impact.

The CVSS v2 score of 6.8 reflects medium severity under the older model, but the v3.1 score of 8.8 and confirmed in-the-wild exploitation warrant urgent attention.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive awareness only. No weaponized exploit code is included. Organizations should use this information to improve detection and hardening, not to attack systems without authorization.

  1. Document Preparation: An attacker creates a Microsoft Office document (typically Word) and embeds a malicious ActiveX control.
  2. Social Engineering: The document is delivered via phishing email or other social engineering.
  3. User Action: The victim opens the document. Depending on Office settings, the document may open in Protected View; disabling Protected View or clicking "Enable Editing" enables the attack path.
  4. Control Execution: MSHTML processes the embedded ActiveX control, triggering the path traversal flaw and executing attacker-controlled code.
  5. Post-Exploitation: With code running in the context of the user's session, the attacker can establish persistence, move laterally, or deploy additional payloads.

Affected and Patched Versions

Microsoft released security updates on September 14, 2021. Affected platforms include:

  • Windows 7 SP1
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 (versions 1507, 1607, 1809, 1909, 2004, 20H2, 21H1)
  • Windows Server 2008 SP2, Server 2008 R2 SP1
  • Windows Server 2012, Server 2012 R2
  • Windows Server 2016, Server 2019, Server 2022
  • Windows Server 20H2, Server 2004

Action: Apply the September 2021 cumulative security updates for your Windows/Office versions.

Remediation

  1. Patch Immediately: Install Microsoft's September 14, 2021 security updates.
  2. Disable ActiveX: Where business requirements allow, disable ActiveX controls in Microsoft Office via Trust Center settings.
  3. Protected View: Ensure Office documents from the internet open in Protected View; do not disable it.
  4. Attack Surface Reduction (ASR): Enable ASR rules that block Office apps from creating child processes or from executing potentially obfuscated scripts.
  5. Application Control: Use Windows Defender Application Control (WDAC) or AppLocker to restrict execution of untrusted binaries.
  6. Macro/ActiveX Policies: Consider blocking ActiveX controls via Group Policy: User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings.

Detection

  • Microsoft Defender for Endpoint: Alerts appear as "Suspicious Cpl File Execution" (detection build 1.349.22.0 or newer).
  • Microsoft Defender Antivirus: Signatures detect known exploit artifacts.
  • Network Monitoring: Watch for Office documents retrieved from untrusted domains followed by unexpected child processes (e.g., control.exe, rundll32.exe).
  • ETW / Sysmon: Monitor for winword.exe or excel.exe spawning suspicious child processes after document open events.
  • Email Gateways: Block or sandbox inbound Office attachments from untrusted senders.

Assessment

  • Threat Context: With an EPSS score of 0.96843 (≈97% probability of exploitation) and inclusion in both CISA KEV and EUVD catalogs, this vulnerability represents a critical, actively exploited threat.
  • Exploitation Prevalence: Widely exploited by multiple threat actors since its disclosure.
  • Lessons Learned:
    1. Legacy components create lasting risk: MSHTML and ActiveX are decades-old technologies that continue to introduce high-impact vulnerabilities.
    2. Patch velocity matters: Organizations that applied the September 2021 updates within days were significantly less exposed than those with slower patch cycles.

References

Frequently asked questions

What is CVE-2021-40444?
<p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.</p> <p>An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.</p> <p>Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.</p> <p>Please see the <strong>Mitigations</strong> and <strong>Workaround</strong> sections for important information about steps you can take to protect your system from this vulnerability.</p> <p><strong>UPDATE</strong> September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.</p>
How severe is CVE-2021-40444?
CVE-2021-40444 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
Is CVE-2021-40444 being actively exploited?
Yes. CVE-2021-40444 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-40444?
CVE-2021-40444 primarily affects Microsoft Windows 10 1507. In total, 19 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-40444?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-40444 have an EU (EUVD) identifier?
Yes. CVE-2021-40444 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-27621. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-40444 published?
CVE-2021-40444 was published on 2021-09-15 and last updated on 2026-06-17.

References

Affected products (19)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →