CVE-2021-40444
CVE-2021-40444 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 97% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-27621
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
<p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.</p> <p>An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.</p> <p>Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.</p> <p>Please see the <strong>Mitigations</strong> and <strong>Workaround</strong> sections for important information about steps you can take to protect your system from this vulnerability.</p> <p><strong>UPDATE</strong> September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.</p>
CVE-2021-40444: Microsoft MSHTML Remote Code Execution via Malicious Office Documents
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-40444 |
| CVSS v2 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
| CVSS v3 | 8.8 HIGH — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L |
| CWE | CWE-22 (Path Traversal) |
| EPSS | 0.96843 (96.8%) — 99.88th percentile |
| KEV | Yes — Added 2021-11-03 |
| EU Exploited | Yes — Since 2021-11-03 (EUVD-2021-27621) |
| Published | 2021-09-15 |
| Assigner | [email protected] |
Summary
CVE-2021-40444 is a remote code execution (RCE) vulnerability in the Microsoft MSHTML browser rendering engine. Attackers can craft malicious Microsoft Office documents that embed a hostile ActiveX control. When a user opens the document, the control executes in the context of the MSHTML engine, allowing arbitrary code execution. Microsoft confirmed active, targeted exploitation in the wild prior to patch release.
Background
MSHTML (Trident) is the legacy rendering engine underlying Internet Explorer and continues to be loaded by Microsoft Office applications to render web content within documents. Because Office supports embedded ActiveX objects, the attack surface spans both the browser engine and the document format. This vulnerability emerged as a zero-day in late summer 2021 and was rapidly adopted by threat actors in phishing campaigns.
Root Cause
The vulnerability is classified under CWE-22: Path Traversal. The flaw arises from improper handling of file paths within the MSHTML engine when processing ActiveX controls embedded in Office documents. A malicious document can reference an external resource or control via a crafted path, leading to unintended execution of attacker-supplied code in the rendering process. The combination of ActiveX support and insufficient path validation creates a reliable exploitation path.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L describes a HIGH-severity vulnerability with the following characteristics:
- Attack Vector (AV): Network — Exploitable remotely.
- Attack Complexity (AC): Low — No special conditions required.
- Privileges Required (PR): None — No elevated access needed.
- User Interaction (UI): Required — Victim must open the document.
- Scope (S): Changed — The vulnerable component (MSHTML) can affect resources beyond its security scope.
- Impact: Low confidentiality loss, high integrity impact, low availability impact.
The CVSS v2 score of 6.8 reflects medium severity under the older model, but the v3.1 score of 8.8 and confirmed in-the-wild exploitation warrant urgent attention.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. No weaponized exploit code is included. Organizations should use this information to improve detection and hardening, not to attack systems without authorization.
- Document Preparation: An attacker creates a Microsoft Office document (typically Word) and embeds a malicious ActiveX control.
- Social Engineering: The document is delivered via phishing email or other social engineering.
- User Action: The victim opens the document. Depending on Office settings, the document may open in Protected View; disabling Protected View or clicking "Enable Editing" enables the attack path.
- Control Execution: MSHTML processes the embedded ActiveX control, triggering the path traversal flaw and executing attacker-controlled code.
- Post-Exploitation: With code running in the context of the user's session, the attacker can establish persistence, move laterally, or deploy additional payloads.
Affected and Patched Versions
Microsoft released security updates on September 14, 2021. Affected platforms include:
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows 10 (versions 1507, 1607, 1809, 1909, 2004, 20H2, 21H1)
- Windows Server 2008 SP2, Server 2008 R2 SP1
- Windows Server 2012, Server 2012 R2
- Windows Server 2016, Server 2019, Server 2022
- Windows Server 20H2, Server 2004
Action: Apply the September 2021 cumulative security updates for your Windows/Office versions.
Remediation
- Patch Immediately: Install Microsoft's September 14, 2021 security updates.
- Disable ActiveX: Where business requirements allow, disable ActiveX controls in Microsoft Office via Trust Center settings.
- Protected View: Ensure Office documents from the internet open in Protected View; do not disable it.
- Attack Surface Reduction (ASR): Enable ASR rules that block Office apps from creating child processes or from executing potentially obfuscated scripts.
- Application Control: Use Windows Defender Application Control (WDAC) or AppLocker to restrict execution of untrusted binaries.
- Macro/ActiveX Policies: Consider blocking ActiveX controls via Group Policy:
User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings.
Detection
- Microsoft Defender for Endpoint: Alerts appear as "Suspicious Cpl File Execution" (detection build 1.349.22.0 or newer).
- Microsoft Defender Antivirus: Signatures detect known exploit artifacts.
- Network Monitoring: Watch for Office documents retrieved from untrusted domains followed by unexpected child processes (e.g.,
control.exe,rundll32.exe). - ETW / Sysmon: Monitor for
winword.exeorexcel.exespawning suspicious child processes after document open events. - Email Gateways: Block or sandbox inbound Office attachments from untrusted senders.
Assessment
- Threat Context: With an EPSS score of 0.96843 (≈97% probability of exploitation) and inclusion in both CISA KEV and EUVD catalogs, this vulnerability represents a critical, actively exploited threat.
- Exploitation Prevalence: Widely exploited by multiple threat actors since its disclosure.
- Lessons Learned:
- Legacy components create lasting risk: MSHTML and ActiveX are decades-old technologies that continue to introduce high-impact vulnerabilities.
- Patch velocity matters: Organizations that applied the September 2021 updates within days were significantly less exposed than those with slower patch cycles.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40444
- http://packetstormsecurity.com/files/164210/Microsoft-Windows-MSHTML-Overview.html
- http://packetstormsecurity.com/files/165214/Microsoft-Office-Word-MSHTML-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167317/Microsoft-Office-MSDT-Follina-Proof-Of-Concept.html
Frequently asked questions
- What is CVE-2021-40444?
- <p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.</p> <p>An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.</p> <p>Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.</p> <p>Please see the <strong>Mitigations</strong> and <strong>Workaround</strong> sections for important information about steps you can take to protect your system from this vulnerability.</p> <p><strong>UPDATE</strong> September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.</p>
- How severe is CVE-2021-40444?
- CVE-2021-40444 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
- Is CVE-2021-40444 being actively exploited?
- Yes. CVE-2021-40444 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-40444?
- CVE-2021-40444 primarily affects Microsoft Windows 10 1507. In total, 19 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-40444?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-40444 have an EU (EUVD) identifier?
- Yes. CVE-2021-40444 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-27621. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-40444 published?
- CVE-2021-40444 was published on 2021-09-15 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/164210/Microsoft-Windows-MSHTML-Overview.html
- http://packetstormsecurity.com/files/165214/Microsoft-Office-Word-MSHTML-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167317/Microsoft-Office-MSDT-Follina-Proof-Of-Concept.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40444
Affected products (19)
- cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1909:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_2004:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:r2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…
All CVEs affecting Microsoft Windows 10 1507 →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…