Advisory September 8, 2021

Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

Obrela SOC

(Updated: 15 Sept 2021)

Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows resulting from the malicious usage of Microsoft Office files. This vulnerability is exploitable with fairly low complexity and no privileges required, allowing a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild.


Given the return from Summer holidays, it is expected that you may have several documents for review on your Inbox. It is strongly advised not to open any Microsoft Office files from untrusted senders.

Upon successfully exploiting the system with crafted Office files using Malicious ActiveX controls, attackers will typically gain access to the system with user rights. Users with fewer or “just enough” rights could be less impacted compared to administrative privileges. Applying the principle of least privilege is the key in avoiding a mass spread compromise inside the organization.

For administrators

Although by default, Microsoft Office opens documents from the internet in Protected View, users may be tricked to bypass it and edit the malicious files. Since there is no official patch available at the moment, it is advised to mitigate the attack it is advised to disable the installation of all ActiveX controls in Internet Explorer through an addition of configuration in the registry. For the complete recommended registry edit, please consult Microsoft’s advisory in this link.

Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.


Microsoft has released security updates for all affected versions of Windows to address this vulnerability. These updates include Monthly Rollups, Security Only, and IE Cumulative updates.

Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates.

Customers running Windows 7, Windows Server 2008 R2, or Windows Server 2008:

  • The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update.
  • Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability.

CVE-2021-40444 Details

Note: This article was updated on 15 September 2021 to add remediation measures released by Microsoft.