>_ 0dayNews
CVE Record
[ HIGH ] CVE-2021-40444

MSHTML Remote Code Execution via Malicious Office Document

A remote-code-execution vulnerability in the MSHTML (Trident) browser engine component used by Microsoft Office allows an attacker to execute arbitrary code when a victim opens a specially crafted Office document — exploited in the wild as a zero-day before Microsoft's patch shipped.

cat cve-2021-40444.json
Vendor: Microsoft
Product: Windows MSHTML
CVSS: 8.8
Status: kev
Published

CVE-2021-40444 is a remote-code-execution vulnerability in MSHTML, the legacy browser-rendering engine that Windows and Microsoft Office components still use for certain document-rendering tasks. Microsoft disclosed it on September 7, 2021, alongside confirmation that it was already being exploited in the wild as a zero-day, via malicious Office documents that loaded a specially crafted ActiveX control to achieve code execution.

Why it mattered

The attack required only that a victim open a malicious Word document — no macros, no additional prompts beyond normal document handling in many configurations — making it an effective initial-access vector for phishing campaigns. Microsoft’s initial mitigation, published before the full patch, involved disabling ActiveX control installation in Internet Explorer via registry changes, since MSHTML underpinned the vulnerable rendering path even inside Office.
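One way to verify that the registry mitigation described above is actually in place on a host, as an added example that is not code from this page or from Microsoft. It assumes details the page does not give: that ActiveX installation is controlled per Internet zone (0 to 3) by URL actions 1001 and 1004 under the Internet Settings zone policy key, with data 3 meaning "disallow"; the sample export is constructed.

```python
import re

# Assumption (not stated on this page): per-zone URL actions 1001 (download
# signed ActiveX) and 1004 (download unsigned ActiveX) govern control
# installation; data 3 = disallow, 1 = prompt, 0 = allow.
ZONES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")
ZONES = ("0", "1", "2", "3")
ACTIONS = ("1001", "1004")
DISALLOW = 3

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: int}}.
    Only DWORD values are kept. Files written by `reg export` are UTF-16,
    so decode them with encoding="utf-16" before calling this."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return (zone, action, found) for every setting that is not 'disallow'.
    found is None when the key or value is absent from the export."""
    keys = parse_reg(text)
    gaps = []
    for zone in ZONES:
        values = keys.get((ZONES_KEY + "\\" + zone).lower(), {})
        for action in ACTIONS:
            found = values.get(action)
            if found != DISALLOW:
                gaps.append((zone, action, found))
    return gaps

# Constructed sample: zone 3 is hardened, zone 2 still prompts for signed
# controls (1), zones 0 and 1 are missing from the export entirely.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + ZONES_KEY + "\\2]", '"1001"=dword:00000001', '"1004"=dword:00000003', "",
    "[" + ZONES_KEY + "\\3]", '"1001"=dword:00000003', '"1004"=dword:00000003',
])

if __name__ == "__main__":
    for zone, action, found in audit(SAMPLE):
        print(f"zone {zone} action {action}: {found!r} (expected {DISALLOW})")
```

An empty result from `audit` means every zone blocks both actions; a missing key is reported the same way as a permissive value, because an absent policy leaves the default behaviour in effect.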

Because a full, tested patch took roughly two weeks after public disclosure, threat intelligence teams observed a window of active exploitation by multiple actors delivering commodity malware loaders through the flaw before most organizations could patch. The vulnerability was added to CISA’s KEV catalog. Full mitigation and patch guidance is in Microsoft’s security advisory and at the NVD link above.