Cyber Resilience

CVE-2021-40444

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 15 September 2021

Modified: 30 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L)
EPSS Score: 0.9684 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2021-40444 is a high-severity Path Traversal (CWE-22) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2021-40444 is a remote code execution vulnerability in the MSHTML browser rendering engine component of Microsoft Windows. It is triggered when a Microsoft Office document hosts a malicious ActiveX control, allowing an attacker to execute arbitrary code on the target system. The flaw received a CVSS v3.1 score of 8.8 and is associated with CWE-22.

An attacker can exploit the issue by crafting a specially formed Office document and convincing a user to open it, resulting in code execution in the context of the current user. Targeted attacks leveraging this vector were observed in the wild prior to patch availability. Users whose accounts have fewer rights on the system could be less impacted than users who operate with administrative rights.

Microsoft released security updates on 14 September 2021 to address the vulnerability and recommends immediate installation. Microsoft Defender Antivirus (build 1.349.22.0 or newer) and Microsoft Defender for Endpoint provide detection, surfacing alerts such as “Suspicious Cpl File Execution”; customers using automatic updates receive protection without further action.

Public proof-of-concept material and technical overviews have appeared on sites such as PacketStorm, confirming active researcher interest following disclosure.

Vulnerability details

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.

UPDATE September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

CVEs Like This One

CVE-2021-1675 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2022-30190 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2021-34527 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2021-27065 · Same vendor: Microsoft · both on KEV
CVE-2025-24985 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24991 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24054 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-26633 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24993 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-59230 · Same product: Microsoft Windows 10 1507 · both on KEV

Affected Assets

Vendor · Product · Affected versions
microsoft · windows 10 1507 · ≤ 10.0.10240.19060
microsoft · windows 10 1607 · ≤ 10.0.14393.4651
microsoft · windows 10 1809 · ≤ 10.0.17763.2183
microsoft · windows 10 1909 · ≤ 10.0.18363.1801
microsoft · windows 10 2004 · ≤ 10.0.19041.1237
microsoft · windows 10 20h2 · ≤ 10.0.19042.1237
microsoft · windows 10 21h1 · ≤ 10.0.19043.1237
microsoft · windows 7 · all versions
microsoft · windows 8.1 · all versions
microsoft · windows rt 8.1 · all versions
+7 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · detect

Directly implements the Microsoft Defender Antivirus signatures (build 1.349.22.0+) that detect and block the malicious ActiveX control in Office documents for this CVE.

prevent

Requires prompt installation of the 14 September 2021 security update that patches the MSHTML remote-code-execution flaw before exploitation can succeed.

SC-18 Mobile Code (partial match)
prevent

Establishes usage restrictions and implementation guidance for mobile code technologies such as ActiveX controls hosted inside Office documents, blocking the attack vector used by CVE-2021-40444.
