Microsoft MSHTML Remote Code Execution Vulnerability Threat Intel Advisory

Researchers detected CVE-2021-40444, a remote code execution flaw in MSHTML, the engine Microsoft Office uses to render web content inside documents.
Updated on April 19, 2023
Published on September 9, 2021
Category Vulnerability Intelligence
Vulnerability Class Remote Code Execution
CVE id CVE-2021-40444
CVSS:3.0 Score 8.8

Executive Summary

  • Researchers at Microsoft, Mandiant, and EXPMON have detected a vulnerability, tracked as CVE-2021-40444, that allows remote code execution through MSHTML, the engine Microsoft Office uses to render web content inside Word, Excel, and PowerPoint documents.
  • This zero-day vulnerability is being actively exploited by threat actors; Office users are targeted through client-side attack vectors.
  • Microsoft has updated Windows Defender Antivirus and Defender for Endpoint to detect exploitation of this vulnerability.
  • Assets can be protected against the attack by following the guidelines in the Impact & Mitigation section of this advisory.


Trident, better known as MSHTML, is the browser engine Microsoft developed for Internet Explorer. The Microsoft Office suite also relies on MSHTML, and a remote code execution vulnerability in it (CVE-2021-40444) is being exploited increasingly often to gain code execution on targeted systems. At present, Microsoft has not disclosed the technical details of the vulnerability.
  • Threat actors craft a malicious ActiveX control, which is then embedded in an Office document that hosts the MSHTML rendering engine.
  • The logic flaw in MSHTML is triggered when the user opens the malicious document.
  • However, Protected View and Application Guard in Microsoft Office applications are capable of blocking these targeted attacks.
  • Microsoft has updated Defender for Endpoint to flag such attacks with an alert that reads “Suspicious Cpl File Execution.”
  • Microsoft has not yet released a patch for this zero-day vulnerability, but detections for the associated TTPs (tactics, techniques, and procedures) have been added to Windows Defender.
  • Additionally, the workaround from the official Microsoft advisory is included in the following section.

Impact & Mitigation

Impact
  • Successful remote code execution lets an attacker take control of the target system.
  • Initial access to a corporate endpoint may enable lateral movement within the internal network.
  • Nation-state actors leverage client-side zero-day vulnerabilities to compromise information, while ransomware groups use them to extort money by encrypting user data.

Indicators of Compromise

IP/Domain: hidusi[.]com
Hash (SHA-256): D0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745
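As an added example that is not part of the advisory, the script below refangs the two indicators listed above and matches them against proxy log lines and file hashes. The log line format, the client IPs and all hashes other than the advisory's own are constructed for the example.

```python
import re

# Indicators quoted in the advisory, in the defanged form they are published in.
ADVISORY_IOCS = {
    "domains": ["hidusi[.]com"],
    "sha256": ["D0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745"],
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hidusi[.]com, hxxp://) back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def build_matchers(iocs):
    """Normalise the IoC list: refanged lowercase domains, lowercase hex hashes."""
    domains = {refang(d) for d in iocs["domains"]}
    hashes = {h.lower() for h in iocs["sha256"]}  # hex digests compare case-insensitively
    return domains, hashes

def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# Constructed proxy log lines; assumed format: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2021-09-08T10:01:02Z 10.0.0.5 GET http://update.example.com/index.html 200
2021-09-08T10:01:05Z 10.0.0.5 GET http://hidusi.com/page.html 200
2021-09-08T10:01:09Z 10.0.0.7 GET https://cdn.HIDUSI.COM/file.bin 200
"""

# timestamp, client IP, method, then scheme://host of the requested URL
URL_HOST = re.compile(r"^\S+\s+(\S+)\s+\S+\s+[a-z]+://([^/\s:]+)", re.I)

def scan_proxy_log(log_text, domains):
    """Return (client_ip, host) for every line whose host is, or is under, a listed domain."""
    hits = []
    for line in log_text.splitlines():
        m = URL_HOST.match(line)
        if m and host_matches(m.group(2), domains):
            hits.append((m.group(1), m.group(2).lower()))
    return hits

def scan_hashes(observed, hashes):
    """Match observed file hashes (any letter case) against the advisory's SHA-256 list."""
    return sorted(h for h in observed if h.lower() in hashes)
```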
