Microsoft MSHTML Remote Code Execution Vulnerability Threat Intel Advisory


Researchers have detected exploitation of CVE-2021-40444, a remote code execution flaw in MSHTML, the engine used to render web content inside Office documents.
Category Vulnerability Intelligence
Vulnerability Class Remote Code Execution
CVE id CVE-2021-40444
CVSS:3.0 Score 8.8

Executive Summary

  • Microsoft, Mandiant, and EXPMON researchers have detected a vulnerability, tracked as CVE-2021-40444, that targets a remote code execution flaw in MSHTML, used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents.
  • The zero-day vulnerability is actively exploited by threat actors and Office users are targeted through client-side attack vectors.
  • Microsoft has updated Windows Defender Antivirus and Windows Defender for Endpoints to defend against this vulnerability.
  • Assets can be protected against the attack by following the guidelines recorded in the Impact & Mitigation section of this advisory.


Trident, popularly known as the MSHTML, is a browser engine developed by Microsoft for Internet Explorer. The Microsoft Office suite supports MSHTML, which has a remote code execution vulnerability (CVE-2021-40444) that attackers are increasingly exploiting to gain code execution on targeted systems. At present, Microsoft has not disclosed the technical details of the vulnerability.
  • Threat actors craft a malicious ActiveX control which is then used in Office documents that host MSHTML.
  • The logical flaw in MSHTML is triggered when the user opens the malicious document.
  • Protected View and Application Guard in Microsoft Office applications are capable of defending against these targeted attacks.
  • Microsoft has updated Defender for Endpoints, to flag such attacks with an alert that reads “Suspicious Cpl File Execution.”
  • Microsoft has not released a patch for this zero-day vulnerability, but TTPs (tactics, techniques, and procedures) for this vulnerability have been updated in Windows Defender.
  • Additionally, an official Microsoft advisory that includes a workaround has been included in the following section.

Impact & Mitigation

Impact Mitigation
  • Remote code execution allows the attackers to take control of the target system.
  • Initial access to a corporate endpoint may potentially enable lateral movements in the internal network.
  • Nation-state actors leverage client-side zero-day vulnerabilities to compromise information, while ransomware groups use these vulnerabilities to extort money by encrypting user data.
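The workaround the advisory refers to is Microsoft's interim guidance to disable installation of ActiveX controls in Internet Explorer for all zones. The following PowerShell script is an added example, not part of this advisory, that audits and optionally applies that setting; it assumes the policy key path and the URL action values 1001 (signed) and 1004 (unsigned ActiveX download) with 3 meaning disable, as given in Microsoft's workaround.

```powershell
# Added example: audit (and with -Apply, enforce) the CVE-2021-40444 ActiveX workaround.
# Assumption: key path and value names follow Microsoft's published workaround.
# Run in an elevated PowerShell session when using -Apply.
param([switch]$Apply)

$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions = '1001', '1004'   # download signed / unsigned ActiveX controls
$Disable = 3                # URL action value: 0 = enable, 1 = prompt, 3 = disable

function Test-ActiveXWorkaround {
    # Returns one row per zone/action with the current value and a compliance flag.
    $findings = @()
    foreach ($zone in 0..3) {
        $key = Join-Path $base ([string]$zone)
        foreach ($action in $actions) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            }
            $findings += [pscustomobject]@{
                Zone      = $zone
                Action    = $action
                Value     = $current
                Compliant = ($current -eq $Disable)
            }
        }
    }
    return $findings
}

$status = Test-ActiveXWorkaround
$status | Format-Table -AutoSize

if ($Apply) {
    foreach ($f in ($status | Where-Object { -not $_.Compliant })) {
        $key = Join-Path $base ([string]$f.Zone)
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $f.Action -PropertyType DWord -Value $Disable -Force | Out-Null
        Write-Host "Zone $($f.Zone): set $($f.Action) = $Disable"
    }
    Write-Host 'Reboot the system for the new configuration to take effect.'
}
```

Without -Apply the script only reports which zones still allow ActiveX downloads, which is useful for checking fleet-wide compliance before the vendor patch is deployed.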

Indicators of Compromise

IP/Domain hidusi[.]com
Hashes D0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745
