⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2021-11-17.

CVE-2021-40444

CWE-22 Path Traversal | 46 documents | 18 sources
Severity: 7.8 HIGH
EPSS: 94.3% (top 0.05%)
CISA KEV: KEV, Ransomware (added 2021-11-03, due 2021-11-17)
Exploit: Exploited in wild; active exploitation observed
Timeline: Published Sep 15 | KEV added Nov 3 | KEV due Nov 17 | Latest update Jun 27
CISA Required Action: Apply updates per vendor instructions.

Description

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are con

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
Exploitability: 2.8 | Impact: 5.3

Affected Packages: 33 packages

Patches

🔴 Vulnerability Details (5)

Project0
2022 0-day In-the-Wild Exploitation…so far - Project Zero (2022-06-01)
GHSA
GHSA-2h32-fhf6-xhh5: Microsoft MSHTML Remote Code Execution Vulnerability (2022-05-24)
Project0
The More You Know, The More You Know You Don’t Know - Project Zero (2022-04-01)
CVEList
Microsoft MSHTML Remote Code Execution Vulnerability (2021-09-15)
VulnCheck
Microsoft MSHTML Remote Code Execution Vulnerability (2021)

📋 Vendor Advisories (2)

CISA
Microsoft MSHTML Remote Code Execution Vulnerability (2021-11-03)
Microsoft
Microsoft MSHTML Remote Code Execution Vulnerability (2021-09-14)

🕵️ Threat Intelligence (35)

Fortinet
MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems | FortiGuard Labs (2024-06-27)
Fortinet
LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros | FortiGuard Labs (2023-07-12)
Elastic
FORMBOOK Adopts CAB-less Approach — Elastic Security Labs (2022-06-07)
Securelist
IT threat evolution Q3 2021 (2021-11-26)
CVE-2021-40444 (HIGH CVSS 7.8) | Microsoft is investigating reports | cvebase.io