Priority: Critical

Executive Summary:

Microsoft has reported a zero-day vulnerability in MSHTML affecting Microsoft Windows, targeting users to download a malicious Microsoft Office document. A proof-of-concept has been released to the public with Microsoft advising administrators to enforce a workaround until an official Microsoft patch is released. This is being tracked as CVE-2021-40444. The vulnerability is being leveraged by unauthenticated attackers to execute remote code on targeted systems.


Attackers are crafting a malicious ActiveX control to be used by a Microsoft Office document, potentially attached by a phishing email, to trick users to open the malicious document that hosts the browser rendering engine.

Microsoft Office manages and opens documents received from the internet in Protected View or through Application Guard by default, which in turn, prevents the attack. Users who exit Protected View can be compromised by opening the document. 

A published proof-of-concept is in the wild to exploit this vulnerability however, mitigations and workarounds are available from Microsoft pending the release of a patch.

Affected Products:

All Microsoft Windows users are affected however, accounts with fewer user rights configured are less impacted than accounts who operate with full administrative user rights.


Microsoft recommends implementing a workaround since the exploit is publicly disclosed.

The workaround disables the installation of ActiveX controls in Internet Explorer. The workaround will not impact the performance of previously-installed ActiveX controls. Details on how to disable the workaround once the vulnerability has been patched are also include.

Full details can be found here.


Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should still keep antimalware products up to date.

Customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

It is recommended that customers carry out regular security awareness training for all users across their estate to educate on how to detect phishing emails and maintain resiliency against future threats.