CVE-2021-40444 Explained: The MSHTML Remote Code Execution Vulnerability
A CVSS 8.8 zero-day in the Windows MSHTML rendering engine that allows RCE through a malicious Office document, no macro prompts, no Enable Content click, no warning dialogs.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2021-40444 is a remote code execution vulnerability in the Microsoft MSHTML engine, the Trident rendering engine built into Windows and used by Internet Explorer, as well as embedded within Microsoft Office for rendering HTML content in documents. The vulnerability was patched on September 14, 2021, but was already being exploited in targeted attacks before Microsoft published its advisory.
What made CVE-2021-40444 particularly notable is its exploitation method: a malicious Office document that achieves code execution without using macros, without triggering Enable Content prompts, and without displaying any security warning dialogs that a user would need to dismiss. For organizations whose security awareness training focuses on macro warnings, this vulnerability represents a blind spot.
How MSHTML Is Abused: ActiveX Without the Warnings
Microsoft Office applications, Word, Excel, PowerPoint, use the MSHTML (Trident) rendering engine to display HTML content embedded in documents. This includes HTML-formatted emails rendered in Word, HTML-based document content, and documents with embedded web content using ActiveX controls.
CVE-2021-40444 exploits this rendering path. A malicious Word document contains an embedded ActiveX control object whose relationship file points to a remote URL, typically hosted on attacker infrastructure or a compromised legitimate site. When the document is opened, Word automatically invokes MSHTML to render the ActiveX content, and MSHTML fetches the remote resource.
The attacker's server responds with a specially crafted CAB archive. MSHTML processes the CAB file and extracts its contents. The CAB contains a malicious DLL. MSHTML loads and executes the DLL in the context of the Office process, with the privileges of the current user.
No macro execution occurs at any stage of this chain. The document does not use VBA, XLM, or any other macro language. The Enable Content button, which security awareness training teaches users to recognize as a danger signal, is never shown. In Protected View configurations, the attack may require the user to click Enable Editing, but that prompt is significantly less alarming than the macro warning.
All supported versions of Microsoft Windows are affected. The vulnerability is in the MSHTML component itself, not in Office specifically, meaning other applications that host MSHTML rendering are also potential attack surfaces.
Create malicious Office document
Craft a Word or Office document containing an embedded ActiveX object reference. The object's relationship file (in the document's XML structure) points to an attacker-controlled URL that will serve a malicious payload.
Host payload on attacker infrastructure
Set up an HTTP server to respond to document-originated requests with a specially crafted CAB archive containing a malicious DLL. The URL may be hosted directly or through a compromised legitimate web property to evade reputation-based blocking.
Deliver document to victim
Send the document as an email attachment, share via file hosting service, or deliver through any channel that results in the victim opening it. Social engineering typically frames the document as a contract, invoice, or legitimate business communication.
Document opens, MSHTML fetches payload
When the victim opens the document, Office invokes MSHTML to render the ActiveX content. MSHTML automatically fetches the attacker's URL, no user click required beyond opening the document.
CAB extracted, DLL executed
MSHTML processes the fetched CAB archive, extracts the DLL, and loads it in the Office process context. The DLL executes with the victim's user privileges, dropping additional payloads, establishing C2 communication, or performing immediate post-exploitation actions.
CVE-2021-40444 in Active Exploitation
Microsoft's Security Threat Intelligence Center (MSTIC) confirmed that CVE-2021-40444 was under active targeted exploitation before the September 14, 2021 patch. Initial exploitation was attributed to multiple threat actors, suggesting the vulnerability was either independently discovered by multiple groups or shared within closed threat actor communities.
Observed attacks delivered malicious Word documents via phishing emails. The documents were often themed as legal communications, contracts, or business correspondence, document types that recipients commonly open without heightened suspicion. The payloads observed included Cobalt Strike beacons and commodity remote access tools.
Following public disclosure and publication of proof-of-concept code, exploitation expanded beyond initial targeted campaigns to include commodity threat actors. The combination of broad Windows exposure, no macro requirement, and reliable execution made CVE-2021-40444 a high-demand exploit in the period between advisory publication and patch availability.
Microsoft published a temporary workaround, disabling ActiveX controls in Office applications via Group Policy and registry changes, before the full patch was available. Organizations that implemented the workaround quickly were protected; those that waited for Patch Tuesday were exposed for an additional week.
“We are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.”
Microsoft Security Response Center, CVE-2021-40444 Advisory
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Mitigating CVE-2021-40444
The complete patch was released September 14, 2021 via Windows Update. Organizations with delayed patching cycles should apply the patch immediately and consider the following defense-in-depth measures.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2021-40444 closes a gap that security awareness training cannot address: a document that achieves code execution without using macros and without displaying recognizable warning prompts. Training users to avoid clicking Enable Content protects against macro attacks. It does not protect against MSHTML-based ActiveX exploitation in Word documents.
This is why defense-in-depth below the user layer matters. Blocking Office processes from making outbound network connections, disabling ActiveX at the GPO level, and deploying AMSI-capable endpoint protection are controls that operate regardless of user behavior. They do not rely on users recognizing a threat that looks like a normal business document.
MSHTML is a legacy component that carries decades of attack surface. The Trident engine has been the site of numerous critical vulnerabilities over its history. Organizations should evaluate whether any legitimate business processes still require MSHTML-based ActiveX functionality in Office, and if not, disable it permanently as a policy decision, not just a CVE response.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2021-40444 and why is it dangerous?
CVE-2021-40444 is a CVSS 8.8 remote code execution vulnerability in the Windows MSHTML rendering engine. A malicious Office document containing an embedded ActiveX reference silently causes MSHTML to download and execute a DLL from an attacker-controlled server. No macros are used and no Enable Content prompt appears, bypassing the security awareness training most organizations rely on.
How do I fix CVE-2021-40444?
Apply the September 14, 2021 cumulative Windows security update for all supported Windows versions. As defense-in-depth, disable ActiveX controls in Office via Group Policy, enable Protected View for documents from external sources, and block outbound HTTP/HTTPS connections from Office processes (winword.exe, excel.exe) using endpoint security rules.
Can CVE-2021-40444 be exploited through email?
Yes. The most common delivery method observed in the wild was email attachments, Word or Office documents framed as contracts, invoices, or business communications. When the recipient opens the attachment, MSHTML automatically fetches the attacker payload without any additional user interaction beyond opening the file.
Can disabling ActiveX prevent CVE-2021-40444?
Yes. Disabling all ActiveX controls in Office via Group Policy is an effective mitigation because CVE-2021-40444 exploits the ActiveX object loading path in MSHTML. Apply the GPO setting: User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings > Disable All ActiveX. This breaks the primary exploit chain and should be applied as baseline security policy regardless of CVE-2021-40444 patch status. Microsoft's temporary workaround before the September 2021 patch used this exact registry-based ActiveX block.
Does Protected View protect against CVE-2021-40444?
Protected View provides limited protection. If the document arrives from email or the internet and Protected View is enabled, the user must click Enable Editing before Word renders the embedded ActiveX content. This adds a user interaction step that may interrupt the exploit chain for some users. However, Protected View is often disabled by GPO exception for certain file types or network locations, and some Office configurations render documents without Protected View even from external sources. The June 2021 patch is the complete fix; Protected View is only a partial mitigation.
Was CVE-2021-40444 exploited by nation-state actors?
Yes. Microsoft's Security Threat Intelligence Center confirmed targeted exploitation before the September 14, 2021 patch by multiple threat actor groups. The sophistication of the initial exploitation artifacts, custom CAB-packaged DLL payloads and Cobalt Strike beacon deployment, suggested nation-state actor capability. Post-disclosure exploitation expanded to commodity threat actors deploying remote access tools via weaponized Office documents. The zero-day targeting was consistent with a threat actor who either purchased or independently discovered the vulnerability for intelligence collection prior to its public disclosure.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
