
CVE-2021-40444

Published: 15/09/2021 Updated: 20/09/2021

Vulnerability Summary

Microsoft Windows MSHTML Remote Code Execution Vulnerability. Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack.

Github Repositories

CVE-2021-40444 CVE-2021-40444 POC -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu0enjPUx4R0+zWyY4FEI 0LUeiAJecPz6iDPdMRiIQHBPZBxKH7A+losAu7DB9IoY1GnGvFJzA1G4UkK6n/rg 2r65Ym3SloHoov/IxC2qcyz1UBftD0HBR8KE9Yy84k1sYIdNzKeWPQETY9UqEEy/ 1EPQ29H78JhEVCGZwntnHOzzAna6RYtmzm2JM5NGqOBwK7rkNVmmWXyCsbGy6aki 4mD+2gn3pYtAg6iSrvClT5cyKvUpyPx07+YdHbhGxlQ8DJ7UsoUiuI6lRbB

cve-2021-40444 Reverse engineering the "A Letter Before Court 4.docx" malicious files exploiting cve-2021-40444

MSHTMHell: Malicious document builder for CVE-2021-40444

MSHTHell: Malicious document builder for CVE-2021-40444

CVE-2021-40444 builders This repo contains builders of cab file, html file, and docx file for CVE-2021-40444 exploit. This repo is just for testing, research and educational purposes. You are responsible for how you use the code provided in this repo. The builders for this CVE are already public. The purpose of this repo is to check how effectively we can bypass static detection.

CVE-2021-40444 Reproduce steps for CVE-2021-40444 Generating docx Go to maldoc/word/_rels/document.xml.rels and edit the two occurrences of <HOST> with the URL to the exploit.html file. E.g.: 127.0.0.1/exploit.html Generate docx: cd maldoc/ ; zip -r maldoc.docx * Generating malicious cab #include <windows.h> void exec(void) { system(&q

CVE-2021-40444 PoC Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution). Creation of this script is based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file). You need to install lcab first (sudo apt-get install lcab). Check REPRODUCE.md for manual rep

"Fork" of lockedbyte's CVE-2021-40444 PoC Folks, I tried to port his PoC for usage on Win using given modules for that, but I think I messed up at some point. Connection to the local server will be established, but either my CAB file is corrupt or the generated DOCX. Usage All variables will be read from config.json and can be changed there. Generate CAB and DOCX pyth

CVE-2021-40444 Analysis This repository contains the deobfuscated exploit code for CVE-2021-40444 as recovered by Immersive Labs during their analysis This repository supports the blog article that can be found at

Fully Weaponized CVE-2021-40444 Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution), works with arbitrary DLL files Background Although many PoC are already around the internet, I guessed to give myself a run to weaponizing this vulnerability, as what I found available lacked valuable information that it's worth sharing, also c

Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-40444 How to disable ActiveX controls on an individual system 1. To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Curren

CVE-2021-40444-docx-Generate

CVE-2021-40444 This is just a small PoC for CVE-2021-40444; for demo purposes I used mspaint

CVE-2021-40444 CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability

CVE-2021-40444-CAB CVE-2021-40444 - Custom CAB templates from MakeCAB [%] CVE-2021-40444 - Custom CAB templates with Command [%] [%] python3 poc.py <calc.cab> <command/file.dll> [i] Example: python3 poc.py powershell.cab "powershell -C mspaint" python3 poc.py power.cab calc.dll

CVE-2021-40444-URL-Extractor Python script to extract embedded URLs from doc files (doc, docx, docm, rtf)

VilNE VilNE Scanner What is VilNE? VilNE - Victim Initiated Locale Network Enumerator/Exploiter (pronounced Villainy) is a tool to show proof of concepts which may highlight the potential attack surface present within an organisation's internal network. This attack surface will often be under-estimated, with vulnerability management perhaps not giving it the attention that i

CVE-2021-40444

CVE-2021-40444 CVE-2021-40444

CVE-2021-40444 docx Generate docx generate to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution) create blank docx file, add "Bitmap Image" object in "Insert/Object" menu

CVE-2021-40444-Sample CVE-2021-40444 Sample

[EXP] Ladon CVE-2021-40444 Office vulnerability reproduction. Vulnerability overview: On September 8, Beijing time, NSFOCUS CERT observed that Microsoft had published a security advisory disclosing a Microsoft MSHTML remote code execution vulnerability. An attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine; after successfully inducing a user to open the malicious document, the attacker can act on the target system with that user's privileges

YangsirStudyPlan Personal learning and growth plan. Heartfelt thanks to the mentors and seniors who have helped and guided me along the way. Restlessness + complacency + standing still == today's deadweight + security-industry worker waiting to change careers. Learn from the pain and keep studying; only then can you move forward. Keep going, and always keep your left foot in front of your right. Only practice and hands-on work yield real knowledge; when you don't know how to do something, just start learning by doing, and you have already succeeded.

Recent Articles

Microsoft: Windows MSHTML bug now exploited by ransomware gangs
BleepingComputer • Sergiu Gatlan • 16 Sep 2021

Microsoft says multiple threat actors, including ransomware affiliates, are targeting the recently patched Windows MSHTML remote code execution security flaw.
In the wild exploitation of this vulnerability (tracked as CVE-2021-40444) began on August 18 according to the company, more than two weeks before Microsoft published.
According to telemetry data analyzed by security analysts at the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (M...

Microsoft Patch Tuesday fixes actively exploited zero‑day and 85 other flaws
welivesecurity • 15 Sep 2021

The arrival of the second Tuesday of the month can only mean one thing in cybersecurity terms, Microsoft is rolling out patches for security vulnerabilities in Windows and its other offerings. This time round Microsoft’s Patch Tuesday brings fixes to no fewer than 86 security loopholes including one that has been both previously disclosed and actively exploited in the wild. Of the grand total, three security flaws received the highest severity rating of “critical”.
Indexed as CVE-2...

Microsoft's end-of-summer software security cleanse crushes more than 80 bugs
The Register • Thomas Claburn in San Francisco • 15 Sep 2021

Azure agent in Linux guests fixed, MSHTML exploit tackled, and much more – Plus: Adobe and SAP issue updates

Patch Tuesday For its September Patch Tuesday, Microsoft churned out fixes for 66 vulnerabilities alongside 20 Chromium security bugs in Microsoft Edge.
Affected products include: Azure, Edge (Android, Chromium, and iOS), Office, SharePoint Server, Windows, Windows DNS, and the Windows Subsystem for Linux.
Of these CVEs, three are rated critical, one is rated moderate, and the remainder are considered important.
One of the already publicly disclosed CVEs resolves a critical zer...

Microsoft's end-of-summer software security cleanse crushes more than 80 bugs
The Register • Thomas Claburn in San Francisco • 15 Sep 2021

Patch Tuesday fiesta also sees Adobe and SAP tidying up

Patch Tuesday For its September Patch Tuesday, Microsoft churned out fixes for 66 vulnerabilities, alongside 20 Chromium bugs in Microsoft Edge.
Affected products include: Azure, Edge (Android, Chromium, and iOS), Office, SharePoint Server, Windows, Windows DNS, and the Windows Subsystem for Linux.
Of these CVEs, three are rated critical, one is rated moderate, and the remainder are considered important.
One of the publicly disclosed CVEs, dating back to September 7, resolves a...

Microsoft Patches Actively Exploited Windows Zero-Day Bug
Threatpost • Lisa Vaas • 14 Sep 2021

In September’s Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which – the Windows MSHTML zero-day – has been under active attack for nearly two weeks.
One other bug is listed as publicly known but isn’t (yet) being exploited. Immersive Labs’ Kevin Breen, director of cyber threat research, observed that with only one CVE under active attack in the wild, it’s “quite a light Patch Tuesday” – at leas...

Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug
BleepingComputer • Sergiu Gatlan • 14 Sep 2021

Microsoft today fixed a high severity zero-day vulnerability actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers.
The remote code execution (RCE) security flaw, tracked as CVE-2021-40444, was found in the MSHTML Internet Explorer browser rendering engine used by Microsoft Office documents.
According to Microsoft, CVE-2021-40444 impacts Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the...

Windows MSHTML zero-day exploits shared on hacking forums
BleepingComputer • Lawrence Abrams • 12 Sep 2021

Threat actors are sharing Windows MSHTML zero-day (CVE-2021-40444) tutorials and exploits on hacking forums, allowing other hackers to start exploiting the new vulnerability in their own attacks.
Last Tuesday, Microsoft disclosed a that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim's computer remotely.
Even though there are no security updates available for the, as it was discovered used in acti...

Windows MSHTML zero-day defenses bypassed as new info emerges
BleepingComputer • Lawrence Abrams • 09 Sep 2021

New details have emerged about the recent Windows CVE-2021-40444 zero-day vulnerability, how it is being exploited in attacks, and the threat actor's ultimate goal of taking over corporate networks.
This Internet Explorer MSHTML remote code execution vulnerability, tracked as CVE-2021-40444, was but with few details as it has not been patched yet.
The only information shared by Microsoft was that the vulnerability uses malicious ActiveX controls to exploit Office 365 and Of...

Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows
Threatpost • Elizabeth Montalbano • 08 Sep 2021

Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote control execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.
Microsoft has not revealed much about the MSHTML bug, tracked as CVE-2021-40444, beyond that it is  “aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” according to an adviso...

Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft
The Register • Iain Thomson in San Francisco • 07 Sep 2021

ActiveX and MSHTML, the gift that keeps on giving ... to intruders

In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines.
The vulnerability, CVE-2021-40444, is described as a hole in MSHTML, Internet Explorer's browser engine. Miscreants are seemingly placing a malicious ActiveX control in an Office document and convincing victims to open or view it, potentially achieving remote code execution.
"Microsoft is investigating reports o...

Microsoft shares temp fix for ongoing Office 365 zero-day attacks
BleepingComputer • Ionut Ilascu • 07 Sep 2021

Microsoft today shared mitigation for a remote code execution vulnerability in Windows that is being exploited in targeted attacks against Office 365 and Office 2019 on Windows 10.
The flaw is in MSHTML, the browser rendering engine that is also used by Microsoft Office documents.
Identified as CVE-2021-40444, the security issue affects Windows Server 2008 through 2019 and Windows 8.1 through 10 and has a severity level of 8.8 out of the maximum 10.
Microsoft is aware of targe...

Microsoft September 2021 Patch Tuesday fixes 2 zero-days, 60 flaws
BleepingComputer • Lawrence Abrams

Today is Microsoft's September 2021 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 60 flaws.
Microsoft has fixed 60 vulnerabilities (86 including Microsoft Edge) with today's update, with three classified as Critical, one as Moderate, and 56 as Important.
Of the total 86 vulnerabilities (including Microsoft Edge):
For information about the non-security Windows updates, you can read about today's.
Microsoft has released a s...

Windows 10 KB5005565 & KB5005566 cumulative updates released
BleepingComputer • Mayank Parmar

The September 2021 Patch Update is released and Microsoft is now rolling out new KB5005565 and KB5005566 cumulative updates for recent versions of Windows 10.
Today's cumulative updates include security fixes for PCs with May 2021 Update (version 21H1), October 2020 Update (version 20H2), and May 2020 Update (version 2004).
The update is now rolling out via Windows Update, WSUS, and the Microsoft Update Catalog with numerous bug fixes and performance enhancements.
The full l...