Microsoft MSHTML Vulnerability | September 2021

Threat actors are actively exploiting vulnerabilities in Microsoft MSHTML engine which could allow remote code execution. Here's what you need to know.


On September 7, 2021, Microsoft Security Response Center (MSRC) reported on a security vulnerability, CVE-2021-40444, in the MSHTML engine. MSHTML, also known as Trident, is the engine used for Internet Explorer and for rendering web based content in Microsoft Office applications.  The zero day exploit allowed a threat actor to send a specifically crafted Microsoft Office document that when opened would download and execute malicious files. While original exploits would have required the user to click through a warning to execute, newer versions of the exploit allow for the exploit to occur without the user clicking through a warning. 

Quick facts: what you need to know now

  • Successful exploitation will lead to the ability for a threat actor to execute malicious code on the system. 
  • Executed malicious code will lead to post exploitation activity that could include the installation of malware and ransomware attacks.

Next Steps for All Microsoft Windows Customers:

  1. Patch systems to the latest OS version.
  2. Disable ActiveX controls if it is not required for the business.
  3. Ensure users are trained in security and phishing awareness.
  4. If you find any suspicious activity, immediately disable remote access on the device and notify Corvus of a potential claim via (Cyber policyholders) or (Tech E&O policyholders).  We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.

If you have any questions, please reach to the Risk + Response Team at!