{"id":42909,"date":"2021-09-09T00:00:00","date_gmt":"2021-09-09T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html"},"modified":"2021-09-09T00:00:00","modified_gmt":"2021-09-09T00:00:00","slug":"remote-code-execution-0-day-cve-2021-40444-hits-windows-triggered-via-office-docs","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/remote-code-execution-0-day-cve-2021-40444-hits-windows-triggered-via-office-docs\/","title":{"rendered":"Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/windows-zero-day\/Windows-0day-main.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.623104093081\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1129131742\">\n<div class=\"col-xs-12 col-md-12 
one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.3165236051502\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.24678111588\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p class=\"article-details__description\">Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires the user to open the file for it to trigger.<\/p>\n<p class=\"article-details__author-by\">By: Trend Micro <time class=\"article-details__date\">September 09, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"38.327137546468\">\n<div readability=\"23.954460966543\">\n<p>Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-40444\" target=\"_blank\" rel=\"noopener\">CVE-2021-40444<\/a>) is currently delivered via malicious Office 365 documents and requires the user to open the file for it to trigger. 
It should be noted that by default, Office documents downloaded from the internet are opened either in <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653\" target=\"_blank\" rel=\"noopener\">Protected View<\/a> or <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46\" target=\"_blank\" rel=\"noopener\">Application Guard<\/a>, both of which would mitigate this particular attack.<\/p>\n<p>If the attacker <i>is<\/i> able to convince the victim to download the file and bypass any mitigation, it would trigger the vulnerability and cause a malicious file to be downloaded and run on the affected machine. Currently, this vulnerability is used to deliver Cobalt Strike payloads.<\/p>\n<p>Microsoft has issued an official bulletin covering this vulnerability. This blog entry discusses how the exploit may work, as well as Trend Micro solutions.<\/p>\n<p>We have obtained multiple samples of documents that exploit this vulnerability. The documents all contain the following code in the <i>document.xml.rels<\/i> file in their package:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/windows-zero-day\/zero-day-2021-4044-figure1.png\" alt=\"Figure 1. Code with XML relationships\"><figcaption>Figure 1. Code with XML relationships<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Note the presence of a URL (which we have removed) that downloads a file titled <i>side.html<\/i> (SHA-256: d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6). 
This file contained obfuscated JavaScript; the image in Figure 2 shows part of the deobfuscated code.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/windows-zero-day\/zero-day-2021-4044-figure2.png\" alt=\"Figure 2. Deobfuscated JavaScript code\"><figcaption>Figure 2. Deobfuscated JavaScript code<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Several actions can be seen in this code: it downloads a .CAB file, extracts a .DLL file from the said .CAB file, and uses path traversal attacks to run the file (which is named <i>championship.inf<\/i>).<\/p>\n<p>Eventually, this leads to the execution of the <i>championship.inf<\/i> file, as seen below:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/windows-zero-day\/zero-day-2021-4044-figure3.png\" alt=\"Figure 3. Properties for execution of payload\"><figcaption>Figure 3. Properties for execution of payload<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.938388625592\">\n<div class=\"responsive-table-wrap\" readability=\"19.39336492891\">\n<p>This payload is a Cobalt Strike beacon (SHA-256: 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b), which we detect as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Backdoor.Win64.COBEACON.OSLJAU\" target=\"_blank\" rel=\"noopener\">Backdoor.Win64.COBEACON.OSLJAU<\/a>. As is typically the case with Cobalt Strike, this could allow an attacker to take control of the affected system. 
The malicious Office files are detected as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/trojan.w97m.cve202140444.a\" target=\"_blank\" rel=\"noopener\">Trojan.W97M.CVE202140444.A<\/a>, with the malicious .CAB file detected as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Trojan.Win64.COBEACON.SUZ\" target=\"_blank\" rel=\"noopener\">Trojan.Win64.COBEACON.SUZ<\/a>.<\/p>\n<p>As we noted earlier, Microsoft has yet to release an official patch. We reiterate our long-standing advice to avoid opening files from unexpected sources, which could considerably lower the risk of this threat as it requires the user to actually open the malicious file.<\/p>\n<p>We will update this post as necessary if more information becomes available. Updates on Trend Micro solutions can be found on this <a href=\"https:\/\/success.trendmicro.com\/solution\/000288999\" target=\"_blank\" rel=\"noopener\">knowledge base page<\/a>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"12\">\n<tr>\n<td><b>SHA-256<\/b><\/td>\n<td><b>File Description<\/b><\/td>\n<td><b>Detection Name<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00<\/td>\n<td>Payload (CAB)<\/td>\n<td>Trojan.Win64.COBEACON.SUZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185<\/td>\n<td rowspan=\"6\">Exploited Doc<\/td>\n<td rowspan=\"6\">Trojan.W97M.CVE202140444.A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td>938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>a5f55361eff96ff070818640d417d2c822f9ae1cdd7e8fa0db943f37f6494db9<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b<\/td>\n<td>Payload (DLL)<\/td>\n<td>Backdoor.Win64.COBEACON.OSLJAU<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6<\/td>\n<td>Downloaded JS<\/td>\n<td>Trojan.JS.TIVEX.A<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"15\">\n<tr>\n<td><b>URL<\/b><\/td>\n<td><b>Category<\/b><\/td>\n<\/tr>\n<tr>\n<td>hxxp:\/\/hidusi[.]com\/<\/td>\n<td rowspan=\"5\">Malware Accomplice<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/hidusi[.]com\/e273caf2ca371919\/mountain[.]html<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/hidusi[.]com\/94cc140dcee6068a\/help[.]html<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/hidusi[.]com\/e8c76295a5f9acb7\/side[.]html<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/hidusi[.]com\/e8c76295a5f9acb7\/ministry[.]cab<\/td>\n<\/tr>\n<tr>\n<td>hxxps:\/\/joxinu[.]com<\/td>\n<td rowspan=\"5\">C&amp;C Server<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps:\/\/joxinu[.]com\/hr[.]html<\/td>\n<\/tr>\n<tr>\n<td>hxxps:\/\/dodefoh[.]com<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps:\/\/dodefoh[.]com\/ml[.]html<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/pawevi[.]com\/e32c8df2cf6b7a16\/specify.html<\/td>\n<\/tr>\n<tr>\n<td>hxxp:\/\/sagoge[.]com\/\u202f<\/td>\n<td rowspan=\"11\">Malware Accomplice<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td>hxxps:\/\/comecal[.]com\/<\/td>\n<\/tr>\n<tr>\n<td>hxxps:\/\/rexagi[.]com\/<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/sagoge[.]com\/get_load<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps:\/\/comecal[.]com\/static-directory\/templates[.]gif<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps:\/\/comecal[.]com\/ml[.]js?restart=false<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps:\/\/comecal[.]com\/avatars<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps:\/\/rexagi[.]com:443\/avatars<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps:\/\/rexagi[.]com\/ml[.]js?restart=false<\/td>\n<\/tr>\n<tr>\n<td>hxxps:\/\/macuwuf[.]com<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps:\/\/macuwuf[.]com\/get_load<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires the user to open the file for it to trigger. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42910,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9555,9509],"class_list":["post-42909","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-research"]}