CVE-2021-38646

Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability

CVSS 7.8 HIGHEPSS 4.0%● KEV

In short

A vulnerability in Microsoft Office's Access Connectivity Engine allows an attacker to execute malicious code on a computer by tricking a user into opening a specially crafted file. This can lead to complete system compromise.

Technical detail

The vulnerability exists in the Access Connectivity Engine component when processing malformed database files or queries. An attacker can craft a malicious Office document that triggers unsafe code execution during file parsing, bypassing security boundaries and achieving arbitrary code execution in the user's security context.

Summary generated and translated by AI from the official description.

Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Affected products

Microsoft · Microsoft 365 Apps for Enterprise Microsoft · Microsoft Office 2013 Service Pack 1 Microsoft · Microsoft Office 2016 Microsoft · Microsoft Office 2019

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38646 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38646