CVE-2021-38646
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
Vexday Risk Score
51Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.8EPSS 4.0%KEV simPoC —Nuclei —Metasploit —Patch —
Lifecycle
15 Sep 2021Published on NVD
28 Mar 2022Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A vulnerability in Microsoft Office's Access Connectivity Engine allows an attacker to execute malicious code on a computer by tricking a user into opening a specially crafted file. This can lead to complete system compromise.
Technical detail
The vulnerability exists in the Access Connectivity Engine component when processing malformed database files or queries. An attacker can craft a malicious Office document that triggers unsafe code execution during file parsing, bypassing security boundaries and achieving arbitrary code execution in the user's security context.
Summary generated and translated by AI from the official description.
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C