Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses Microsoft’s September 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-964 on Wednesday, September 15th.

In-The-Wild & Disclosed CVEs


This CVE describes a publicly exploited vulnerability in MSHTML that provides user level access upon successful exploitation. According to Microsoft, a malicious ActiveX control embedded in an Office document could be used to exploit this vulnerability. Attacks have been seen in the wild and Microsoft has included signatures in Microsoft Defender to detect and protect against the known attacks.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.


A local vulnerability in Windows DNS could allow for privilege escalation. The vulnerability only impacts Windows 7 and Server 2008 / Server 2008 R2. The vulnerability has been disclosed but it has not yet been exploited publicly. 

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.

  • Traditional Software
  • Mobile Software
  • Cloud or Cloud Adjacent
  • Vulnerabilities that are being exploited or that have been disclosed will be bold.
TagCVE CountCVEs
Microsoft Edge for Android1CVE-2021-26439
Windows BitLocker1CVE-2021-38632
Microsoft Office Word1CVE-2021-38656
Windows Key Storage Provider1CVE-2021-38624
Windows Installer2CVE-2021-36961, CVE-2021-36962
Visual Studio3CVE-2021-36952, CVE-2021-26437, CVE-2021-26434
Windows Common Log File System Driver3CVE-2021-36955, CVE-2021-36963, CVE-2021-38633
Azure Open Management Infrastructure4CVE-2021-38645, CVE-2021-38647, CVE-2021-38648, CVE-2021-38649
Microsoft Office SharePoint2CVE-2021-38651, CVE-2021-38652
Windows Authenticode1CVE-2021-36959
Microsoft Windows Codecs Library1CVE-2021-38661
Windows Redirected Drive Buffering4CVE-2021-36969, CVE-2021-36973, CVE-2021-38635, CVE-2021-38636
Microsoft Accessibility Insights for Android1CVE-2021-40448
Microsoft Office Visio2CVE-2021-38653, CVE-2021-38654
Microsoft Office Excel2CVE-2021-38655, CVE-2021-38660
Dynamics Business Central Control1CVE-2021-40440
Windows Ancillary Function Driver for WinSock2CVE-2021-38628, CVE-2021-38638
Windows Event Tracing2CVE-2021-36964, CVE-2021-38630
Windows Kernel2CVE-2021-38625, CVE-2021-38626
Windows TDX.sys1CVE-2021-38629
Microsoft Office4CVE-2021-38650, CVE-2021-38657, CVE-2021-38658, CVE-2021-38659
Windows Bind Filter Driver1CVE-2021-36954
Azure Sphere1CVE-2021-36956
Windows Subsystem for Linux1CVE-2021-36966
Windows MSHTML Platform1CVE-2021-40444
Windows Scripting1CVE-2021-26435
Windows Win32K2CVE-2021-36975, CVE-2021-38639
Microsoft Office Access1CVE-2021-38646
Windows Print Spooler Components3CVE-2021-38667, CVE-2021-38671, CVE-2021-40447
Microsoft Windows DNS1CVE-2021-36968
Microsoft MPEG-2 Video Extension1CVE-2021-38644
Windows Storage1CVE-2021-38637
Windows WLAN Service1CVE-2021-36967
Microsoft Edge (Chromium-based)25CVE-2021-26436, CVE-2021-38641, CVE-2021-38642, CVE-2021-38669, CVE-2021-36930, CVE-2021-30606, CVE-2021-30607, CVE-2021-30608, CVE-2021-30609, CVE-2021-30610, CVE-2021-30611, CVE-2021-30612, CVE-2021-30613, CVE-2021-30614, CVE-2021-30615, CVE-2021-30616, CVE-2021-30617, CVE-2021-30618, CVE-2021-30619, CVE-2021-30620, CVE-2021-30621, CVE-2021-30622, CVE-2021-30623, CVE-2021-30624, CVE-2021-30632
Windows WLAN Auto Config Service1CVE-2021-36965
Windows SMB3CVE-2021-36960, CVE-2021-36972, CVE-2021-36974
Windows Update1CVE-2021-38634

Other Information

There were no additional advisories included with the September Security Guidance.