What is Microsoft Office Access Connectivity Engine?
The Microsoft Office Access Connectivity Engine (ACE), also known as the Microsoft Access Database Engine, is a database driver built into Microsoft Office that provides support for reading and writing Microsoft Access database formats (.mdb, .accdb, .mde, .accde) and other tabular file formats. ACE is used by Microsoft Access, Excel (for importing external data), and other Office applications. ACE processes complex binary file formats that are routinely sent to users via email or file sharing as a normal part of Office workflows. Because ACE is a file-parsing component that handles attacker-controlled binary data, a vulnerability in its parsing code can be triggered simply by opening a malicious database file in any application that uses the ACE driver.
Overview
CVE-2021-38646 is a remote code execution vulnerability in the Microsoft Office Access Connectivity Engine, patched in the September 2021 Patch Tuesday release. When a user opens a specially crafted file processed by the ACE database driver (such as a malicious .mdb or .accdb file), an unspecified vulnerability in ACE's parsing code allows arbitrary code execution in the context of the Office application process. The local attack vector (AV:L) reflects that the malicious file must be present on the local system before it is opened; in practice it is delivered via phishing email, malicious download, or shared drives. CISA added this CVE to the KEV catalog in March 2022, confirming post-patch exploitation in ransomware campaigns.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Microsoft Access 2013 | Yes | September 2021 update |
| Microsoft Access 2016 | Yes | September 2021 update |
| Microsoft Access 2019 | Yes | September 2021 update |
| Microsoft 365 Apps for Enterprise | Yes | September 2021 update |
| Microsoft Office LTSC 2021 | Yes | September 2021 update |
Technical Details
- Root cause: An unspecified vulnerability in the Microsoft Access Connectivity Engine (ACE) file parsing code — ACE vulnerabilities typically involve memory corruption (buffer overflow, use-after-free, or type confusion) when processing malformed binary structures in .mdb/.accdb database files
- Attack vector: Local (AV:L) with no privileges required and user interaction required (PR:N/UI:R) — the victim must open a malicious database file, typically delivered via phishing email or a malicious file share link
- Code execution context: Arbitrary code executes in the context of the application that opened the file (e.g., Microsoft Access, Excel), typically running as the logged-in user. In enterprise environments, this is sufficient for credential harvesting, lateral movement tool installation, and ransomware staging
- File delivery: Malicious .mdb, .accdb, or other ACE-parseable files can be sent via email attachments, web downloads, SharePoint links, or embedded in phishing lures disguised as business forms, data exports, or templates
- Ransomware use: The March 2022 CISA KEV entry, which flags known ransomware use, indicates that ransomware operators exploited this vulnerability post-patch against organizations that had not applied the September 2021 Office update
Discovery
Reported to Microsoft and patched in the September 2021 Patch Tuesday release. The six-month gap between the patch (September 2021) and the CISA KEV addition (March 2022) reflects post-patch exploitation in enterprise environments with a slow Office patch cadence.
Exploitation Context
Office document-based malware delivery is the dominant initial access vector for ransomware and corporate espionage campaigns. The ACE driver processes files that are commonly shared in business workflows — database exports, data analysis files, and business forms — making it a plausible delivery format for targeted phishing. A ransomware operator who compromised an organization's email system or supplier relationship could deliver a malicious Access database file in a context where the victim would naturally open it. The ransomwareUse flag confirms post-patch exploitation in ransomware intrusions throughout late 2021 and early 2022.
Remediation
- Apply the September 2021 Office security update for your Office version via Microsoft Update or Office automatic updates
- Enable Microsoft 365 Apps automatic updates: File → Account → Update Options → Enable Updates
- Configure Microsoft Defender for Office 365 Safe Attachments to detonate Office files (including .mdb and .accdb) in a sandboxed environment before delivery to users
- Deploy Attack Surface Reduction (ASR) rules to prevent Office applications from spawning child processes or making Win32 API calls
- Restrict or monitor Access database files (.mdb, .accdb) at the email gateway — these file types are rarely legitimately sent via email and should be blocked or quarantined by default
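The gateway control in the last step depends on recognising Access database files reliably. The following added example (not from the original page, and not Microsoft or gateway-vendor code) classifies attachments by the Jet/ACE file header, 00 01 00 00 followed by a NUL-terminated engine tag at offset 4, rather than by extension, so a database that has been renamed to a harmless-looking extension is still quarantined; the sample attachments are constructed headers, not real databases.

```python
from dataclasses import dataclass
from typing import Optional

# Jet/ACE database files begin with 00 01 00 00 followed by a NUL-terminated
# engine tag at offset 4; the tag, not the extension, identifies the engine.
MAGIC_PREFIX = b"\x00\x01\x00\x00"
ENGINE_TAGS = {
    b"Standard Jet DB\x00": "Jet (.mdb)",
    b"Standard ACE DB\x00": "ACE (.accdb)",
}
# Extensions the page lists as ACE-parseable; used to spot extension/content mismatches.
ACCESS_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde"}

@dataclass
class Verdict:
    filename: str
    engine: Optional[str]       # None when the bytes are not a Jet/ACE database
    extension_mismatch: bool    # name and content disagree about being a database
    action: str                 # "quarantine" or "allow"

def detect_access_db(data: bytes) -> Optional[str]:
    """Return the engine family if the bytes carry a Jet/ACE header, else None."""
    if not data.startswith(MAGIC_PREFIX):
        return None
    for tag, engine in ENGINE_TAGS.items():
        if data[4:4 + len(tag)] == tag:
            return engine
    return None

def classify_attachment(filename: str, data: bytes) -> Verdict:
    """Quarantine anything that is a database by content, whatever its name, and anything
    that claims an Access extension; flag the cases where name and content disagree."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    engine = detect_access_db(data)
    claims_access = ext in ACCESS_EXTENSIONS
    mismatch = (engine is not None) != claims_access
    action = "quarantine" if engine is not None or claims_access else "allow"
    return Verdict(filename, engine, mismatch, action)

# Constructed sample attachments: only the header bytes matter for this check.
SAMPLES = {
    "export.accdb": MAGIC_PREFIX + b"Standard ACE DB\x00" + b"\x00" * 32,
    "orders.mdb":   MAGIC_PREFIX + b"Standard Jet DB\x00" + b"\x00" * 32,
    "report.dat":   MAGIC_PREFIX + b"Standard ACE DB\x00" + b"\x00" * 32,
    "notes.txt":    b"Quarterly figures attached.\n",
}
if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(classify_attachment(name, blob))
```

In a real gateway the same check would run over every MIME part and over members of archive attachments, since extension-only rules miss both cases.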
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-38646 |
| Vendor / Product | Microsoft — Office |
| NVD Published | 2021-09-15 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2022-03-28 |
| CISA KEV Deadline | 2022-04-18 |
| Known Ransomware Use | ⚠️ Yes |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Timeline
| Date | Event |
|---|---|
| 2021-09-14 | Microsoft patches CVE-2021-38646 in September 2021 Patch Tuesday |
| 2021-09-15 | CVE published |
| 2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog — six months after patch, confirming post-patch exploitation in ransomware campaigns |
| 2022-04-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2021-38646 | Vendor Advisory |
| NVD — CVE-2021-38646 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |