What is the Windows MSHTML Platform OLE/COM Security Feature?
MSHTML (Trident) is the Windows HTML rendering engine, historically used by Internet Explorer and still present as a system component. Modern versions of Windows include OLE (Object Linking and Embedding) security controls that are designed to restrict how embedded objects in documents — such as ActiveX controls, COM objects, and media files — are loaded and executed. These mitigations were introduced to block document-based phishing attacks that deliver malicious OLE objects, requiring user warnings before content from the internet is rendered in Office or MSHTML contexts. CVE-2024-30040 bypasses these OLE object protections in Microsoft 365 and Office.
Overview
CVE-2024-30040 is a zero-day security feature bypass in the Windows MSHTML Platform that defeats the OLE mitigations in Microsoft 365 and Office 2019/2021, allowing a malicious document to execute code when a victim opens it, without displaying the security warnings that would normally prompt the user. Microsoft released the fix on May 14, 2024 (May Patch Tuesday), and CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day, confirming active exploitation in spear-phishing campaigns.
Affected Versions
| Product | Status |
|---|---|
| Microsoft 365 Apps for Enterprise | Patched May 2024 Patch Tuesday |
| Microsoft Office 2019 | Patched May 2024 Patch Tuesday |
| Microsoft Office LTSC 2021 | Patched May 2024 Patch Tuesday |
| Windows 10/11 (MSHTML component) | Patched May 2024 Patch Tuesday |
Technical Details
The weakness is classified as CWE-20 (Improper Input Validation). The bypass stems from a failure to properly validate or enforce access restrictions on OLE/COM object instantiation in certain document processing contexts. When a user opens a malicious Office or HTML document, MSHTML processes the embedded OLE content without applying the expected security checks: either the check is skipped entirely, or the object is not blocked on the basis of its origin or type. The result is silent execution of embedded OLE objects (such as custom ActiveX controls or COM automation objects) that Protected View or the OLE security warnings would normally block.
Once an OLE object executes without warnings, an attacker can download and execute additional payloads, establish persistence, exfiltrate data, and move laterally, all with the privileges of the user who opened the document and without any security prompt that might alert the victim or allow them to cancel.
The CVSS score of 8.8 with User Interaction Required (UI:R) reflects that the victim must open the document, but no authentication is required and the attack complexity is Low once the victim is engaged via phishing.
Discovery
Confirmed as a zero-day by Microsoft's Patch Tuesday disclosure and the same-day CISA KEV addition. No specific researcher attribution was included at disclosure, consistent with the exploitation having been discovered through incident response rather than a bug bounty submission.
Exploitation Context
OLE/COM security feature bypass zero-days are a staple of APT and cybercrime phishing campaigns because they eliminate the security warnings that user awareness training teaches employees to recognize. When the "click here, click Enable, click Run" prompt is removed, document-based code execution becomes a single-click attack. This is the primary initial-access delivery mechanism in targeted spear-phishing operations against enterprise, government, and defense contractor targets. The same-day Patch Tuesday fix and CISA KEV addition indicate that attackers were exploiting the bypass in the wild before Microsoft had identified it internally.
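The post-exploitation behaviour described above (an Office process launching a shell, script host or LOLBin to fetch and run a payload) is what endpoint telemetry can catch even when the document itself raised no prompt. The following PowerShell is an added detection example, not code from the advisory or from Microsoft: it runs a parent/child process check over a handful of constructed Sysmon Event ID 1 style records (the user names, hosts, paths and command lines are made up). The field names (ParentImage, Image, CommandLine, User, UtcTime) match Sysmon's process-creation event, so the same function can be fed from Get-WinEvent in production.

```powershell
# Added example (not part of the advisory): flag Office applications spawning
# shells, script hosts or other living-off-the-land binaries. The sample records
# are constructed; in production, build them from
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' (Event ID 1),
# or from Security event 4688 with command-line auditing enabled.

$OfficeParents      = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                      'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'

function Find-OfficeSpawnedProcess {
    # Returns one object per event in which an Office parent started a child on the watch list.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName($e.ParentImage)
        $child  = [System.IO.Path]::GetFileName($e.Image)
        if (($OfficeParents -contains $parent.ToUpperInvariant()) -and
            ($SuspiciousChildren -contains $child.ToLowerInvariant())) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                User        = $e.User
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample telemetry (users, paths and command lines are made up).
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2024-05-15 09:12:01'; User = 'CORP\jdoe';   ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\System32\cmd.exe';                                CommandLine = 'cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\inv.bat' }
    [pscustomobject]@{ UtcTime = '2024-05-15 09:12:03'; User = 'CORP\jdoe';   ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\splwow64.exe';                                   CommandLine = 'splwow64.exe' }
    [pscustomobject]@{ UtcTime = '2024-05-15 09:14:40'; User = 'CORP\asmith'; ParentImage = 'C:\Windows\explorer.exe';                                      Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -File C:\scripts\backup.ps1' }
    [pscustomobject]@{ UtcTime = '2024-05-15 09:15:12'; User = 'CORP\asmith'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE';   Image = 'C:\Windows\System32\mshta.exe';                              CommandLine = 'mshta.exe C:\Users\asmith\AppData\Local\Temp\open.hta' }
)

Find-OfficeSpawnedProcess -Events $SampleEvents | Format-Table -AutoSize
```

Run as-is, the block reports the two Office-parented records (cmd.exe under WINWORD.EXE and mshta.exe under EXCEL.EXE) and ignores the print-spooler helper and the PowerShell launched from Explorer. The watch list is intentionally narrow; broaden it to your environment's baseline, and treat a hit as a triage trigger rather than proof of CVE-2024-30040 specifically, since any document-based initial access produces the same parent/child shape.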
Remediation
- Apply the May 2024 Microsoft security updates (Patch Tuesday, May 14, 2024) to all Windows systems and Office/Microsoft 365 installations.
- Enable and enforce Protected View for files from the internet and email attachments in Office Group Policy — even after patching, Protected View provides defense-in-depth against future document-based exploits.
- Configure Attack Surface Reduction (ASR) rules, particularly rules that block Office applications from creating child processes and block Office from injecting code into other processes.
- Deploy Microsoft Defender Application Guard for Office to open untrusted documents in an isolated container environment.
- Train users to be suspicious of any Office document that prompts for elevated permissions or displays unexpected security dialogs when opened.
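The second, third and fourth remediation items are endpoint settings that can be audited and enforced centrally. The PowerShell below is an added example, not the advisory's or Microsoft's own code: it reports the state of the two ASR rules named above (using their published Microsoft rule GUIDs), checks whether Protected View is still active for internet files, Outlook attachments and unsafe locations in Word, Excel and PowerPoint, and can switch both to the hardened state. It assumes a Windows host with Microsoft Defender Antivirus (for Get-MpPreference / Add-MpPreference) and Office 2016 or later, which all use the 16.0 registry hive, including Microsoft 365, Office 2019 and LTSC 2021.

```powershell
# Added example (not part of the advisory): audit, and optionally enforce, the
# document-hardening controls listed under Remediation. Run in an elevated
# PowerShell session; the Defender cmdlets ship with Windows.

# Microsoft's published GUIDs for the two ASR rules named in the remediation list.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}

function Get-AsrRuleState {
    # Defender stores rule IDs and actions as two parallel arrays; the same index
    # refers to the same rule, so look the GUID up in one and read the other.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode'; 6 = 'Warn' }
    foreach ($id in $AsrRules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) { $state = $names[[int]$actions[$i]]; break }
        }
        [pscustomobject]@{ RuleId = $id; Rule = $AsrRules[$id]; State = $state }
    }
}

function Enable-AsrRules {
    # Puts both rules in block mode. Use -AttackSurfaceReductionRules_Actions AuditMode
    # first if you need to measure the impact on line-of-business add-ins.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Protected View is controlled per application by three DWORD values. A value of 1
# DISABLES that trigger, so 0 (or no value at all) means Protected View is active.
# 'DisableAttachementsInPV' is Microsoft's actual spelling of the value name.
$PvApps   = 'Word', 'Excel', 'PowerPoint'
$PvValues = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'

function Get-ProtectedViewState {
    # The policy hive (HKCU\Software\Policies) overrides the user's Trust Center
    # setting (HKCU\Software); check them in that order and fall back to the default.
    foreach ($app in $PvApps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"
        $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView"
        foreach ($name in $PvValues) {
            $source = 'Default'; $value = 0
            foreach ($key in $policyKey, $userKey) {
                if (Test-Path $key) {
                    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                    if ($null -ne $item) { $value = [int]$item.$name; $source = $key; break }
                }
            }
            [pscustomobject]@{ App = $app; Setting = $name; Value = $value; Source = $source; ProtectedViewActive = ($value -ne 1) }
        }
    }
}

function Set-ProtectedViewPolicy {
    # Writes the policy values to 0 so a user cannot switch Protected View off in the Trust Center.
    foreach ($app in $PvApps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"
        New-Item -Path $policyKey -Force | Out-Null
        foreach ($name in $PvValues) {
            Set-ItemProperty -Path $policyKey -Name $name -Value 0 -Type DWord
        }
    }
}

# Audit first; uncomment the last two lines to enforce.
Get-AsrRuleState       | Format-Table -AutoSize
Get-ProtectedViewState | Where-Object { -not $_.ProtectedViewActive } | Format-Table -AutoSize
# Enable-AsrRules
# Set-ProtectedViewPolicy
```

The Protected View check only prints rows where a trigger has been disabled, so an empty second table is the healthy result. Writing the policy keys under HKCU affects the current user; for fleet-wide enforcement, push the same values through the Office ADMX templates or Intune rather than per-user scripts, and roll the ASR rules out in audit mode before switching to block.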
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-30040 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2024-05-14 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-20 |
| CISA KEV Added | 2024-05-14 |
| CISA KEV Deadline | 2024-06-04 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-05-14 | Microsoft releases May 2024 Patch Tuesday patching CVE-2024-30040; CISA adds to KEV the same day — confirming zero-day exploitation |
| 2024-06-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2024-30040 | Vendor Advisory |
| NVD — CVE-2024-30040 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |