Mallory

APT28 Exploitation of MSHTML Zero-Day CVE-2026-21513 via Malicious HTML/LNK Files

Tags: actively-exploited-vulnerability, endpoint-software-vulnerability, state-sponsored-espionage, initial-access-method, widely-deployed-product-advisory
Updated March 28, 2026 at 02:03 PM (4 sources)

Akamai reported that Russia-linked APT28 likely exploited CVE-2026-21513 (CVSS 8.8), a high-severity MSHTML security feature bypass, prior to Microsoft’s fix in the February 2026 Patch Tuesday release. Microsoft confirmed the vulnerability was exploited as a zero-day in real-world attacks and credited MSTIC, MSRC, the Office Product Group Security Team, and Google Threat Intelligence Group (GTIG) for reporting it. The issue is described as an Internet Explorer/MSHTML security control bypass that can be triggered when a victim opens a malicious HTML page or LNK (shortcut) file, potentially enabling code execution by causing content to be handled by Windows shell mechanisms.

Technical analysis from Akamai tied the root cause to hyperlink navigation logic in ieframe.dll, where insufficient URL validation can allow attacker-controlled input to reach ShellExecuteExW, enabling execution outside the browser sandbox. Akamai identified an exploit-related artifact (described as document.doc.LnK.download) uploaded to VirusTotal on January 30, 2026, and associated it with infrastructure linked to APT28; reporting also noted the sample had been flagged by CERT-UA in the context of APT28 activity. Overall, the reporting indicates active pre-patch exploitation and reinforces the need to prioritize patching and to monitor for delivery vectors involving HTML and LNK attachments/links consistent with APT28 tradecraft.

Timeline

  1. Mar 2, 2026

    Akamai links MSHTML zero-day exploitation to APT28

    Akamai reported that Russia-linked APT28 likely exploited CVE-2026-21513 before Microsoft's patch, based on analysis of the January sample and related infrastructure. The researchers also disclosed technical details showing insufficient URL validation in ieframe.dll could bypass Mark-of-the-Web and Internet Explorer Enhanced Security Configuration, allowing execution outside the browser sandbox.

  2. Feb 10, 2026

    Microsoft patches CVE-2026-21513 in February Patch Tuesday

    Microsoft fixed CVE-2026-21513, a high-severity MSHTML security feature bypass flaw, in its February 2026 Patch Tuesday updates. The company said the vulnerability had been exploited as a zero-day in real-world attacks and credited MSTIC, MSRC, the Office security team, and Google GTIG for reporting it.

  3. Jan 30, 2026

    Exploit sample for CVE-2026-21513 uploaded to VirusTotal

    A malicious sample later tied to exploitation of CVE-2026-21513 was uploaded to VirusTotal on 2026-01-30. Akamai linked the artifact, including communication with wellnesscaremed[.]com, to infrastructure associated with APT28.

Related Stories

Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update

Microsoft’s February 2026 security update addressed **59 vulnerabilities** across Windows, Azure, Microsoft Office, and Visual Studio Code, including **5 Critical** issues. NSFOCUS reported that **six vulnerabilities were already being exploited in the wild**, including **MSHTML Framework Security Feature Bypass (CVE-2026-21513)**, **Windows Shell Security Feature Bypass (CVE-2026-21510)**, **Microsoft Word Security Feature Bypass (CVE-2026-21514)**, **Desktop Window Manager EoP (CVE-2026-21519)**, **Windows Remote Access Connection Manager DoS (CVE-2026-21525)**, and **Windows Remote Desktop Service EoP (CVE-2026-21533)**. Akamai attributed active exploitation of **CVE-2026-21513** to **APT28**, reporting the flaw affects all supported Windows versions and enables a **security feature bypass leading to arbitrary file execution** (CVSS **8.8**). Akamai’s root-cause analysis placed the issue in `ieframe.dll`, in the `_AttemptShellExecuteForHlinkNavigate` hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking `ShellExecuteExW`, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as `document.doc.LnK.download`) to APT28-associated infrastructure and described use of a crafted **`.lnk`** that embeds an HTML file and contacts **`wellnesscaremed[.]com`** as part of the exploitation chain prior to Microsoft’s February patch release.

1 month ago
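The delivery vector that the summary above and this related story describe (a shortcut file carrying an HTML document, named with a document-style double extension such as `document.doc.LnK`) is something a mail gateway or endpoint pipeline can triage before a user ever opens it. The following is an added example written for this page, not code from Mallory, Akamai or Microsoft. It implements a minimal parser for the Windows Shell Link (MS-SHLLINK) layout (header, StringData, ExtraData) and flags three traits the reporting mentions: the double extension, a shortcut target that resolves to an HTML file, and HTML markup carried inside the shortcut file. It assumes the embedded HTML is appended after the shortcut's terminal ExtraData block (the reporting does not say how the real sample embeds it), and the sample shortcut it builds is constructed for the demonstration, not the real artifact.

```python
"""Triage of Windows shortcut (.lnk) attachments for the HTML/LNK delivery
traits described in the CVE-2026-21513 reporting.  Added example for this
page; not code from Mallory, Akamai or Microsoft.  Layout follows the
MS-SHLLINK header / StringData / ExtraData structure."""
import re
import struct

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Heuristics: document-style double extension, a target that resolves to an
# HTML file, and HTML markup riding inside the shortcut file itself.
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|txt|jpe?g|png)\.lnk$", re.IGNORECASE)
HTML_TARGET = re.compile(r"\.html?\b", re.IGNORECASE)
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script|<iframe", re.IGNORECASE)


def parse_lnk(data):
    """Return (link_flags, string_data_dict, offset just past the ExtraData)."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # u16 size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, name in STRING_FIELDS:              # u16 char count, then the chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    while pos + 4 <= len(data):                  # ExtraData blocks, u32 size each
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size           # size < 4 is the terminal block
        if size < 4:
            break
    return flags, strings, pos


def triage_lnk(filename, data):
    """Flag the traits a gateway would alert on.  Bytes past the link structure
    are measured because that is where this example assumes an embedded HTML
    payload would sit."""
    _, strings, end = parse_lnk(data)
    target = " ".join(strings.get(k, "") for k in ("relative_path", "arguments", "working_dir"))
    trailing = data[end:]
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("double_extension")
    if HTML_TARGET.search(target):
        findings.append("target_references_html")
    if HTML_MARKERS.search(trailing):
        findings.append("embedded_html")
    return {"file": filename, "target": target.strip(),
            "trailing_bytes": len(trailing), "findings": findings}


def _string_field(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk(relative_path, embedded_html=b""):
    """Constructed sample shortcut for the demonstration; not the real artifact."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    terminal_block = struct.pack("<I", 0)
    return header + _string_field(relative_path) + terminal_block + embedded_html


if __name__ == "__main__":
    decoy = b"<!DOCTYPE html><html><body>constructed decoy page</body></html>"
    for name, blob in (("document.doc.LnK", build_sample_lnk(".\\document.doc.html", decoy)),
                       ("notes.lnk", build_sample_lnk(".\\notes.txt"))):
        print(triage_lnk(name, blob))
```

In a real pipeline the three findings would feed a scoring rule rather than a hard block, since legitimate shortcuts to local HTML help files exist; the double extension plus trailing HTML bytes together is the combination worth escalating, and the parser's strict header check means a file with a `.lnk` name that is not a Shell Link at all is itself an anomaly worth a second look.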
Actively Exploited Microsoft MSHTML Framework Zero-Day (CVE-2026-21513)

Microsoft issued an urgent fix for an actively exploited **MSHTML (Trident) security feature bypass** tracked as **CVE-2026-21513** (CVSS **8.8**), which allows attackers to circumvent Windows security prompts and protections without requiring elevated privileges. Reported exploitation relies on **social engineering** to get a user to open specially crafted content—such as malicious HTML or shortcut (`.lnk`) files—delivered via email attachments, links, or downloads; the weakness is described as a **protection mechanism failure** (CWE-693) in how Windows Shell and MSHTML handle embedded content and validation. CISA added **CVE-2026-21513** to the **Known Exploited Vulnerabilities (KEV)** catalog with required action to apply vendor mitigations/patches per Microsoft guidance and a remediation due date of **2026-03-03**, reinforcing that exploitation is occurring and prioritization is warranted. Separate reporting also described other Microsoft zero-days patched in the same timeframe—**Microsoft Word OLE mitigation bypass** (**CVE-2026-21514**) and a **Windows Desktop Window Manager (dwm.exe) privilege escalation** (**CVE-2026-21519**)—but those are distinct vulnerabilities and not part of the MSHTML-specific KEV entry.

1 month ago
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets

Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.

3 days ago