Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update
Microsoft’s February 2026 security update addressed 59 vulnerabilities across Windows, Azure, Microsoft Office, and Visual Studio Code, including 5 Critical issues. NSFOCUS reported that six vulnerabilities were already being exploited in the wild, including MSHTML Framework Security Feature Bypass (CVE-2026-21513), Windows Shell Security Feature Bypass (CVE-2026-21510), Microsoft Word Security Feature Bypass (CVE-2026-21514), Desktop Window Manager EoP (CVE-2026-21519), Windows Remote Access Connection Manager DoS (CVE-2026-21525), and Windows Remote Desktop Service EoP (CVE-2026-21533).
Akamai attributed active exploitation of CVE-2026-21513 to APT28, reporting the flaw affects all supported Windows versions and enables a security feature bypass leading to arbitrary file execution (CVSS 8.8). Akamai’s root-cause analysis placed the issue in ieframe.dll, in the _AttemptShellExecuteForHlinkNavigate hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking ShellExecuteExW, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as document.doc.LnK.download) to APT28-associated infrastructure and described use of a crafted .lnk that embeds an HTML file and contacts wellnesscaremed[.]com as part of the exploitation chain prior to Microsoft’s February patch release.
Timeline
Mar 4, 2026
NSFOCUS issues advisory urging prioritization of February exploited CVEs
NSFOCUS CERT published an advisory summarizing Microsoft's February 2026 security updates and highlighted CVE-2026-21513 as one of the in-the-wild exploited vulnerabilities requiring urgent attention. The notice recommended prompt patching and verification of update installation across affected Microsoft products.
Mar 2, 2026
Akamai publishes technical analysis attributing CVE-2026-21513 to APT28
Akamai researchers disclosed technical details of CVE-2026-21513 exploitation, including the root cause in ieframe.dll, the use of nested iframes and multiple DOM contexts, and the bypass of Mark of the Web and Internet Explorer Enhanced Security Configuration. The analysis also described use of PatchDiff-AI and correlation with a malicious sample on VirusTotal tied to APT28 infrastructure.
Feb 11, 2026
CISA adds six February zero-days to KEV catalog
On 2026-02-11, CISA added the six actively exploited vulnerabilities addressed in Microsoft's February Patch Tuesday updates, including CVE-2026-21513, to its Known Exploited Vulnerabilities catalog. The agency ordered Federal Civilian Executive Branch agencies to remediate the flaws by 2026-03-03.
Feb 11, 2026
Microsoft releases February 2026 Patch Tuesday fixes for CVE-2026-21513
On 2026-02-11, Microsoft released its February security updates, patching 59 vulnerabilities across multiple products, including the MSHTML security feature bypass CVE-2026-21513. Microsoft reported CVE-2026-21513 among six vulnerabilities already exploited in the wild and updated hyperlink protocol validation to prevent unsafe execution outside the browser context.
Feb 11, 2026
APT28 exploits MSHTML zero-day CVE-2026-21513 in the wild
A zero-day in Microsoft's MSHTML framework, CVE-2026-21513, was exploited before a patch was available. Akamai attributed the activity to the Russian state-sponsored group APT28, which used a crafted .lnk file and infrastructure including wellnesscaremed[.]com to trigger arbitrary file or code execution and bypass browser security boundaries.
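The delivery chain described in the summary and in this timeline entry (a shortcut named to look like a document, an embedded HTML payload, and a call-out to wellnesscaremed[.]com) can be hunted for in endpoint telemetry. The following is an added defender-side example, not code from the page or from Akamai; the log format, host names and event types are constructed assumptions, and the only page-derived values are the reported domain (refanged) and the document.doc.LnK.download naming pattern.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not from the reporting). Tab-separated:
# timestamp, host, event_type, detail
SAMPLE_LOG = """\
2026-02-10T09:12:01Z\tws01\tfile_create\tC:\\Users\\a\\Downloads\\document.doc.LnK.download
2026-02-10T09:12:05Z\tws01\tfile_create\tC:\\Users\\a\\Downloads\\document.doc.lnk
2026-02-10T09:12:09Z\tws01\tdns_query\twellnesscaremed.com
2026-02-10T09:13:00Z\tws02\tfile_create\tC:\\Users\\b\\Desktop\\report.docx
2026-02-10T09:13:30Z\tws02\tdns_query\tupdate.example.org
"""

# Domain named in the Akamai reporting (page shows it defanged as wellnesscaremed[.]com).
IOC_DOMAINS = {"wellnesscaremed.com"}

# A shortcut whose name imitates a document, e.g. "<name>.doc.lnk", optionally
# still carrying a browser ".download" suffix as in the reported sample name.
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|pdf|xlsx?|pptx?)\.lnk(\.download)?$", re.IGNORECASE)

@dataclass
class Finding:
    host: str
    reason: str
    detail: str

def parse_line(line):
    ts, host, event, detail = line.rstrip("\n").split("\t", 3)
    return ts, host, event, detail

def hunt(log_text):
    """Flag document-masquerading .lnk drops and lookups of the reported domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, event, detail = parse_line(line)
        if event == "file_create" and DOUBLE_EXT_LNK.search(detail):
            findings.append(Finding(host, "document-masquerading .lnk", detail))
        elif event == "dns_query" and detail.lower().rstrip(".") in IOC_DOMAINS:
            findings.append(Finding(host, "contact with reported APT28 domain", detail))
    return findings

def hosts_with_full_chain(findings):
    """Hosts showing both the shortcut drop and the domain lookup, sorted by name."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.reason)
    return sorted(h for h, reasons in by_host.items() if len(reasons) == 2)
```

Either indicator alone is worth triage; a host showing both is the strongest match for the chain described above.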
Related Stories
APT28 Exploitation of MSHTML Zero-Day CVE-2026-21513 via Malicious HTML/LNK Files
Akamai reported that **Russia-linked APT28** likely exploited **CVE-2026-21513** (CVSS **8.8**), a high-severity **MSHTML** security feature bypass, prior to Microsoft’s fix in the **February 2026 Patch Tuesday** release. Microsoft confirmed the vulnerability was exploited as a **zero-day** in real-world attacks and credited **MSTIC**, **MSRC**, the **Office Product Group Security Team**, and **Google Threat Intelligence Group (GTIG)** for reporting it. The issue is described as an Internet Explorer/MSHTML security control bypass that can be triggered when a victim opens a **malicious HTML page** or **LNK (shortcut) file**, potentially enabling code execution by causing content to be handled by Windows shell mechanisms. Technical analysis from Akamai tied the root cause to hyperlink navigation logic in `ieframe.dll`, where insufficient URL validation can allow attacker-controlled input to reach `ShellExecuteExW`, enabling execution outside the browser sandbox. Akamai identified an exploit-related artifact (described as `document.doc.LnK.download`) uploaded to VirusTotal on **January 30, 2026**, and associated it with infrastructure linked to **APT28**; reporting also noted the sample had been flagged by **CERT-UA** in the context of APT28 activity. Overall, the reporting indicates active pre-patch exploitation and reinforces the need to prioritize patching and to monitor for delivery vectors involving HTML and LNK attachments/links consistent with APT28 tradecraft.
1 month ago
Actively Exploited Microsoft MSHTML Framework Zero-Day (CVE-2026-21513)
Microsoft issued an urgent fix for an actively exploited **MSHTML (Trident) security feature bypass** tracked as **CVE-2026-21513** (CVSS **8.8**), which allows attackers to circumvent Windows security prompts and protections without requiring elevated privileges. Reported exploitation relies on **social engineering** to get a user to open specially crafted content—such as malicious HTML or shortcut (`.lnk`) files—delivered via email attachments, links, or downloads; the weakness is described as a **protection mechanism failure** (CWE-693) in how Windows Shell and MSHTML handle embedded content and validation. CISA added **CVE-2026-21513** to the **Known Exploited Vulnerabilities (KEV)** catalog with required action to apply vendor mitigations/patches per Microsoft guidance and a remediation due date of **2026-03-03**, reinforcing that exploitation is occurring and prioritization is warranted. Separate reporting also described other Microsoft zero-days patched in the same timeframe—**Microsoft Word OLE mitigation bypass** (**CVE-2026-21514**) and a **Windows Desktop Window Manager (dwm.exe) privilege escalation** (**CVE-2026-21519**)—but those are distinct vulnerabilities and not part of the MSHTML-specific KEV entry.
1 month ago
Actively exploited Microsoft zero-days patched in February security updates
Microsoft disclosed and patched multiple **actively exploited** vulnerabilities as part of its February security updates, including a Microsoft Word security feature bypass tracked as **CVE-2026-21514**. The Word flaw (CVSS 7.8; CWE-807) allows attackers to bypass **Object Linking and Embedding (OLE)**-related mitigations by abusing how Word makes security decisions based on untrusted inputs; exploitation is described as requiring a crafted document and **user interaction** (e.g., opening a phishing-delivered file) while avoiding typical prompts such as Protected View or “Enable Content” warnings. Microsoft also addressed an in-the-wild exploited Windows **Desktop Window Manager (dwm.exe)** elevation-of-privilege vulnerability, **CVE-2026-21519** (CVSS 7.8), which can allow a **local** attacker to escalate from a standard user context to **SYSTEM**. The February update review also lists additional exploited issues patched in the same release, including security feature bypasses in **Windows Shell (CVE-2026-21510)** and **Internet Explorer (CVE-2026-21513)**, plus other exploited vulnerabilities (e.g., **Windows Remote Desktop Services EoP CVE-2026-21533**), underscoring that defenders should prioritize rapid deployment of the February fixes across affected Windows and Office estates.
1 month ago