
APT28 Exploited CVE-2026-21513 MSHTML 0-Day Before Feb 2026 Patch Tuesday

Ravie Lakshmanan, Mar 02, 2026, Vulnerability / Threat Intelligence

A newly disclosed security flaw patched by Microsoft may have been exploited by a Russian state-sponsored threat actor known as APT28, according to new findings from Akamai.

The vulnerability in question is CVE-2026-21513 (CVSS score: 8.8), a high-severity security feature bypass affecting the MSHTML Framework.

“A security failure in the MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network,” Microsoft notes in its advisory about the flaw. It was fixed by the Windows maker as part of its February 2026 Patch Tuesday update.

However, the technology giant also noted that the vulnerability had been exploited as a zero-day in real-world attacks, crediting the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and the Office Product Group Security Team, as well as the Google Threat Intelligence Group (GTIG), for reporting it.

In a hypothetical attack scenario, a threat actor could exploit the vulnerability by persuading the victim to open a malicious HTML file or shortcut file (LNK) delivered via a link or as an email attachment.

Once the crafted file is opened, it abuses browser and Windows Shell handling so that its content is consumed by the application, Microsoft noted. This, in turn, allows an attacker to bypass security features and achieve code execution.

Although the company has not officially shared any details about the zero-day exploit attempt, Akamai said it identified a malicious artifact that was uploaded to VirusTotal on January 30, 2026, and is associated with infrastructure connected to APT28.

It is worth noting that the sample was flagged by the Computer Emergency Response Team of Ukraine (CERT-UA) at the beginning of last month in connection with an APT28 attack exploiting another security flaw in Microsoft Office (CVE-2026-21509, CVSS score: 7.8).

The web infrastructure company said that CVE-2026-21513 stems from logic inside "ieframe.dll" that handles link navigation, and that it is the result of insufficient validation of the target URL, allowing attacker-controlled input to reach code paths that invoke ShellExecuteExW. This, in turn, enables the use of local or remote resources outside the intended security context of the browser.

“This payload includes a specially designed Windows Shortcut (LNK) that embeds an HTML file immediately after the standard LNK structure,” said security researcher Maor Dahan. “The LNK file starts connecting to a well-maintained domain[.]com, which is powered by APT28 and has been widely used in paying for multiple campaign categories. Exploitable exploits include iframes and multiple DOM instances to implement trust parameters.”

Akamai noted that this approach allows an attacker to bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), degrading the security context and ultimately facilitating the execution of malicious code outside the browser sandbox via ShellExecuteExW.
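As an added illustration, and not code from the article or from Akamai's research, the following Python checker walks the documented MS-SHLLINK layout of a .lnk file and reports any bytes appended after the terminal ExtraData block, which is where the HTML payload described above would sit; the sample shortcut it inspects is constructed here, and the marker list is an assumption for triage, not a signature.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLinkHeader LinkCLSID
HEADER_SIZE = 0x4C
# LinkFlags bits from MS-SHLLINK 2.1.1 that control which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
# Assumed triage markers: any of these in the trailer is worth a closer look
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<iframe")


def _rd(data: bytes, fmt: str, off: int) -> int:
    try:
        return struct.unpack_from(fmt, data, off)[0]
    except struct.error:
        raise ValueError("truncated Shell Link structure") from None


def lnk_structure_end(data: bytes) -> int:
    """Return the offset just past the TerminalBlock, i.e. where a legitimate .lnk ends."""
    if len(data) < HEADER_SIZE or _rd(data, "<I", 0) != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = _rd(data, "<I", 0x14)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + _rd(data, "<H", off)            # IDListSize does not count itself
    if flags & HAS_LINK_INFO:
        off += _rd(data, "<I", off)                # LinkInfoSize counts itself
    char_size = 2 if flags & IS_UNICODE else 1
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & bit:                            # StringData: CountCharacters + characters
            off += 2 + _rd(data, "<H", off) * char_size
    while True:                                    # ExtraData blocks end with BlockSize < 4
        size = _rd(data, "<I", off)
        off += size if size >= 4 else 4
        if size < 4:
            return off


def find_trailing_html(data: bytes):
    """Return (structure_end, trailer_length, first_matching_marker_or_None)."""
    end = lnk_structure_end(data)
    trailer = data[end:]
    hit = next((m for m in HTML_MARKERS if m in trailer.lower()), None)
    return end, len(trailer), hit


# Constructed sample: minimal LNK (HasName | IsUnicode), NAME_STRING "abc", TerminalBlock, HTML trailer
SAMPLE_LNK = (
    struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_NAME | IS_UNICODE)
    + b"\x00" * (HEADER_SIZE - 24)                 # remaining header fields zeroed
    + struct.pack("<H", 3) + "abc".encode("utf-16-le")
    + b"\x00\x00\x00\x00"                          # TerminalBlock
    + b"<html><body><iframe src='about:blank'></iframe></body></html>"
)

if __name__ == "__main__":
    print(find_trailing_html(SAMPLE_LNK))          # (88, 61, b'<html')
```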

“When a targeted campaign uses malicious LNK files, the vulnerable code path can be initiated via any embedded MSHTML component,” the company added. “Therefore, additional delivery methods beyond LNK-based phishing are to be expected.”
