MSHTML Zero-Day CVE-2026-21513: APT28 Exploitation Before February 2026 Patch


APT28 hackers exploited a zero-day flaw in Microsoft’s MSHTML framework before the February 2026 Patch Tuesday fix. Tracked as CVE-2026-21513, this vulnerability carries a CVSS score of 8.8. It allows security bypass and arbitrary code execution on all Windows versions through ieframe.dll.

Akamai researchers spotted the attacks in the wild. They linked the exploits to APT28, a Russian state-sponsored group. The team used PatchDiff-AI to analyze the root cause in the _AttemptShellExecuteForHlinkNavigate function.

The root cause is weak URL validation: attacker-controlled input reached code paths that call ShellExecuteExW, so local or remote files were launched outside the browser's protections.

Akamai Report: “We analyzed the MSHTML exploit chain used by APT28. Patch immediately.”

Vulnerability Details

Feature          Details
CVE ID           CVE-2026-21513
CVSS Score       8.8 (High)
Affected File    ieframe.dll
Impact           Security bypass, code execution
Patch Released   February 2026 Patch Tuesday

The flaw sits in hyperlink handling. Nested iframes and DOM manipulation were used to cross trust zones, bypassing Mark of the Web and Internet Explorer Enhanced Security.

A VirusTotal sample uploaded on January 30, 2026, showed the tactic. Named document.doc.LnK.download, it was a crafted .LNK file with embedded HTML. It called out to wellnesscaremed[.]com, a domain tied to APT28 campaigns.

[Figure: Snippet from the PatchDiff-AI report, pinpointing the vulnerable code path (Source: Akamai)]

Attack Flow

  • User opens malicious .LNK file.
  • Embedded HTML triggers MSHTML navigation.
  • Bad URL validation invokes ShellExecuteExW.
  • Payload runs with elevated rights.

Microsoft's fix tightens the protocol checks: file://, http://, and https:// targets now stay in the browser context instead of being handed directly to the shell.
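To illustrate the class of fix the article describes, here is an added example (not Microsoft's code, and not taken from the Akamai report) of an allow-list check that decides whether a hyperlink target is handled inside the HTML host or refused outright. The scheme set, the function name navigation_target and the "browser"/"blocked" labels are assumptions for the example; the page gives no detail of ieframe.dll's actual validation logic. The point is the design: a target either matches an explicit allow-list of browser-handled schemes or is rejected, and nothing is ever forwarded to a generic shell-execute API.

```python
"""Allow-list scheme check of the kind the patch description implies (illustrative, not ieframe.dll)."""
from urllib.parse import urlsplit

# Assumed allow-list: the three schemes the article names as staying in browser context.
BROWSER_SCHEMES = frozenset({"http", "https", "file"})


def navigation_target(url: str) -> str:
    """Classify a hyperlink target as 'browser' (render in the HTML host) or 'blocked'.

    There is deliberately no third outcome: a target that is not a browser-handled
    scheme is refused rather than passed on to a shell launcher.
    """
    if not isinstance(url, str) or not url:
        return "blocked"
    # Refuse embedded whitespace or control characters before parsing; a parser and a
    # prefix check can disagree about what scheme such a string has.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return "blocked"
    parts = urlsplit(url)
    # urlsplit lowercases the scheme, so 'HTTP://' and 'http://' compare equal here.
    if parts.scheme not in BROWSER_SCHEMES:
        return "blocked"
    return "browser"


if __name__ == "__main__":
    for sample in ("https://example.com/page", "FILE:///C:/docs/page.html",
                   "mailto:someone@example.com", r"\\server\share\file.lnk", ""):
        print(f"{sample!r:40} -> {navigation_target(sample)}")
```

The check works on the parsed scheme rather than on a string prefix, and it rejects anything it does not positively recognise; an allow-list that defaults to "blocked" is what keeps a malformed or unexpected target from reaching a code path that can launch local programs.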

[Figure: A user warning shown before the script is executed (Source: Akamai)]

Indicators of Compromise

  • Hash: aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
  • Domain: wellnesscaremed[.]com
  • MITRE ATT&CK techniques: T1204.001 (LNK), T1566.001 (Phishing)

Apply patches now if not done. Watch for other MSHTML embeds beyond .LNK files.
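As an added example for defenders (not part of the article or of Akamai's report), the script below matches the two published indicators against key=value log lines and adds a filename heuristic for the document.doc.LnK naming trick the sample used. The log lines, their field names (dst, name, sha256) and the helper names are constructed for the example; only the hash and the defanged domain come from the article.

```python
"""Match the article's IoCs and a disguised-.LNK filename heuristic against sample log lines."""
import re
from typing import Dict, List, Tuple

# IoCs as published in the article (the domain is defanged there as wellnesscaremed[.]com).
IOC_SHA256 = {"aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa"}
IOC_DOMAINS_DEFANGED = {"wellnesscaremed[.]com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# A document-style extension immediately followed by .lnk in any letter case, with an
# optional trailing suffix such as the .download seen on the VirusTotal sample name.
DISGUISED_LNK = re.compile(
    r"\.(doc|docx|pdf|xls|xlsx|txt|rtf)\.lnk(?:\.\w+)?$", re.IGNORECASE
)
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines (assumed key=value format; not real telemetry).
SAMPLE_LOGS = [
    "2026-02-03T09:14:02Z proxy user=alice dst=wellnesscaremed.com method=GET path=/x",
    "2026-02-03T09:14:05Z edr host=WS-17 event=file_create name=document.doc.LnK "
    "sha256=aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa",
    "2026-02-03T09:15:00Z proxy user=bob dst=example.org method=GET path=/",
    "2026-02-03T09:16:10Z edr host=WS-22 event=file_create name=report.docx "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]


def parse_kv(line: str) -> Dict[str, str]:
    """Extract key=value pairs; the leading timestamp and source token carry no '='."""
    return dict(KV.findall(line))


def looks_like_disguised_lnk(name: str) -> bool:
    """True for names such as document.doc.LnK or document.doc.LnK.download."""
    return DISGUISED_LNK.search(name) is not None


def scan_line(line: str) -> List[str]:
    """Return the reasons a line is suspicious; an empty list means no match."""
    fields = parse_kv(line)
    reasons: List[str] = []
    if fields.get("dst", "").lower() in IOC_DOMAINS:
        reasons.append("ioc_domain")
    if fields.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("ioc_hash")
    if looks_like_disguised_lnk(fields.get("name", "")):
        reasons.append("disguised_lnk")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan every line and return (index, reasons) for each one that matched."""
    hits = []
    for i, line in enumerate(lines):
        reasons = scan_line(line)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOGS):
        print(f"line {index}: {', '.join(reasons)} :: {SAMPLE_LOGS[index]}")
```

The filename heuristic is the part worth keeping after the published indicators go stale: a hash and a domain identify one sample and one campaign, while a double extension ending in .lnk is the delivery trick itself, so a match there deserves a look even when neither IoC fires.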

FAQ

What is CVE-2026-21513?

A high-severity MSHTML flaw for code execution via bad URL checks.

Who exploited it?

APT28, per Akamai threat intel.

How to fix it?

Install February 2026 Windows security updates.

Are other files at risk?

Yes, any MSHTML-hosting component.
