A critical vulnerability in Microsoft’s MSHTML Framework was reportedly exploited by the Russian-affiliated threat group APT28 before it was patched in February 2026. According to Akamai, this high-severity flaw, identified as CVE-2026-21513 with a CVSS score of 8.8, was exploited in the wild as a zero-day.
Understanding the MSHTML Vulnerability
The vulnerability in question involves a security feature bypass within the MSHTML Framework. Microsoft highlighted that this flaw allows unauthorized attackers to circumvent security mechanisms over a network. The issue was addressed during the February 2026 Patch Tuesday; Microsoft credited the Microsoft Threat Intelligence Center, Microsoft Security Response Center, Office Product Group Security Team, and Google’s Threat Intelligence Group for their collaborative efforts in identifying the flaw.
The vulnerability can be weaponized by attackers who trick victims into opening a malicious HTML or shortcut (LNK) file delivered via links or email attachments. Upon opening, it alters browser and Windows Shell operations, enabling code execution by bypassing security protections.
APT28’s Exploitation Tactics
APT28’s exploitation of this flaw was highlighted by Akamai, which discovered a malicious file uploaded to VirusTotal on January 30, 2026, linked to the group’s infrastructure. The Computer Emergency Response Team of Ukraine (CERT-UA) also flagged this activity, linking it to previous APT28 exploits involving a different Microsoft Office vulnerability (CVE-2026-21509).
The flaw is rooted in the ‘ieframe.dll’ component that handles hyperlink navigation, resulting from inadequate validation of URLs. This allows attacker-controlled data to traverse code paths that invoke ShellExecuteExW, facilitating the execution of resources outside the browser’s security context.
Technical Insights and Future Threats
Security expert Maor Dahan explained that the exploit involves a Windows Shortcut (LNK) file embedding an HTML document. This file communicates with a domain linked to APT28, known for its extensive use in multi-stage payload campaigns. The exploit manipulates nested iframes and multiple DOM contexts to breach trust boundaries.
Akamai warns that this technique can bypass security measures like Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), lowering security contexts and allowing malicious code execution outside of the browser sandbox through ShellExecuteExW. While the current campaign utilizes LNK files, any component embedding MSHTML could potentially trigger the vulnerable code path, suggesting a need for vigilance against diverse delivery mechanisms beyond LNK-based phishing.
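The delivery pattern described above (a shortcut file carrying an embedded HTML document with nested iframes) and the Mark-of-the-Web bypass are the two things a defender can most usefully check for on disk. The following Python triage script is an added example written for this article; it is not code from Akamai, Microsoft or CERT-UA, and the HTML markers, the nesting heuristic and the sample bytes are constructed assumptions rather than vendor signatures. It validates the fixed ShellLink header, flags HTML markup that has no business inside a shortcut, counts and detects nested iframe tags, and reports whether a Zone.Identifier stream (MotW) is readable, which only works on NTFS under Windows.

```python
"""Heuristic triage of a Windows shortcut (.lnk) that carries embedded HTML.

Added detection example: flags LNK files whose bytes also contain HTML
markup, counts <iframe> elements, and reports whether a Mark-of-the-Web
Zone.Identifier stream is present. Marker list and nesting rule are assumptions.
"""
import re
from typing import Optional

# Fixed 20-byte prefix of every ShellLink file: HeaderSize 0x4C followed by
# the ShellLink CLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# HTML markers a legitimate shortcut should never contain (assumed list).
HTML_MARKERS = (b"<html", b"<iframe", b"<script", b"<body")


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a valid ShellLink header."""
    return data.startswith(LNK_MAGIC)


def triage_lnk_bytes(data: bytes) -> dict:
    """Return findings for one file's raw bytes (no disk access needed)."""
    lower = data.lower()
    findings = {
        "is_lnk": is_lnk(data),
        "html_markers": {m.decode(): lower.count(m) for m in HTML_MARKERS if lower.count(m)},
        "iframe_count": lower.count(b"<iframe"),
        "nested_iframes": False,
        "suspicious": False,
    }
    # Nested iframes: an <iframe> opened before the previous one is closed.
    depth = 0
    for tag in re.finditer(rb"<(/?)iframe\b", lower):
        if tag.group(1) == b"/":
            depth = max(depth - 1, 0)
        else:
            depth += 1
            if depth > 1:
                findings["nested_iframes"] = True
    # A shortcut that embeds any HTML markup is worth a closer look.
    findings["suspicious"] = findings["is_lnk"] and bool(findings["html_markers"])
    return findings


def read_zone_identifier(path: str) -> Optional[str]:
    """Return the Zone.Identifier alternate data stream (MotW) if readable.

    Only NTFS on Windows exposes the stream via 'file:Zone.Identifier'; elsewhere
    this returns None, which a caller must treat as 'unknown', not 'absent'.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed samples: a valid LNK header, padding, and (in the first case) an
# HTML payload with two nested iframes. Illustrative layout, not a real sample.
SAMPLE_LNK_WITH_HTML = (
    LNK_MAGIC + b"\x00" * 56
    + b'<html><body><iframe src="about:blank"><iframe></iframe></iframe></body></html>'
)
SAMPLE_CLEAN_LNK = LNK_MAGIC + b"\x00" * 56

if __name__ == "__main__":
    for name, blob in (("with_html", SAMPLE_LNK_WITH_HTML), ("clean", SAMPLE_CLEAN_LNK)):
        print(name, triage_lnk_bytes(blob))
```

Run it against quarantined attachments by reading each file's bytes into `triage_lnk_bytes` and, on Windows, pairing the result with `read_zone_identifier`; a suspicious shortcut with no Zone.Identifier stream is exactly the combination the article says this technique produces and should be escalated rather than opened.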
The discovery of this vulnerability and its exploitation by APT28 underscores the ongoing threat posed by state-sponsored cyber actors. Organizations are urged to apply security patches promptly and remain vigilant against evolving cyber threats.
