APT28 Exploits Unpatched MSHTML Vulnerability CVE-2026-21513 Before February 2026 Patch Tuesday


Recently Discovered Vulnerability in MSHTML Framework Linked to Russia-Based Threat Group

A recently discovered vulnerability in the MSHTML Framework, tracked as CVE-2026-21513, has been linked to the Russia-based threat group APT28.

The high-severity security feature bypass, which carries a CVSS score of 8.8, was patched by Microsoft as part of its February 2026 Patch Tuesday update.

Vulnerability Details

According to Microsoft, the vulnerability allows an unauthorized attacker to bypass a security feature over a network, potentially leading to code execution.

An attacker could exploit the vulnerability by tricking a victim into opening a malicious HTML file or shortcut (LNK) file, which would manipulate browser and Windows Shell handling, causing the content to be executed by the operating system.

Malicious Artifact Identified

Akamai researchers identified a malicious artifact associated with APT28’s infrastructure, which was uploaded to VirusTotal on January 30, 2026.

The sample is linked to a domain attributed to APT28, wellnesscaremed[.]com, and involves a specially crafted Windows Shortcut (LNK) file that embeds an HTML file.

The LNK file initiates communication with the domain, leveraging nested iframes and multiple DOM contexts to manipulate trust boundaries.
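The artifact description above (a Windows shortcut carrying an embedded HTML payload, nested iframes, and a callback to wellnesscaremed[.]com) is enough for a first-pass triage rule. The script below is an added example, not code from Akamai or Microsoft: it checks for the Shell Link header, counts HTML markers in both ASCII and UTF-16LE encodings (LNK string fields are commonly UTF-16LE), and looks for the single domain the article names. The sample bytes are constructed for illustration; only the domain is a real indicator from the page.

```python
"""Triage helper: flag .lnk files that embed HTML and reference a known domain.

Added example (not the researchers' tooling). The LNK header constant is from
the Shell Link format; SAMPLE_LNK and BENIGN_LNK are constructed test inputs.
"""

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")

# Indicator taken from the article (defanged there as wellnesscaremed[.]com).
IOC_DOMAINS = {"wellnesscaremed.com"}

# HTML constructs one would not expect inside a legitimate shortcut.
HTML_MARKERS = [b"<html", b"<body", b"<iframe", b"<script"]


def _encodings(needle: bytes) -> list[bytes]:
    """Return the ASCII and UTF-16LE forms of a marker so both are matched."""
    return [needle, needle.decode("ascii").encode("utf-16-le")]


def _count_ci(blob: bytes, needle: bytes) -> int:
    """Case-insensitive substring count (ASCII folding is enough for markers)."""
    return blob.lower().count(needle.lower())


def triage_lnk(blob: bytes) -> dict:
    """Inspect raw shortcut bytes and return a findings dictionary."""
    findings = {
        "is_lnk": blob.startswith(LNK_MAGIC),
        "html_markers": {},
        "iframe_count": 0,
        "domains": [],
        "suspicious": False,
    }
    if not findings["is_lnk"]:
        return findings  # not a shortcut; nothing further to say here

    for marker in HTML_MARKERS:
        hits = sum(_count_ci(blob, enc) for enc in _encodings(marker))
        if hits:
            findings["html_markers"][marker.decode()] = hits
    findings["iframe_count"] = findings["html_markers"].get("<iframe", 0)

    for domain in sorted(IOC_DOMAINS):
        if any(_count_ci(blob, enc) for enc in _encodings(domain.encode())):
            findings["domains"].append(domain)

    # Either embedded HTML or a known domain is enough to pull the file for review.
    findings["suspicious"] = bool(findings["html_markers"] or findings["domains"])
    return findings


# Constructed sample: header, padding standing in for the rest of the header and
# link target data, then an embedded HTML body with nested iframes.
SAMPLE_LNK = (
    LNK_MAGIC
    + b"\x00" * 60
    + b"<html><body><iframe src='https://wellnesscaremed.com/x'>"
    + b"<iframe src='about:blank'></iframe></iframe></body></html>"
)

# Constructed benign shortcut: header plus a UTF-16LE path, no HTML.
BENIGN_LNK = LNK_MAGIC + b"\x00" * 60 + "C:\\Users\\user\\notes.txt".encode("utf-16-le")


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(name, triage_lnk(data))
```

Run it over a directory of `.lnk` attachments pulled from mail quarantine by reading each file's bytes into `triage_lnk`; a hit on `html_markers` or `domains` is a reason to pull the file for full analysis, while `is_lnk` being false simply means the rule does not apply to that file.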

Exploitation Technique

The exploit takes advantage of insufficient validation of the target URL in the "ieframe.dll" logic, allowing attacker-controlled input to reach code paths that invoke ShellExecuteExW.

This enables the execution of local or remote resources outside the intended browser security context, effectively bypassing Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC).

Security researchers warn that the vulnerable code path can be triggered through any component embedding MSHTML, making it possible for attackers to use various delivery mechanisms beyond LNK-based phishing.

The technique allows an attacker to downgrade the security context and execute malicious code outside of the browser sandbox via ShellExecuteExW.

Attribution and Mitigation

The exploitation of CVE-2026-21513 is attributed to APT28, a Russia-linked state-sponsored threat group.

The vulnerability is a high-severity security feature bypass that could lead to code execution if exploited successfully.

The patch for this vulnerability was released as part of Microsoft’s February 2026 Patch Tuesday update.


