This security bypass vulnerability hit all Windows versions, earned a CVSS score of 8.8, and saw active exploitation in the wild by APT28, Russia’s state-sponsored hackers.
Akamai researchers used PatchDiff-AI to dissect the patch and link it to real attacks.
CVE-2026-21513 hides in ieframe.dll, part of Internet Explorer. It has flaws in hyperlink navigation logic, letting attackers slip past browser safeguards.
Weak URL checks feed malicious input to ShellExecuteExW, which runs local or remote files outside the sandbox.
Attackers bypass Mark of the Web (MotW) and IE Enhanced Security Configuration (IE ESC) using nested iframes and DOM tricks.
A malicious .LNK file, flagged on VirusTotal January 30, 2026, kicks it off. It embeds HTML that phones home to wellnesscaremed[.]com, tied to APT28.
JavaScript like document.Script.open("http:///", "_parent") in iframes dodges warnings, triggers _AttemptShellExecuteForHlinkNavigate, and drops payloads.
This works via any MSHTML host, not just IE; think phishing emails or embedded controls. MITRE tactics: T1204.001 (User Execution: Malicious File) and T1566.001 (Phishing: Spearphishing Attachment).
| CVE ID | CVSS Score | Affected Component | Exploitation Status | Patch Date | Attribution |
|---|---|---|---|---|---|
| CVE-2026-21513 | 8.8 (High) | ieframe.dll (MSHTML) | Actively exploited | Feb 2026 Patch Tuesday | APT28 (Russia) |
Microsoft added strict protocol checks (file://, http://, https://) to keep actions in-browser, blocking ShellExecuteExW abuse. Full mitigation demands the update.
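To make the fix concrete from the defender's side, here is an added Python illustration of the difference between a prefix-style URL check and a parse-and-allow-list check of the kind the article says the patch introduced. This is example code written for this page, not Microsoft's ieframe.dll logic and not Akamai's tooling; the `naive_scheme_check` function is a hypothetical weak check used only as a contrast, and the decision to reject UNC hosts in file: URLs is a local policy choice, not something the article states.

```python
from urllib.parse import urlsplit

# Schemes the article says the patch keeps in-browser (illustrative allow-list).
ALLOWED_SCHEMES = frozenset({"file", "http", "https"})


def naive_scheme_check(url: str) -> bool:
    """Hypothetical weak check (NOT the pre-patch ieframe.dll code): it only
    looks at the string prefix, so odd inputs such as 'http:///' pass."""
    return url.lower().startswith(("http://", "https://", "file://"))


def strict_navigation_check(url: str) -> bool:
    """Illustrative hardened check: parse the URL, allow-list the scheme, and
    require a real host for http/https so the target stays a browser
    navigation instead of something a shell launcher would resolve."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        # Malformed input (e.g. unbalanced IPv6 brackets): refuse it.
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if scheme in ("http", "https"):
        # 'http:///' parses with an empty host; reject it outright.
        return bool(parts.hostname)
    # file: URLs must carry a path; rejecting a netloc (UNC host) here is a
    # policy assumption of this example, not a detail from the article.
    return parts.netloc == "" and parts.path != ""


def classify(url: str) -> str:
    """Return which of the two checks accepts the URL, for side-by-side review."""
    naive = naive_scheme_check(url)
    strict = strict_navigation_check(url)
    if naive and not strict:
        return "naive-only"      # the gap the stricter parse closes
    if strict:
        return "accepted"
    return "rejected"


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for u in ("https://example.com/index.html", "http:///", "javascript:void(0)",
              "file:///C:/Users/jdoe/notes.txt", "file://fileserver/share/notes.txt"):
        print(f"{u!r:45} -> {classify(u)}")
```

The important case is `http:///`: a prefix check lets it through, while the parsed check sees no host and refuses it before anything downstream could treat it as a launch request.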
Apply patches now via Microsoft’s guide. Hunt for IOCs below. Tools like Akamai Hunt flag T1204.001 and T1566.001 patterns.
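As an added illustration of the hunting step, the following Python scans log lines for the one network indicator the article names (the defanged domain) and for the LNK-from-attachment behaviour it describes (T1204.001 / T1566.001). This is example code written for this page, not Akamai Hunt and not part of the original post; the log lines are constructed, and the attachment-path fragments (`\inetcache\`, `\outlook\`, `\downloads\`) are an assumed heuristic, not indicators from the article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator exactly as the article gives it (defanged).
DEFANGED_IOCS = ["wellnesscaremed[.]com"]

# Assumed heuristic: paths where a mail client or browser drops attachments.
ATTACHMENT_PATH_HINTS = ("\\inetcache\\", "\\outlook\\", "\\downloads\\")


@dataclass
class Hit:
    line_no: int
    technique: str
    reason: str
    line: str


def refang(ioc: str) -> str:
    """Turn the defanged article form back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def hunt(lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> List[Hit]:
    """Return one Hit per suspicious line: a known C2 domain, or a .lnk
    launched from an attachment/download location."""
    # Anchor the domain so 'notwellnesscaremed.com' does not match.
    domain_res = [re.compile(r"(?<![\w.-])" + re.escape(refang(i)) + r"(?![\w-])")
                  for i in iocs]
    lnk_re = re.compile(r"\.lnk\b")
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for rx in domain_res:
            if rx.search(low):
                hits.append(Hit(n, "T1566.001/T1204.001",
                                f"contact with C2 domain {rx.pattern}", line))
                break
        if lnk_re.search(low) and any(p in low for p in ATTACHMENT_PATH_HINTS):
            hits.append(Hit(n, "T1204.001",
                            "shortcut opened from attachment/download path", line))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2026-02-03T10:14:07Z proxy user=jdoe method=GET host=wellnesscaremed.com path=/ status=200",
    "2026-02-03T10:14:09Z dns query=cdn.example.com type=A",
    r'2026-02-03T10:13:58Z sysmon EventID=1 Image=C:\Windows\explorer.exe '
    r'CommandLine="C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD\invoice.lnk"',
    "2026-02-03T10:15:00Z proxy user=jdoe method=GET host=notwellnesscaremed.com path=/ status=200",
]


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"line {h.line_no}: [{h.technique}] {h.reason}")
```

Run against the constructed lines it flags the proxy request to the refanged domain and the shortcut opened out of the Outlook attachment cache, and leaves the look-alike `notwellnesscaremed.com` line alone because the domain match is anchored on both sides.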
Key IOCs
Expect more vectors beyond LNK phishing. PatchDiff-AI, which speeds up root-cause hunts, has a demo at RSAC 2026. Stay vigilant against APT28's campaigns.
The post APT28 Exploits MSHTML Zero-Day Ahead of February 2026 Patch Tuesday appeared first on Cyber Security News.