A recently disclosed security flaw patched by Microsoft could have been exploited by the Russia-linked state-sponsored threat actor known as APT28, according to new findings from Akamai.
The vulnerability in question is CVE-2026-21513 (CVSS score: 8.8), a high-severity security feature bypass affecting the MSHTML Framework.
“Security feature bypass in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network,” Microsoft noted in its advisory for the flaw. It was fixed by the Windows maker as part of its February 2026 Patch Tuesday update.
However, the tech giant also noted that the vulnerability had been exploited as a zero-day in real-world attacks, crediting the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), for reporting it.
In a hypothetical attack scenario, a threat actor could weaponize the vulnerability by persuading a victim to open a malicious HTML file or shortcut (LNK) file delivered via a link or as an email attachment.
Once the crafted file is opened, it manipulates browser and Windows Shell handling, causing the content to be executed by the operating system, Microsoft noted. This, in turn, allows the attacker to bypass security features and potentially achieve code execution.
While the company has not formally shared any details about the zero-day exploitation effort, Akamai said it identified a malicious artifact that was uploaded to VirusTotal on January 30, 2026, and is associated with infrastructure linked to APT28.
It's worth noting that the sample was flagged by the Computer Emergency Response Team of Ukraine (CERT-UA) early last month in connection with APT28's attacks exploiting another security flaw in Microsoft Office (CVE-2026-21509, CVSS score: 7.8).
The web infrastructure company said CVE-2026-21513 is rooted in the logic within “ieframe.dll” that handles link navigation, and that it is the result of insufficient validation of the target URL, which allows attacker-controlled input to reach code paths that invoke ShellExecuteExW. This, in turn, enables execution of local or remote resources outside the intended browser security context.
“This payload involves a specially crafted Windows Shortcut (LNK) that embeds an HTML file directly after the standard LNK structure,” security researcher Maor Dahan said. “The LNK file initiates communication with the domain wellnesscaremed[.]com, which is attributed to APT28 and has been in extensive use for the campaign's multistage payloads. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries.”
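The delivery artifact described above (an HTML document appended directly after the standard LNK structure) is something defenders can hunt for on disk and in mail gateways without executing anything. The following scanner is an added example, not Akamai's or Microsoft's tooling: it validates the ShellLinkHeader using the constants from the public [MS-SHLLINK] file-format specification, then flags ASCII HTML markup after the header and the defanged APT28 domain named in the article. The fixtures it builds (`build_minimal_lnk`, `build_lnk_with_appended_html`, the `payload.example.invalid` host) are constructed for the test and contain no exploit content.

```python
"""Heuristic scanner for Windows shortcut (.lnk) files that carry an HTML
document appended after the ShellLink structure, the delivery technique
described above. Added example for defenders; not Akamai's or Microsoft's
own tooling. Format constants come from the public [MS-SHLLINK] spec."""
import struct

LNK_HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HTML_MARKERS = (b"<!doctype html", b"<html", b"<iframe", b"<script", b"<meta")
# Domain named in the reporting above, kept defanged in source.
IOC_DOMAINS = ("wellnesscaremed[.]com",)


def is_shell_link(data: bytes) -> bool:
    """True if the buffer starts with a structurally valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_html_markers(data: bytes) -> list:
    """Return sorted (offset, marker) pairs for HTML markup found after the
    header. A legitimate shortcut stores its strings as UTF-16 or short ANSI
    paths, so contiguous ASCII tag names after the header are a strong anomaly."""
    lowered = data.lower()
    hits = []
    for marker in HTML_MARKERS:
        pos = lowered.find(marker, LNK_HEADER_SIZE)
        if pos != -1:
            hits.append((pos, marker.decode()))
    return sorted(hits)


def find_ioc_domains(data: bytes) -> list:
    """Match known indicator domains in either defanged or refanged form."""
    lowered = data.lower()
    found = []
    for defanged in IOC_DOMAINS:
        refanged = defanged.replace("[.]", ".")
        if refanged.encode() in lowered or defanged.encode() in lowered:
            found.append(defanged)
    return found


def scan_lnk(data: bytes) -> dict:
    """Classify a file buffer: not a shortcut, a clean shortcut, or suspicious."""
    if not is_shell_link(data):
        return {"is_lnk": False, "html_offset": None, "markers": [],
                "ioc_domains": [], "verdict": "not_a_shortcut"}
    hits = find_html_markers(data)
    iocs = find_ioc_domains(data)
    return {
        "is_lnk": True,
        "html_offset": hits[0][0] if hits else None,
        "markers": [m for _, m in hits],
        "ioc_domains": iocs,
        "verdict": "suspicious" if hits or iocs else "clean",
    }


def build_minimal_lnk() -> bytes:
    """Constructed test fixture: a bare ShellLinkHeader with all flags zero,
    followed by the 4-byte ExtraData terminal block. Not a usable shortcut."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<I", 0)


def build_lnk_with_appended_html(domain: str = "payload.example.invalid") -> bytes:
    """Constructed fixture: the minimal shortcut with an inert HTML document
    appended, mimicking only the layout described in the reporting."""
    html = f'<html><body><iframe src="http://{domain}/"></iframe></body></html>'
    return build_minimal_lnk() + html.encode()


if __name__ == "__main__":
    for name, blob in (("clean", build_minimal_lnk()),
                       ("appended-html", build_lnk_with_appended_html())):
        print(name, scan_lnk(blob))
```

In a real pipeline, feed `scan_lnk` the raw bytes of every `.lnk` attachment or quarantined file; the `html_offset` it reports (80 for the constructed fixture, i.e. immediately after the header and terminal block) tells an analyst where to carve the appended document for further review. The marker list is deliberately a heuristic rather than a full [MS-SHLLINK] parser, so expect to tune it against your own baseline of legitimate shortcuts.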
Akamai noted that the technique makes it possible for an attacker to bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), leading to a downgrade of the security context and ultimately facilitating the execution of malicious code outside of the browser sandbox via ShellExecuteExW.
“While the observed campaign leverages malicious LNK files, the vulnerable code path can be triggered by any component embedding MSHTML,” the company added. “Therefore, additional delivery mechanisms beyond LNK-based phishing should be expected.”
