MSHTML Framework 0-Day Exploited by APT28 Hackers Before Feb 2026’s Patch Tuesday Update - CyberSecurityNews

Source: CyberSecurityNews · Archived Apr 06, 2026

A zero-day vulnerability in the Microsoft HTML (MSHTML) framework was actively exploited in the wild. The vulnerability, tracked as CVE-2026-21513, allows attackers to bypass security features and execute arbitrary files. With a CVSS score of 8.8, it impacts all Windows versions.

Security researchers at Akamai found that the Russian state-sponsored threat group APT28 was exploiting the flaw before Microsoft released a patch in February 2026.

Akamai researchers used PatchDiff-AI, a multi-agent AI system, to perform automated root-cause analysis. They found that the flaw resides in ieframe.dll, specifically within the _AttemptShellExecuteForHlinkNavigate function, which handles hyperlink navigation.

Feature              Details
CVE ID               CVE-2026-21513
CVSS Score           8.8 (High)
Affected Component   MSHTML Framework (ieframe.dll)
Impact               Security Feature Bypass, Arbitrary Code Execution
Patch Date           February 2026 Patch Tuesday

The vulnerability stems from insufficient validation of target URLs. This oversight lets attacker-controlled input reach code paths that invoke ShellExecuteExW, so local or remote resources can be executed outside the intended browser security context.

[Figure: Snippet from PatchDiff-AI report, pinpointing the vulnerable code path (Source: Akamai)]

Researchers correlated the vulnerable code path with public threat intelligence and identified a malicious sample on VirusTotal submitted on January 30, 2026. The sample, named document.doc.LnK.download, is linked to infrastructure associated with APT28. The payload is a specially crafted Windows Shortcut (.lnk) file that embeds an HTML file immediately after the standard LNK structure. Upon execution, the LNK file connects to wellnesscaremed[.]com, a domain attributed to APT28's multi-stage campaigns.

According to Akamai's analysis, the exploit uses nested iframes and multiple Document Object Model (DOM) contexts to manipulate trust boundaries.

[Figure: A user warning before the script is executed (Source: Akamai)]

This technique bypasses the Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). By downgrading the security context, the attacker can trigger the vulnerable navigation flow and execute arbitrary code.

Microsoft addressed the vulnerability in the February 2026 Patch Tuesday update. The fix introduces stricter validation for hyperlink protocols, ensuring that supported protocols, such as file://, http://, and https://, execute within the browser context rather than being passed directly to ShellExecuteExW.

Indicators of Compromise (IOCs)

Akamai researchers have provided the following IOCs to assist network defenders:

Name                document.doc.LnK
Indicator           aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
Domain              wellnesscaremed[.]com
MITRE Techniques    T1204.001, T1566.001

Akamai warns that, while the observed attacks belong to a specific campaign that employs malicious .LNK files, the vulnerability can be triggered by any component that embeds MSHTML. Organizations are advised to apply the February 2026 security updates to mitigate the risk and remain vigilant against alternative delivery mechanisms.
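The delivery vehicle described above, a shortcut file with an HTML document appended after the LNK structure, lends itself to a cheap triage check. The script below is an added example, not Akamai's PatchDiff-AI or any tooling from the article: it validates the ShellLinkHeader using the public [MS-SHLLINK] constants, then looks for HTML markers behind the header and for the document-style double extension seen in the sample name. The marker list and the extension pattern are assumptions chosen for illustration, and the sample bytes are constructed here, not taken from the real malware.

```python
import re
import struct

# Constants from the [MS-SHLLINK] ShellLinkHeader layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Markers of an HTML document riding behind the shell-link structure (assumed heuristic).
HTML_MARKERS = (b"<!doctype html", b"<html", b"<iframe", b"<script")

def is_shell_link(data: bytes) -> bool:
    """True when the blob starts with a valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID

def find_embedded_html(data: bytes):
    """Return (offset, marker) of the first HTML marker past the header, else None."""
    body = data[LNK_HEADER_SIZE:].lower()
    hits = [(body.find(m), m) for m in HTML_MARKERS if m in body]
    if not hits:
        return None
    off, marker = min(hits)
    return (LNK_HEADER_SIZE + off, marker.decode())

def triage_lnk(name: str, data: bytes) -> dict:
    """Collect the signals a defender would flag on an .lnk sample."""
    findings = {
        "is_lnk": is_shell_link(data),
        "double_extension": bool(re.search(r"\.(doc|docx|pdf|xls|xlsx)\.lnk$", name, re.I)),
        "embedded_html": None,
    }
    if findings["is_lnk"]:
        findings["embedded_html"] = find_embedded_html(data)
    findings["suspicious"] = findings["is_lnk"] and (
        findings["embedded_html"] is not None or findings["double_extension"])
    return findings

# Constructed samples (not real malware): a bare ShellLinkHeader plus filler, once with
# an HTML document appended after the link structure and once without.
_HEADER = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
POLYGLOT_LNK = _HEADER + b"\x00" * 32 + b"<!DOCTYPE html><html><body><iframe></iframe></body></html>"
CLEAN_LNK = _HEADER + b"\x00" * 200

if __name__ == "__main__":
    print(triage_lnk("document.doc.LnK", POLYGLOT_LNK))
```

The check only reads the fixed-size header, so it does not parse LinkTargetIDList or the other variable-length sections; a marker hit is a reason to detonate the file in a sandbox, not a verdict on its own.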