
MSHTML Framework 0-Day Exploited by APT28 Hackers Before Feb 2026’s Patch Tuesday Update - CyberSecurityNews

CyberSecurityNews · Archived Mar 18, 2026

A zero-day vulnerability in the Microsoft HTML (MSHTML) framework was actively exploited in the wild. The vulnerability, tracked as CVE-2026-21513, allows attackers to bypass security features and execute arbitrary files. With a CVSS score of 8.8, it impacts all Windows versions.

Security researchers at Akamai discovered that the Russian state-sponsored threat group APT28 was exploiting the flaw before Microsoft released a patch in February 2026.

Akamai researchers used PatchDiff-AI, a multi-agent AI system, to perform automated root-cause analysis. They found that the flaw resides in ieframe.dll, specifically within the _AttemptShellExecuteForHlinkNavigate function, which handles hyperlink navigation.

CVE ID: CVE-2026-21513
CVSS Score: 8.8 (High)
Affected Component: MSHTML Framework (ieframe.dll)
Impact: Security Feature Bypass, Arbitrary Code Execution
Patch Date: February 2026 Patch Tuesday

The vulnerability stems from insufficient validation of target URLs. This oversight enables attacker-controlled input to reach code paths that invoke ShellExecuteExW. Consequently, local or remote resources can be executed outside the intended browser security context.

[Image: Snippet from PatchDiff-AI report, pinpointing the vulnerable code path (Source: Akamai)]

Researchers correlated the vulnerable code path with public threat intelligence and identified a malicious sample on VirusTotal submitted on January 30, 2026. The sample, named document.doc.LnK.download, is linked to infrastructure associated with APT28.

The payload uses a specially crafted Windows Shortcut (.lnk) file that embeds an HTML file immediately after the standard LNK structure. Upon execution, the LNK file connects to wellnesscaremed[.]com, a domain attributed to APT28's multi-stage campaigns.

According to Akamai's analysis, the exploit uses nested iframes and multiple Document Object Model (DOM) contexts to manipulate trust boundaries.

[Image: A user warning before the script is executed (Source: Akamai)]

This technique bypasses the Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). By downgrading the security context, the attacker can trigger the vulnerable navigation flow and execute arbitrary code.

Microsoft addressed the vulnerability in the February 2026 Patch Tuesday update. The fix introduces stricter validation for hyperlink protocols. It ensures that supported protocols, such as file://, http://, and https://, are handled within the browser context rather than being passed directly to ShellExecuteExW.

Indicators of Compromise (IOCs)

Akamai researchers have provided the following IOCs to assist network defenders:

Name: document.doc.LnK
Indicator: aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
Domain: wellnesscaremed[.]com
MITRE Techniques: T1204.001, T1566.001

Akamai warns that, while the observed attacks belong to a specific campaign that employs malicious .LNK files, the vulnerability can be triggered by any component that embeds MSHTML. Organizations are advised to apply the February 2026 security updates to mitigate the risk and to remain vigilant against alternative delivery mechanisms.
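A defender-side triage check for the delivery artifact described above (an HTML document appended directly after the Shell Link structure), written here as an added example; it is not Akamai's tooling or code from the article. It walks the .lnk structure as laid out in MS-SHLLINK (header, LinkTargetIDList, LinkInfo, StringData, ExtraData) and flags any HTML markers found past the structure's end; the shortcut bytes it scans are constructed inline.

```python
import struct
from typing import Optional

# ShellLinkHeader constants from MS-SHLLINK: fixed header size and LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<iframe")

def lnk_structure_end(data: bytes) -> int:
    """Walk the Shell Link structure and return the offset where it ends."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & 0x01:  # HasLinkTargetIDList: u16 IDListSize followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: u32 LinkInfoSize counts the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_width = 2 if flags & 0x80 else 1  # IsUnicode: UTF-16 vs ANSI StringData
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_width
    while pos + 4 <= len(data):  # ExtraData: blocks until a terminal block with size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += size if size >= 4 else 4
        if size < 4:
            break
    return pos

def trailing_html(data: bytes) -> Optional[bytes]:
    """Return the bytes appended after the LNK structure if they look like HTML, else None."""
    tail = data[lnk_structure_end(data):]
    return tail if any(m in tail.lower() for m in HTML_MARKERS) else None

def build_sample_lnk(trailer: bytes = b"") -> bytes:
    """Constructed minimal shortcut (flags HasName | IsUnicode, name "x") plus optional appended bytes."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", 0x04 | 0x80)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, sizes zeroed
    name = struct.pack("<H", 1) + "x".encode("utf-16-le")
    terminal = struct.pack("<I", 0)  # TerminalBlock closes ExtraData
    return header + name + terminal + trailer

if __name__ == "__main__":
    for label, sample in (("clean", build_sample_lnk()),
                          ("html-appended", build_sample_lnk(b"<html><iframe></iframe></html>"))):
        print(label, "->", "FLAG" if trailing_html(sample) else "ok")
```

The check is a triage heuristic for mail and download quarantines, not a verdict: the article notes the flaw can be reached by any MSHTML-embedding component, so patching remains the control.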