MSHTML Zero-Day in Windows Exploited by APT28 Prior to Feb 2026 Security Update - gbhackers.com
By Divya
March 2, 2026
Microsoft released its Patch Tuesday updates, addressing 59 vulnerabilities, including a critical zero-day flaw in the Windows MSHTML framework.
Tracked as CVE-2026-21513, this actively exploited vulnerability allows attackers to bypass security features and execute arbitrary code.
Security researchers from Akamai discovered that APT28, a well-documented Russian state-sponsored advanced persistent threat group known for sophisticated malware campaigns, had been exploiting this flaw in the wild before the official patch was available.
Vulnerability Overview
| Feature | Details |
| --- | --- |
| CVE ID | CVE-2026-21513 |
| CVSS Score | 8.8 (High) |
| Vulnerability Type | Security Feature Bypass |
| Affected Component | MSHTML Framework (ieframe.dll) |
| Threat Actor | APT28 (Russian State-Sponsored) |
| Exploitation Status | Actively Exploited In-the-Wild |
The vulnerability originates in the ieframe.dll component, which manages hyperlink navigation for Internet Explorer.
The code did not properly validate target URLs, so crafted input could reach specific code paths that call the ShellExecuteExW function.
This flaw allows threat actors to break out of the browser’s secure sandbox environment and execute arbitrary local or remote files on the victim’s machine without warning.
Snippet from PatchDiff-AI report, pinpointing the vulnerable code path (Source: Akamai)
Researchers first spotted the APT28 exploit in late January 2026. The threat actors used a specially crafted Windows Shortcut file (.lnk) that contained a hidden HTML payload at the end of its structure.
When opened, the payload connects to an attacker-controlled domain (wellnesscaremed[.]com) to retrieve multistage malware.
To ensure successful execution, the exploit leverages nested iframes and multiple Document Object Model (DOM) contexts.
This technique allows attackers to bypass major Windows security defenses, specifically Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC).
By downgrading the security context, the malicious script forces the system to execute the dangerous ShellExecuteExW call.
A user warning before the script is executed (Source: Akamai)
While the observed campaign relies on malicious .lnk files, experts warn that any application embedding the MSHTML component could trigger this vulnerable code path.
This means other delivery methods beyond traditional phishing are highly likely.
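The observed delivery artefact is a Windows Shortcut file with HTML markup hidden after its normal structure. The triage heuristic below is an added example, not Akamai's tooling or the article's own code: it checks for a well-formed ShellLinkHeader and then looks for HTML markers anywhere past that header. The function names and the sample bytes are constructed for this illustration.

```python
"""Added example, not Akamai's tooling: a triage heuristic for Windows
Shortcut (.lnk) files that carry HTML markup after the shell-link
structures, the delivery artefact the article describes. The sample bytes
are constructed here; the function names are assumptions."""
import sys

LNK_HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
LNK_MAGIC = b"\x4c\x00\x00\x00"  # HeaderSize field, little-endian 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# Markup that has no business inside a shortcut file, compared case-insensitively.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body",
                b"<script", b"<iframe", b"<meta")


def is_shell_link(data: bytes) -> bool:
    """True when the bytes start with a well-formed ShellLinkHeader."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == LNK_MAGIC
            and data[4:20] == LNK_CLSID)


def find_html_in_lnk(data: bytes):
    """Return (offset, marker) of the earliest HTML marker after the header,
    or None when the file is not a shell link or contains no markup."""
    if not is_shell_link(data):
        return None
    lower = data.lower()
    hits = []
    for marker in HTML_MARKERS:
        offset = lower.find(marker, LNK_HEADER_SIZE)
        if offset != -1:
            hits.append((offset, marker))
    return min(hits) if hits else None


def triage_lnk(data: bytes) -> dict:
    """Summarise one file for an analyst: verdict plus where the markup sits."""
    hit = find_html_in_lnk(data)
    if hit is None:
        return {"shell_link": is_shell_link(data), "html_at": None, "suspicious": False}
    offset, marker = hit
    return {"shell_link": True, "html_at": offset, "marker": marker.decode(),
            "trailing_bytes": len(data) - offset, "suspicious": True}


def build_sample_lnk(tail: bytes) -> bytes:
    """Constructed sample: a minimal header, 32 filler bytes standing in for
    the link's usual structures, then whatever the caller appends."""
    header = LNK_MAGIC + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    return header + b"\x00" * 32 + tail


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        # Real use: pass one or more .lnk files on the command line.
        for path in paths:
            with open(path, "rb") as fh:
                print(path, triage_lnk(fh.read()))
    else:
        # Offline demo on constructed samples: one clean, one with appended markup.
        benign = build_sample_lnk(b"")
        suspect = build_sample_lnk(b"<HTML><body>constructed sample</body></html>")
        print("benign :", triage_lnk(benign))
        print("suspect:", triage_lnk(suspect))
```

The check is deliberately coarse: a legitimate shortcut has no reason to contain HTML tags at all, so any hit is worth a look, and the reported offset and trailing byte count tell the analyst whether the markup sits at the tail of the file as in the observed campaign. A real .lnk parser would walk the LinkFlags, LinkTargetIDList and StringData sections to find the exact end of the structure; that is not needed for a first-pass hunt across a mail gateway quarantine.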
To address CVE-2026-21513, Microsoft implemented stricter hyperlink protocol validation in the February 2026 security patch update.
The fix ensures that standard protocols, such as HTTP, HTTPS, and FILE, are strictly contained and executed within the secure browser environment.
They can no longer be passed directly to the ShellExecuteExW function, effectively neutralizing the exploit chain.
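The root cause and the fix come down to one decision: which hyperlink targets the browser handles itself and which may ever leave the sandbox. The model below is an added example, not Microsoft's ieframe.dll code, showing that decision as a single choke point applied regardless of which iframe or DOM context issued the navigation. The names Action, classify_hyperlink and CONTAINED_SCHEMES, and the choice to prompt rather than silently launch for non-contained protocols, are assumptions made for this illustration; the set of contained protocols (HTTP, HTTPS, FILE) is the one the article names.

```python
"""Added example, not Microsoft's ieframe.dll code: a small model of the
hyperlink-dispatch hardening described for CVE-2026-21513. The names
Action, classify_hyperlink and CONTAINED_SCHEMES are assumptions made for
this illustration."""
import re
from enum import Enum


class Action(Enum):
    NAVIGATE_IN_BROWSER = "navigate"  # handled inside the browser sandbox
    PROMPT_USER = "prompt"            # needs explicit consent before any handoff
    BLOCK = "block"                   # refused outright


# Protocols the February 2026 fix keeps inside the browser environment,
# according to the article: they must never reach ShellExecuteExW.
CONTAINED_SCHEMES = frozenset({"http", "https", "file"})

# RFC 3986 scheme syntax: a letter followed by letters, digits, "+", "." or "-".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def extract_scheme(url: str):
    """Return the lower-cased URL scheme, or None when there is none.

    Leading whitespace and C0 control characters are dropped first, because
    lenient URL parsers ignore them and a naive prefix check would not.
    """
    i = 0
    while i < len(url) and (url[i].isspace() or ord(url[i]) < 0x20):
        i += 1
    match = _SCHEME_RE.match(url[i:])
    return match.group(1).lower() if match else None


def classify_hyperlink(url: str) -> Action:
    """Decide what a hyperlink click may do, applying one rule at one choke
    point regardless of which iframe or DOM context issued the navigation."""
    scheme = extract_scheme(url)
    if scheme is None:
        # No recognisable protocol: do not guess, refuse the navigation.
        return Action.BLOCK
    if scheme in CONTAINED_SCHEMES:
        # The patched behaviour the article describes: standard protocols are
        # navigated by the browser itself and never handed to the shell.
        return Action.NAVIGATE_IN_BROWSER
    if len(scheme) == 1:
        # "C:\..." parses as a one-letter scheme; treat it as a local path and
        # require consent rather than silently launching anything.
        return Action.PROMPT_USER
    # Every other protocol handler lives outside the sandbox: ask the user first.
    return Action.PROMPT_USER


if __name__ == "__main__":
    for sample in ("https://example.com/", "  FILE:///C:/tmp/a.txt",
                   r"C:\tmp\a.txt", "mailto:user@example.com", "no scheme"):
        print(f"{sample!r:32} -> {classify_hyperlink(sample).value}")
```

Two design points matter more than the allowlist itself. First, the scheme is normalised (leading control characters stripped, case folded) before it is compared, so the comparison sees the same string the navigation code will act on. Second, the rule is evaluated once, at the point where a shell handoff could happen, rather than per security zone; the article's account of nested iframes and multiple DOM contexts being used to downgrade the effective security context is exactly the failure mode that a context-dependent check invites.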