
APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday

A recently disclosed security flaw patched by Microsoft may have been exploited by the Russia-linked state-sponsored threat actor known as APT28, according to new findings from Akamai.

The vulnerability in question is CVE-2026-21513 (CVSS score: 8.8), a high-severity security feature bypass affecting the MSHTML Framework.

“Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network,” Microsoft noted in its advisory for the flaw. It was fixed by the Windows maker as part of its February 2026 Patch Tuesday update.

However, the tech giant also noted that the vulnerability had been exploited as a zero-day in real-world attacks, crediting the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), for reporting it.

In a hypothetical attack scenario, a threat actor could weaponize the vulnerability by persuading a victim to open a malicious HTML file or shortcut (LNK) file delivered via a link or as an email attachment.


Once the crafted file is opened, it manipulates browser and Windows Shell handling, causing the content to be executed by the operating system, Microsoft noted. This, in turn, allows the attacker to bypass security features and potentially achieve code execution.

While the company has not formally shared any details about the zero-day exploitation effort, Akamai said it identified a malicious artifact that was uploaded to VirusTotal on January 30, 2026, and is associated with infrastructure linked to APT28.

It's worth noting that the sample was flagged by the Computer Emergency Response Team of Ukraine (CERT-UA) early last month in connection with APT28's attacks exploiting another security flaw in Microsoft Office (CVE-2026-21509, CVSS score: 7.8).

The web infrastructure company said CVE-2026-21513 is rooted in the logic inside “ieframe.dll” that handles hyperlink navigation, and that it is the result of insufficient validation of the target URL, which allows attacker-controlled input to reach code paths that invoke ShellExecuteExW. This, in turn, permits execution of local or remote resources outside the intended browser security context.


“This payload involves a specially crafted Windows Shortcut (LNK) that embeds an HTML file directly after the standard LNK structure,” security researcher Maor Dahan said. “The LNK file initiates communication with the domain wellnesscaremed[.]com, which is attributed to APT28 and has been in extensive use for the campaign's multistage payloads. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries.”

Akamai noted that the technique makes it possible for an attacker to bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), leading to a downgrade of the security context and ultimately facilitating the execution of malicious code outside of the browser sandbox via ShellExecuteExW.

“While the observed campaign leverages malicious LNK files, the vulnerable code path can be triggered by any component embedding MSHTML,” the company added. “Therefore, additional delivery mechanisms beyond LNK-based phishing should be anticipated.”
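The artifact described above is a Windows shortcut with an HTML document appended after the normal LNK structure. A legitimate shortcut has no reason to carry HTML, so that combination is a cheap, file-level indicator a defender can hunt for in mail gateways or file shares. The following Python is an added illustration, not code from Akamai or from the article: it checks the fixed 76-byte ShellLinkHeader (HeaderSize 0x4C plus the ShellLink CLSID, per the MS-SHLLINK specification), then looks for HTML markers in the bytes that follow and counts `<iframe` occurrences, since the campaign's exploit relies on nested iframes. The sample bytes are constructed here for the demonstration; the trailing-HTML heuristic and the verdict labels are this example's own choices, not a published detection signature.

```python
import re
import struct

# MS-SHLLINK ShellLinkHeader: HeaderSize is always 0x4C, immediately followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian on disk).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Tags that should never appear inside a real shortcut file.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<body", b"<iframe", b"<script")


def is_lnk(data: bytes) -> bool:
    """True if data begins with a well-formed ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_embedded_html(data: bytes) -> dict:
    """Scan the bytes after the LNK header for HTML content (heuristic)."""
    findings = {"is_lnk": is_lnk(data), "html_markers": [],
                "html_offset": None, "iframe_count": 0}
    if not findings["is_lnk"]:
        return findings
    body = data[LNK_HEADER_SIZE:].lower()
    first = None
    for marker in HTML_MARKERS:
        idx = body.find(marker)
        if idx != -1:
            findings["html_markers"].append(marker.decode())
            if first is None or idx < first:
                first = idx
    if first is not None:
        findings["html_offset"] = LNK_HEADER_SIZE + first
        findings["iframe_count"] = len(re.findall(rb"<iframe\b", body))
    return findings


def verdict(data: bytes) -> str:
    """Collapse the findings into a triage label (labels are this example's own)."""
    f = find_embedded_html(data)
    if not f["is_lnk"]:
        return "not-lnk"
    if not f["html_markers"]:
        return "clean"
    if f["iframe_count"] >= 2:
        return "suspicious-nested-iframes"
    return "suspicious-embedded-html"


# --- Constructed samples (not real malware) ---------------------------------
# A minimal header: HeaderSize, CLSID, then zeroed flags/attributes/timestamps.
FAKE_HEADER = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + bytes(LNK_HEADER_SIZE - 20)
# Stand-in for the normal LNK body (a target path); real files carry more structures.
BENIGN_BODY = b"C:\\Windows\\System32\\notepad.exe\x00"
CLEAN_SAMPLE = FAKE_HEADER + BENIGN_BODY
# Shortcut with an HTML document appended, mimicking the shape Akamai described.
SUSPICIOUS_SAMPLE = CLEAN_SAMPLE + (
    b"<html><body><iframe src=\"about:blank\"><iframe src=\"about:blank\">"
    b"</iframe></iframe></body></html>"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, verdict(sample), find_embedded_html(sample))
```

Run it over a directory of `.lnk` attachments and alert on anything that is not `clean`; the offset tells an analyst where to start carving the appended HTML. Note that the check deliberately stops at the header rather than walking the full LinkTargetIDList, LinkInfo and StringData sections, so it flags HTML anywhere after byte 76, which is the conservative choice for triage.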
