Ethical Hacking News
APT28 Exploits MSHTML 0-Day Vulnerability CVE-2026-21513 in Pre-Patch Tuesday Attack
Threat actors linked to APT28 exploited a newly disclosed zero-day vulnerability (CVE-2026-21513) in Microsoft's MSHTML Framework. The vulnerability has a CVSS score of 8.8 and was patched by Microsoft as part of its February 2026 Patch Tuesday update. APT28 used the exploit to bypass Mark-of-the-Web and Internet Explorer Enhanced Security Configuration, allowing malicious code to execute outside the browser sandbox. The delivery artifact is a Windows Shortcut (LNK) file with an HTML file appended to it, which initiates communication with an APT28 domain. Organizations are urged to patch this vulnerability immediately to minimize the risk of exploitation by APT28 and other threat actors.
Threat Intelligence Community Sounds Alarm on Newly Disclosed Zero-Day Exploit by APT28 Group
The cybersecurity landscape has been shaken once again by the revelation of a newly disclosed zero-day vulnerability, CVE-2026-21513, which was allegedly exploited by the Russia-linked state-sponsored threat actor known as APT28 before Microsoft released its February 2026 Patch Tuesday update. This latest finding from Akamai serves as a stark reminder of the ever-evolving nature of cybersecurity threats and the importance of timely patching.
CVE-2026-21513 is a high-severity security feature bypass affecting the MSHTML Framework, with a CVSS score of 8.8. Microsoft officially patched it as part of its February 2026 Patch Tuesday update; however, Akamai has reported that APT28 exploited the flaw as a zero-day in real-world attacks before the fix was available.
The technical details behind CVE-2026-21513 reveal that the vulnerability is rooted in the logic within "ieframe.dll" that handles hyperlink navigation. The payload is a specially crafted Windows Shortcut (LNK) file with an HTML file appended immediately after the standard LNK structure; that HTML initiates communication with a domain attributed to APT28, which has been used extensively for the campaign's multistage payloads.
The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries. This technique enables attackers to bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), leading to a downgrade of the security context and ultimately facilitating the execution of malicious code outside of the browser sandbox via ShellExecuteExW.
While Microsoft has not officially shared any details about the zero-day exploitation effort, Akamai identified a malicious artifact that was uploaded to VirusTotal on January 30, 2026, and is associated with infrastructure linked to APT28. This finding further solidifies the connection between APT28 and CVE-2026-21513.
Furthermore, it's worth noting that this vulnerability has been flagged by the Computer Emergency Response Team of Ukraine (CERT-UA) in connection with APT28's attacks exploiting another security flaw in Microsoft Office (CVE-2026-21509, CVSS score: 7.8).
In light of these developments, organizations are urged to remain vigilant and take immediate action to patch this vulnerability. By doing so, they can minimize the risk of exploitation by APT28 and other threat actors.
Moreover, this incident highlights the importance of robust cybersecurity measures, timely patching, and continuous monitoring.
As cybersecurity researchers continue to uncover new threats and vulnerabilities, organizations that stay informed, vigilant, and proactive are best placed to safeguard their systems and data against emerging threats like CVE-2026-21513.
Related Information:
https://www.ethicalhackingnews.com/articles/APT28-Exploits-MSHTML-0-Day-Vulnerability-CVE-2026-21513-in-Pre-Patch-Tuesday-Attack-ehn.shtml
Published: Mon Mar 2 06:29:50 2026 by llama3.2 3B Q4_K_M