MSHTML Framework 0-Day Exploited by APT28

A previously undisclosed flaw in the MSHTML framework on Windows has been exploited in the wild by attackers. The vulnerability, tracked as CVE-2026-21513, allows attackers to bypass security features and execute arbitrary code. It carries a CVSS score of 8.8 (High) and affects all versions of Windows.

Researchers at Akamai uncovered evidence that the Russian state-backed cyber espionage group APT28 had been exploiting the flaw against Microsoft systems before Microsoft released a patch in February of this year.

Akamai's researchers used PatchDiff-AI, a machine-learning framework for automated vulnerability identification from patch differences.

Their analysis located the flaw in iframe handling, specifically in the _AttemptShellExecuteForHlinkNavigate function of ieframe.dll, the routine that handles hyperlink navigation.

Feature             Details
CVE ID              CVE-2026-21513
CVSS Score          8.8 (High)
Affected Component  MSHTML Framework (ieframe.dll)
Impact              Security Feature Bypass, Arbitrary Code Execution
Patch Date          February 2026 Patch Tuesday

The flaw stems from insufficient validation of the navigation target URL. This omission lets attacker-controlled input reach code paths where ShellExecuteExW is invoked.

As a result, external resources can run outside the security boundary of the web page that referenced them.

A snippet of the PatchDiff-AI report highlighting the identified vulnerable code path (Source: Akamai).
The researchers correlated the vulnerable code path with publicly available threat intelligence and found a suspicious file uploaded to VirusTotal on January 30, 2026.

The sample is named document.doc.LnK; the .lnk extension denotes a Windows shortcut. Its download activity is tied to infrastructure associated with APT28. The payload is a crafted Windows shortcut (.LNK) file with an embedded HTML document appended directly after the standard LNK structure.

When executed, the LNK file connects to wellnesscaremed[.]com, a domain linked to APT28's operations.

Akamai's analysis shows that the exploit uses nested iframes and a series of DOM context manipulations to cross the security boundary.

Before the script runs, the user is shown a prompt (Source: Akamai).
This technique bypasses both the Mark of the Web (MotW) and Internet Explorer's Enhanced Security settings.

Lowering the security zone level lets the attacker reach the vulnerable code path and run malicious scripts.

Microsoft fixed the issue in its February 2026 Patch Tuesday release. The fix adds stricter protocol checks.

It ensures that URLs with schemes such as file://, http://, and https:// are handled within the browser environment rather than being passed directly to ShellExecuteExW.

Indicators of Compromise (IOCs)
The Akamai team has shared the following IOCs to assist defenders:

Name              Indicator
document.doc.LnK  aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
Domain            wellnesscaremed.com
MITRE Techniques  T1204.001, T1566.001

Akamai warns that further attacks using this technique should be expected. The exploit in the LNK file is triggered when the embedded MSHTML content is rendered.
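A defender-side check for the delivery artifact described above, added here as an example and not taken from Akamai's report: it walks the standard MS-SHLLINK structure (header, ID list, LinkInfo, string data, extra-data blocks) to find where a .LNK file legitimately ends and flags HTML markers in any bytes appended after that point. The sample shortcut is constructed inline; the HTML markers and the minimal builder are assumptions for illustration.

```python
import struct
from typing import Optional

# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk little-endian form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Constructed list of markers that indicate HTML was appended to the shortcut
HTML_MARKERS = (b"<html", b"<iframe", b"<script", b"<!doctype html")

def lnk_body_end(data: bytes) -> int:
    """Return the offset at which the standard MS-SHLLINK structure ends."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                          # fixed-size ShellLinkHeader
    if flags & 0x01:                                  # HasLinkTargetIDList: 2-byte size + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                  # HasLinkInfo: size field includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & 0x80)                      # IsUnicode: UTF-16 string data
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):        # Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2 + count * (2 if unicode else 1)
    while off + 4 <= len(data):                       # ExtraData blocks end with a TerminalBlock (size < 4)
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    return off

def trailing_html(data: bytes) -> Optional[bytes]:
    """Return bytes appended after the LNK structure if they look like HTML, else None."""
    tail = data[lnk_body_end(data):]
    return tail if any(m in tail.lower() for m in HTML_MARKERS) else None

def build_sample_lnk(appended: bytes) -> bytes:
    """Constructed test input: minimal LNK with a Unicode Name string and TerminalBlock, then appended bytes."""
    flags = 0x04 | 0x80                               # HasName | IsUnicode
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(76 - 24)
    name = "constructed".encode("utf-16-le")
    string_data = struct.pack("<H", len(name) // 2) + name
    return header + string_data + b"\x00\x00\x00\x00" + appended

if __name__ == "__main__":
    suspicious = build_sample_lnk(b"<html><body>constructed</body></html>")
    print(trailing_html(suspicious))                  # appended HTML is reported
    print(trailing_html(build_sample_lnk(b"")))       # clean shortcut: None
```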

Organizations should apply the February 2026 security updates to mitigate the threat and stay alert for other delivery vectors.
