Actively Exploited Microsoft MSHTML Framework Zero-Day (CVE-2026-21513)
Microsoft issued an urgent fix for an actively exploited MSHTML (Trident) security feature bypass tracked as CVE-2026-21513 (CVSS 8.8), which allows attackers to circumvent Windows security prompts and protections without requiring elevated privileges. Reported exploitation relies on social engineering to get a user to open specially crafted content—such as malicious HTML or shortcut (.lnk) files—delivered via email attachments, links, or downloads; the weakness is described as a protection mechanism failure (CWE-693) in how Windows Shell and MSHTML handle embedded content and validation.
CISA added CVE-2026-21513 to the Known Exploited Vulnerabilities (KEV) catalog with required action to apply vendor mitigations/patches per Microsoft guidance and a remediation due date of 2026-03-03, reinforcing that exploitation is occurring and prioritization is warranted. Separate reporting also described other Microsoft zero-days patched in the same timeframe—Microsoft Word OLE mitigation bypass (CVE-2026-21514) and a Windows Desktop Window Manager (dwm.exe) privilege escalation (CVE-2026-21519)—but those are distinct vulnerabilities and not part of the MSHTML-specific KEV entry.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-21513 to the KEV catalog
CISA added CVE-2026-21513 to its Known Exploited Vulnerabilities catalog, confirming federal agencies should prioritize remediation. The KEV entry set a remediation deadline of March 3, 2026 and directed organizations to apply Microsoft's mitigations.
Microsoft releases Patch Tuesday fix for CVE-2026-21513
On February 10, 2026, Microsoft shipped security updates addressing CVE-2026-21513 for supported Windows versions including Windows 10, Windows 11, and multiple Windows Server editions. The patch remediated the MSHTML/Windows Shell handling issue that could enable execution without proper security validation.
Microsoft discloses CVE-2026-21513 as an exploited MSHTML zero-day
Microsoft identified CVE-2026-21513 in the MSHTML (Trident) framework as a security feature bypass vulnerability and stated it had been publicly disclosed and actively exploited in the wild before a fix was available. The flaw could let attackers bypass Windows execution prompts by luring users into opening crafted HTML or malicious shortcut files.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
MSHTML Framework 0-Day Vulnerability Let Attackers Security Feature over Network
cybersecuritynews.com
Open sourceAdd Updated KEV Files for 2026-02-11 · cisagov/kev-data@af6648e · GitHub
github.com
Open sourceCVE-2026-21513 MSHTML Security Feature Bypass: Patch and Harden Now | Windows Forum
windowsforum.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update
Microsoft’s February 2026 security update addressed **59 vulnerabilities** across Windows, Azure, Microsoft Office, and Visual Studio Code, including **5 Critical** issues. NSFOCUS reported that **six vulnerabilities were already being exploited in the wild**, including **MSHTML Framework Security Feature Bypass (CVE-2026-21513)**, **Windows Shell Security Feature Bypass (CVE-2026-21510)**, **Microsoft Word Security Feature Bypass (CVE-2026-21514)**, **Desktop Window Manager EoP (CVE-2026-21519)**, **Windows Remote Access Connection Manager DoS (CVE-2026-21525)**, and **Windows Remote Desktop Service EoP (CVE-2026-21533)**. Akamai attributed active exploitation of **CVE-2026-21513** to **APT28**, reporting the flaw affects all supported Windows versions and enables a **security feature bypass leading to arbitrary file execution** (CVSS **8.8**). Akamai’s root-cause analysis placed the issue in `ieframe.dll`, in the `_AttemptShellExecuteForHlinkNavigate` hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking `ShellExecuteExW`, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as `document.doc.LnK.download`) to APT28-associated infrastructure and described use of a crafted **`.lnk`** that embeds an HTML file and contacts **`wellnesscaremed[.]com`** as part of the exploitation chain prior to Microsoft’s February patch release.
Mar 22, 2026
CISA Adds Actively Exploited Microsoft Zero-Days to KEV Catalog
CISA added **six Microsoft zero-day vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** after evidence of **active exploitation in the wild**, triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch agencies under **BOD 22-01** and prompting broader patch prioritization across enterprises. The vulnerabilities span multiple Microsoft components, including **MSHTML** and **Microsoft Word**, and are positioned as high-risk initial access and post-exploitation enablers commonly leveraged in phishing-driven intrusion chains and follow-on activity such as lateral movement and ransomware operations. Microsoft’s Security Update Guide entries provide technical details for several of the KEV-listed issues, including **CVE-2026-21513** (*MSHTML Framework Security Feature Bypass*, CVSS 8.8, `AV:N/AC:L/PR:N/UI:R`) and **CVE-2026-21514** (*Microsoft Word Security Feature Bypass*, CVSS 7.8, `AV:L/AC:L/PR:N/UI:R`), both consistent with document/web-content delivery scenarios. Separately, Microsoft also patched **CVE-2026-21525** (*Windows Remote Access Connection Manager / RasMan Denial of Service*, CVSS 6.2, `AV:L/AC:L/PR:N/UI:N`), described as a **NULL pointer dereference** that can be triggered by a local, unauthenticated attacker to crash RasMan and disrupt remote connectivity; reporting indicates exploitation was detected prior to disclosure and fixes were shipped via Patch Tuesday updates for multiple Windows and Windows Server versions.
Mar 21, 2026
Actively exploited Microsoft zero-days patched in February security updates
Microsoft disclosed and patched multiple **actively exploited** vulnerabilities as part of its February security updates, including a Microsoft Word security feature bypass tracked as **CVE-2026-21514**. The Word flaw (CVSS 7.8; CWE-807) allows attackers to bypass **Object Linking and Embedding (OLE)**-related mitigations by abusing how Word makes security decisions based on untrusted inputs; exploitation is described as requiring a crafted document and **user interaction** (e.g., opening a phishing-delivered file) while avoiding typical prompts such as Protected View or “Enable Content” warnings. Microsoft also addressed an in-the-wild exploited Windows **Desktop Window Manager (dwm.exe)** elevation-of-privilege vulnerability, **CVE-2026-21519** (CVSS 7.8), which can allow a **local** attacker to escalate from a standard user context to **SYSTEM**. The February update review also lists additional exploited issues patched in the same release, including security feature bypasses in **Windows Shell (CVE-2026-21510)** and **Internet Explorer (CVE-2026-21513)**, plus other exploited vulnerabilities (e.g., **Windows Remote Desktop Services EoP CVE-2026-21533**), underscoring that defenders should prioritize rapid deployment of the February fixes across affected Windows and Office estates.
Mar 21, 2026