Actively Exploited Microsoft MSHTML Framework Zero-Day (CVE-2026-21513)
Microsoft issued an urgent fix for an actively exploited MSHTML (Trident) security feature bypass tracked as CVE-2026-21513 (CVSS 8.8), which allows attackers to circumvent Windows security prompts and protections without requiring elevated privileges. Reported exploitation relies on social engineering to get a user to open specially crafted content—such as malicious HTML or shortcut (.lnk) files—delivered via email attachments, links, or downloads; the weakness is described as a protection mechanism failure (CWE-693) in how Windows Shell and MSHTML handle embedded content and validation.
CISA added CVE-2026-21513 to the Known Exploited Vulnerabilities (KEV) catalog with required action to apply vendor mitigations/patches per Microsoft guidance and a remediation due date of 2026-03-03, reinforcing that exploitation is occurring and prioritization is warranted. Separate reporting also described other Microsoft zero-days patched in the same timeframe—Microsoft Word OLE mitigation bypass (CVE-2026-21514) and a Windows Desktop Window Manager (dwm.exe) privilege escalation (CVE-2026-21519)—but those are distinct vulnerabilities and not part of the MSHTML-specific KEV entry.
Related Stories

Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update
Microsoft’s February 2026 security update addressed **59 vulnerabilities** across Windows, Azure, Microsoft Office, and Visual Studio Code, including **5 Critical** issues. NSFOCUS reported that **six vulnerabilities were already being exploited in the wild**, including **MSHTML Framework Security Feature Bypass (CVE-2026-21513)**, **Windows Shell Security Feature Bypass (CVE-2026-21510)**, **Microsoft Word Security Feature Bypass (CVE-2026-21514)**, **Desktop Window Manager EoP (CVE-2026-21519)**, **Windows Remote Access Connection Manager DoS (CVE-2026-21525)**, and **Windows Remote Desktop Service EoP (CVE-2026-21533)**. Akamai attributed active exploitation of **CVE-2026-21513** to **APT28**, reporting the flaw affects all supported Windows versions and enables a **security feature bypass leading to arbitrary file execution** (CVSS **8.8**). Akamai’s root-cause analysis placed the issue in `ieframe.dll`, in the `_AttemptShellExecuteForHlinkNavigate` hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking `ShellExecuteExW`, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as `document.doc.LnK.download`) to APT28-associated infrastructure and described use of a crafted **`.lnk`** that embeds an HTML file and contacts **`wellnesscaremed[.]com`** as part of the exploitation chain prior to Microsoft’s February patch release.
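A defender-side triage helper for the delivery artefact described above (a document-named `.lnk` that embeds HTML and calls out to a domain). This is an added example, not code from Akamai, Microsoft or the original post; it assumes only the public MS-SHLLINK header layout, and the file name, bytes and URL below are constructed.

```python
import re
from dataclasses import dataclass, field

# Magic for a Windows Shell Link (.lnk) per MS-SHLLINK: HeaderSize 0x0000004C
# followed by LinkCLSID {00021401-0000-0000-C000-000000000046}, both little-endian.
LNK_HEADER = b"\x4c\x00\x00\x00" + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf"}
BROWSER_SUFFIXES = {"download", "crdownload", "part"}  # partial-download suffixes browsers append
HTML_MARKERS = re.compile(rb"<\s*(html|script|iframe|a\s+href)", re.IGNORECASE)
URL_PATTERN = re.compile(rb"https?://[A-Za-z0-9.\-]+", re.IGNORECASE)

@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A real shell link is only flagged when it also looks like a document or carries HTML.
        return "shell-link-header" in self.reasons and len(self.reasons) > 1

def is_shell_link(data: bytes) -> bool:
    return data[: len(LNK_HEADER)] == LNK_HEADER

def extension_chain(name: str) -> list:
    parts = name.lower().split(".")[1:]
    # Drop a trailing browser suffix so "x.doc.lnk.download" is read as "x.doc.lnk".
    while parts and parts[-1] in BROWSER_SUFFIXES:
        parts.pop()
    return parts

def triage(name: str, data: bytes) -> Finding:
    f = Finding(name)
    if is_shell_link(data):
        f.reasons.append("shell-link-header")
    exts = extension_chain(name)
    if "lnk" in exts and any(e in DOCUMENT_EXTS for e in exts):
        f.reasons.append("document-named-lnk")
    if HTML_MARKERS.search(data):
        f.reasons.append("embedded-html")
    f.urls = sorted({u.decode("ascii", "replace") for u in URL_PATTERN.findall(data)})
    return f

# Constructed sample: a shell-link header, padding, then an HTML stub with a placeholder URL.
SAMPLE_NAME = "document.doc.LnK.download"
SAMPLE_DATA = LNK_HEADER + b"\x00" * 56 + b"<HTML><script src='http://c2.example.invalid/x'></script>"
```

Run `triage(SAMPLE_NAME, SAMPLE_DATA)` over a quarantined download directory to surface document-named shell links and the hosts they reference; a plain shortcut with a normal name and no HTML is not flagged.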
CISA Adds Actively Exploited Microsoft Zero-Days to KEV Catalog
CISA added **six Microsoft zero-day vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** after evidence of **active exploitation in the wild**, triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch agencies under **BOD 22-01** and prompting broader patch prioritization across enterprises. The vulnerabilities span multiple Microsoft components, including **MSHTML** and **Microsoft Word**, and are positioned as high-risk initial access and post-exploitation enablers commonly leveraged in phishing-driven intrusion chains and follow-on activity such as lateral movement and ransomware operations. Microsoft’s Security Update Guide entries provide technical details for several of the KEV-listed issues, including **CVE-2026-21513** (*MSHTML Framework Security Feature Bypass*, CVSS 8.8, `AV:N/AC:L/PR:N/UI:R`) and **CVE-2026-21514** (*Microsoft Word Security Feature Bypass*, CVSS 7.8, `AV:L/AC:L/PR:N/UI:R`), both consistent with document/web-content delivery scenarios. Separately, Microsoft also patched **CVE-2026-21525** (*Windows Remote Access Connection Manager / RasMan Denial of Service*, CVSS 6.2, `AV:L/AC:L/PR:N/UI:N`), described as a **NULL pointer dereference** that can be triggered by a local, unauthenticated attacker to crash RasMan and disrupt remote connectivity; reporting indicates exploitation was detected prior to disclosure and fixes were shipped via Patch Tuesday updates for multiple Windows and Windows Server versions.
Actively exploited Microsoft zero-days patched in February security updates
Microsoft disclosed and patched multiple **actively exploited** vulnerabilities as part of its February security updates, including a Microsoft Word security feature bypass tracked as **CVE-2026-21514**. The Word flaw (CVSS 7.8; CWE-807) allows attackers to bypass **Object Linking and Embedding (OLE)**-related mitigations by abusing how Word makes security decisions based on untrusted inputs; exploitation is described as requiring a crafted document and **user interaction** (e.g., opening a phishing-delivered file) while avoiding typical prompts such as Protected View or “Enable Content” warnings. Microsoft also addressed an in-the-wild exploited Windows **Desktop Window Manager (dwm.exe)** elevation-of-privilege vulnerability, **CVE-2026-21519** (CVSS 7.8), which can allow a **local** attacker to escalate from a standard user context to **SYSTEM**. The February update review also lists additional exploited issues patched in the same release, including security feature bypasses in **Windows Shell (CVE-2026-21510)** and **Internet Explorer (CVE-2026-21513)**, plus other exploited vulnerabilities (e.g., **Windows Remote Desktop Services EoP CVE-2026-21533**), underscoring that defenders should prioritize rapid deployment of the February fixes across affected Windows and Office estates.