Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update
Microsoft’s February 2026 security update addressed 59 vulnerabilities across Windows, Azure, Microsoft Office, and Visual Studio Code, including 5 Critical issues. NSFOCUS reported that six vulnerabilities were already being exploited in the wild, including MSHTML Framework Security Feature Bypass (CVE-2026-21513), Windows Shell Security Feature Bypass (CVE-2026-21510), Microsoft Word Security Feature Bypass (CVE-2026-21514), Desktop Window Manager EoP (CVE-2026-21519), Windows Remote Access Connection Manager DoS (CVE-2026-21525), and Windows Remote Desktop Service EoP (CVE-2026-21533).
Akamai attributed active exploitation of CVE-2026-21513 to APT28, reporting the flaw affects all supported Windows versions and enables a security feature bypass leading to arbitrary file execution (CVSS 8.8). Akamai’s root-cause analysis placed the issue in ieframe.dll, in the _AttemptShellExecuteForHlinkNavigate hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking ShellExecuteExW, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as document.doc.LnK.download) to APT28-associated infrastructure and described use of a crafted .lnk that embeds an HTML file and contacts wellnesscaremed[.]com as part of the exploitation chain prior to Microsoft’s February patch release.
Related Entities
Threat Actors
Organizations
Sources
Related Stories
APT28 Exploitation of MSHTML Zero-Day CVE-2026-21513 via Malicious HTML/LNK Files
Akamai reported that **Russia-linked APT28** likely exploited **CVE-2026-21513** (CVSS **8.8**), a high-severity **MSHTML** security feature bypass, prior to Microsoft’s fix in the **February 2026 Patch Tuesday** release. Microsoft confirmed the vulnerability was exploited as a **zero-day** in real-world attacks and credited **MSTIC**, **MSRC**, the **Office Product Group Security Team**, and **Google Threat Intelligence Group (GTIG)** for reporting it. The issue is described as an Internet Explorer/MSHTML security control bypass that can be triggered when a victim opens a **malicious HTML page** or **LNK (shortcut) file**, potentially enabling code execution by causing content to be handled by Windows shell mechanisms. Technical analysis from Akamai tied the root cause to hyperlink navigation logic in `ieframe.dll`, where insufficient URL validation can allow attacker-controlled input to reach `ShellExecuteExW`, enabling execution outside the browser sandbox. Akamai identified an exploit-related artifact (described as `document.doc.LnK.download`) uploaded to VirusTotal on **January 30, 2026**, and associated it with infrastructure linked to **APT28**; reporting also noted the sample had been flagged by **CERT-UA** in the context of APT28 activity. Overall, the reporting indicates active pre-patch exploitation and reinforces the need to prioritize patching and to monitor for delivery vectors involving HTML and LNK attachments/links consistent with APT28 tradecraft.
1 weeks ago
Actively Exploited Microsoft MSHTML Framework Zero-Day (CVE-2026-21513)
Microsoft issued an urgent fix for an actively exploited **MSHTML (Trident) security feature bypass** tracked as **CVE-2026-21513** (CVSS **8.8**), which allows attackers to circumvent Windows security prompts and protections without requiring elevated privileges. Reported exploitation relies on **social engineering** to get a user to open specially crafted content—such as malicious HTML or shortcut (`.lnk`) files—delivered via email attachments, links, or downloads; the weakness is described as a **protection mechanism failure** (CWE-693) in how Windows Shell and MSHTML handle embedded content and validation. CISA added **CVE-2026-21513** to the **Known Exploited Vulnerabilities (KEV)** catalog with required action to apply vendor mitigations/patches per Microsoft guidance and a remediation due date of **2026-03-03**, reinforcing that exploitation is occurring and prioritization is warranted. Separate reporting also described other Microsoft zero-days patched in the same timeframe—**Microsoft Word OLE mitigation bypass** (**CVE-2026-21514**) and a **Windows Desktop Window Manager (dwm.exe) privilege escalation** (**CVE-2026-21519**)—but those are distinct vulnerabilities and not part of the MSHTML-specific KEV entry.
1 months ago
Actively exploited Microsoft zero-days patched in February security updates
Microsoft disclosed and patched multiple **actively exploited** vulnerabilities as part of its February security updates, including a Microsoft Word security feature bypass tracked as **CVE-2026-21514**. The Word flaw (CVSS 7.8; CWE-807) allows attackers to bypass **Object Linking and Embedding (OLE)**-related mitigations by abusing how Word makes security decisions based on untrusted inputs; exploitation is described as requiring a crafted document and **user interaction** (e.g., opening a phishing-delivered file) while avoiding typical prompts such as Protected View or “Enable Content” warnings. Microsoft also addressed an in-the-wild exploited Windows **Desktop Window Manager (dwm.exe)** elevation-of-privilege vulnerability, **CVE-2026-21519** (CVSS 7.8), which can allow a **local** attacker to escalate from a standard user context to **SYSTEM**. The February update review also lists additional exploited issues patched in the same release, including security feature bypasses in **Windows Shell (CVE-2026-21510)** and **Internet Explorer (CVE-2026-21513)**, plus other exploited vulnerabilities (e.g., **Windows Remote Desktop Services EoP CVE-2026-21533**), underscoring that defenders should prioritize rapid deployment of the February fixes across affected Windows and Office estates.
1 months ago