Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update
Microsoft’s February 2026 security update addressed 59 vulnerabilities across Windows, Azure, Microsoft Office, and Visual Studio Code, five of them rated Critical. NSFOCUS reported that six of these were already being exploited in the wild: MSHTML Framework Security Feature Bypass (CVE-2026-21513), Windows Shell Security Feature Bypass (CVE-2026-21510), Microsoft Word Security Feature Bypass (CVE-2026-21514), Desktop Window Manager EoP (CVE-2026-21519), Windows Remote Access Connection Manager DoS (CVE-2026-21525), and Windows Remote Desktop Service EoP (CVE-2026-21533).
Akamai attributed active exploitation of CVE-2026-21513 to APT28, reporting the flaw affects all supported Windows versions and enables a security feature bypass leading to arbitrary file execution (CVSS 8.8). Akamai’s root-cause analysis placed the issue in ieframe.dll, in the _AttemptShellExecuteForHlinkNavigate hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking ShellExecuteExW, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as document.doc.LnK.download) to APT28-associated infrastructure and described use of a crafted .lnk that embeds an HTML file and contacts wellnesscaremed[.]com as part of the exploitation chain prior to Microsoft’s February patch release.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
NSFOCUS issues advisory urging prioritization of February exploited CVEs
NSFOCUS CERT published an advisory summarizing Microsoft's February 2026 security updates and highlighted CVE-2026-21513 as one of the in-the-wild exploited vulnerabilities requiring urgent attention. The notice recommended prompt patching and verification of update installation across affected Microsoft products.
Akamai publishes technical analysis attributing CVE-2026-21513 to APT28
Akamai researchers disclosed technical details of CVE-2026-21513 exploitation, including the root cause in ieframe.dll, the use of nested iframes and multiple DOM contexts, and the bypass of Mark of the Web and Internet Explorer Enhanced Security Configuration. The analysis also described use of PatchDiff-AI and correlation with a malicious sample on VirusTotal tied to APT28 infrastructure.
CISA adds six February zero-days to KEV catalog
On 2026-02-11, CISA added the six actively exploited vulnerabilities addressed in Microsoft's February Patch Tuesday updates, including CVE-2026-21513, to its Known Exploited Vulnerabilities catalog. The agency ordered Federal Civilian Executive Branch agencies to remediate the flaws by 2026-03-03.
Microsoft releases February 2026 Patch Tuesday fixes for CVE-2026-21513
On 2026-02-11, Microsoft released its February security updates, patching 59 vulnerabilities across multiple products, including the MSHTML security feature bypass CVE-2026-21513. Microsoft reported CVE-2026-21513 among six vulnerabilities already exploited in the wild and updated hyperlink protocol validation to prevent unsafe execution outside the browser context.
APT28 exploits MSHTML zero-day CVE-2026-21513 in the wild
A zero-day in Microsoft's MSHTML framework, CVE-2026-21513, was exploited before a patch was available. Akamai attributed the activity to the Russian state-sponsored group APT28, which used a crafted .lnk file and infrastructure including wellnesscaremed[.]com to trigger arbitrary file or code execution and bypass browser security boundaries.
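The delivery artifact described above (a shortcut with an embedded HTML file, reaching out to wellnesscaremed[.]com, carried under a decoy name like document.doc.LnK.download) is something a responder can hunt for on endpoints without knowing the exploit internals. The following Python triage script is an added example written for this page; it is not code from Akamai, NSFOCUS or Microsoft and does not reproduce the exploit. The Shell Link header constants are from the public [MS-SHLLINK] specification; the heuristics (HTML markup inside a .lnk, the reported domain, a document extension immediately before .lnk) and the sample bytes are constructed assumptions, not the real sample.

```python
"""Triage Shell Link (.lnk) files for the traits reported in the CVE-2026-21513 campaign.

Added example for this page; not code from Akamai, NSFOCUS or Microsoft. The LNK
header values are from the public [MS-SHLLINK] specification; the detection
heuristics and the sample bytes below are constructed assumptions.
"""
from dataclasses import dataclass, field
from pathlib import Path

# [MS-SHLLINK]: every .lnk starts with HeaderSize = 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}, stored little-endian.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Domain reported above as contacted by the crafted .lnk (defanged in the text).
IOC_DOMAINS = ("wellnesscaremed.com",)

# Markup that has no business inside a shortcut file.
HTML_MARKERS = (b"<html", b"<iframe", b"<script", b"<body")

# Decoy document extensions that may precede ".lnk" in names like document.doc.LnK
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}

MAX_READ = 4 * 1024 * 1024  # assumption: bytes read per file when scanning a tree


@dataclass
class LnkTriage:
    is_lnk: bool
    html_markers: list = field(default_factory=list)
    ioc_hits: list = field(default_factory=list)
    decoy_extension: bool = False

    @property
    def suspicious(self) -> bool:
        # A shortcut with embedded markup, a known IOC, or a decoy name is worth a look.
        return self.is_lnk and bool(self.html_markers or self.ioc_hits or self.decoy_extension)


def find_markers(data: bytes, markers) -> list:
    """Return the markers present as ASCII or UTF-16LE (LNK strings are often UTF-16)."""
    lowered = data.lower()  # bytes.lower() folds ASCII only, which is what we want
    hits = []
    for m in markers:
        if m in lowered or m.decode("ascii").encode("utf-16-le") in lowered:
            hits.append(m.decode("ascii"))
    return hits


def has_decoy_extension(name: str) -> bool:
    """True for names such as document.doc.lnk (optionally with a .download suffix)."""
    parts = name.lower().split(".")
    if len(parts) > 1 and parts[-1] == "download":  # browser partial-download suffix
        parts = parts[:-1]
    return len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DECOY_EXTS


def triage_lnk(name: str, data: bytes) -> LnkTriage:
    """Classify one file by name and content."""
    result = LnkTriage(is_lnk=data.startswith(LNK_MAGIC))
    if not result.is_lnk:
        return result
    result.html_markers = find_markers(data, HTML_MARKERS)
    result.ioc_hits = find_markers(data, tuple(d.encode("ascii") for d in IOC_DOMAINS))
    result.decoy_extension = has_decoy_extension(name)
    return result


def scan_directory(root: str) -> list:
    """Walk a tree (e.g. a Downloads folder) and return (path, LnkTriage) for suspicious files."""
    flagged = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                verdict = triage_lnk(path.name, fh.read(MAX_READ))
            if verdict.suspicious:
                flagged.append((str(path), verdict))
    return flagged


# Constructed sample: a fake shortcut header followed by embedded HTML and the IOC.
# This is NOT the real sample; it only exercises the checks above.
SAMPLE_LNK = (
    LNK_MAGIC
    + b"\x00" * 56  # remainder of the 76-byte ShellLinkHeader, zeroed
    + b"<html><iframe src='http://wellnesscaremed.com/x'></iframe></html>"
)
SAMPLE_NAME = "document.doc.LnK.download"

if __name__ == "__main__":
    verdict = triage_lnk(SAMPLE_NAME, SAMPLE_LNK)
    print(SAMPLE_NAME, "suspicious" if verdict.suspicious else "clean", verdict)
```

Run scan_directory against user download and temp directories; a hit on the domain alone is a strong indicator, while embedded markup or a decoy name only warrants manual review, since legitimate shortcuts never carry HTML but attackers can also change domains and file names between waves. Checking the Zone.Identifier alternate data stream on flagged files is a useful next step, given that the reporting describes a Mark of the Web bypass.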
Sources
NSFOCUS: Microsoft’s February Security Update of High-Risk Vulnerability Notice for Multiple Products (nsfocusglobal.com)
Cyber Security News: MSHTML Framework 0-Day Exploited by APT28 Hackers Before Feb 2026’s Patch Tuesday Update (cybersecuritynews.com)
The Hacker News: Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days (thehackernews.com)