A security vulnerability in Microsoft Windows, tracked as CVE-2026-21513, may have been actively exploited by the Russia-linked cyber espionage group APT28 before Microsoft released an official fix. This information comes from new research published by Akamai, a major web infrastructure and cybersecurity firm.
The flaw affects the MSHTML Framework, a core Windows component used to render HTML content. Microsoft addressed the issue in its February 2026 Patch Tuesday security updates. However, evidence suggests attackers were already using the vulnerability as a zero-day, meaning it was exploited before a patch was available.
CVE-2026-21513 has a CVSS score of 8.8, placing it in the high-severity category. According to Microsoft, the issue is a security feature bypass caused by a protection mechanism failure in the MSHTML Framework.
Microsoft explained that the vulnerability allows an unauthorized attacker to bypass built-in security protections over a network. In simple terms, the flaw makes it possible for malicious content to run in a less restricted security environment than intended.
The vulnerability was officially reported by several teams, including the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), the Office Product Group Security Team, and the Google Threat Intelligence Group. Microsoft also confirmed that the issue was actively exploited in real-world attacks.
In a typical attack scenario, a threat actor tricks a victim into opening a malicious HTML file or Windows shortcut (LNK) file. These files may be delivered through phishing emails, fake links, or malicious attachments.
Once the victim opens the file, it abuses how Windows and the browser handle HTML content. Instead of staying inside a secure browser sandbox, the content is executed directly by the operating system. This allows attackers to bypass important protections and potentially run malicious code on the system.
At the heart of the vulnerability is a Windows library called ieframe.dll, which controls how hyperlinks are processed. Akamai researchers found that this component does not properly validate target URLs. As a result, attacker-controlled input can reach dangerous code paths that call a Windows function known as ShellExecuteExW.
This behavior allows local or remote resources to run outside the browser’s normal security boundaries, significantly increasing the risk to users.
Although Microsoft did not publicly name the attackers, Akamai uncovered strong indicators linking the exploitation to APT28, a well-known state-sponsored hacking group associated with Russian intelligence.
Akamai identified a malicious file uploaded to VirusTotal on January 30, 2026. The file was tied to infrastructure that has previously been linked to APT28 operations.
The same malware sample was also flagged earlier by CERT-UA, Ukraine’s national computer emergency response team. CERT-UA had associated the artifact with APT28 activity exploiting a different Microsoft Office vulnerability, CVE-2026-21509, which has a CVSS score of 7.8.
This overlap suggests a coordinated campaign using multiple vulnerabilities to gain access to targeted systems.
According to Akamai security researcher Maor Dahan, the attack uses a specially crafted Windows shortcut (LNK) file. The LNK file contains an embedded HTML file placed directly after the standard shortcut structure.
When opened, the shortcut connects to a malicious domain, wellnesscaremed[.]com, which Akamai attributes to APT28. This domain has been heavily used in the group’s multi-stage attack campaigns.
The embedded HTML relies on nested iframes and multiple DOM contexts to confuse trust boundaries within Windows. This technique allows the attacker to downgrade the security context and bypass multiple defenses.
One of the most concerning aspects of CVE-2026-21513 is its ability to bypass key Windows protections, including:
Mark-of-the-Web (MotW) – a security feature that warns users about files downloaded from the internet
Internet Explorer Enhanced Security Configuration (IE ESC) – designed to reduce attack surface in enterprise environments
By bypassing these protections, attackers can execute malicious code outside the browser sandbox, making detection and prevention much harder.
Akamai warned that while the observed attacks used malicious LNK files, the vulnerable code path exists in any application or component that embeds MSHTML. This means attackers are not limited to shortcut files alone.
Other delivery methods, such as embedded HTML in documents or applications, could also be used to exploit the flaw. As a result, organizations should expect additional attack techniques beyond phishing with LNK files.
All users and enterprises should ensure that the February 2026 Microsoft security updates are installed as soon as possible. Systems that remain unpatched are at high risk, especially in targeted espionage or government-related environments.
Security teams should also monitor for suspicious LNK files, unexpected HTML execution, and outbound connections to known malicious domains associated with APT28.
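One way to act on that monitoring advice, written as an added example (not Akamai's tooling or code from the original article): a small Python check that walks the public MS-SHLLINK structure of an LNK file and reports any bytes appended after it, the placement described above for the embedded HTML. The sample link it inspects is constructed inline, and the marker list and helper names are assumptions of this example.

```python
import struct
import uuid

# MS-SHLLINK constants (from the public file-format specification)
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_FLAGS = (1 << 2, 1 << 3, 1 << 4, 1 << 5, 1 << 6)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
HTML_MARKERS = (b"<!doctype html", b"<html", b"<iframe", b"<script")  # assumed heuristic markers

def lnk_overlay(data: bytes) -> bytes:
    """Walk the shell link structure and return whatever trails it (empty if nothing)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                  # LinkTargetIDList: 2-byte IDListSize + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfo: 4-byte LinkInfoSize that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_FLAGS:                 # StringData: 2-byte CountCharacters + characters
        if flags & bit:
            pos += 2 + width * struct.unpack_from("<H", data, pos)[0]
    while True:                              # ExtraData: blocks until a BlockSize < 4 (TerminalBlock)
        if pos + 4 > len(data):
            raise ValueError("truncated shell link")
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            break
    return data[pos:]

def flag_embedded_html(data: bytes) -> dict:
    """Report overlay size and whether the overlay looks like HTML."""
    overlay = lnk_overlay(data)
    return {"overlay_bytes": len(overlay),
            "html_in_overlay": any(m in overlay.lower() for m in HTML_MARKERS)}

def build_sample_lnk(overlay: bytes = b"") -> bytes:
    """Constructed minimal benign shell link (not a real sample), with optional trailing bytes."""
    flags = (1 << 3) | IS_UNICODE             # HasRelativePath | IsUnicode
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags) + bytes(0x4C - 24)
    rel = ".\\notes.txt".encode("utf-16-le")
    string_data = struct.pack("<H", len(rel) // 2) + rel
    return header + string_data + struct.pack("<I", 0) + overlay   # TerminalBlock, then overlay
```

Run it over quarantined LNK attachments from mail or web proxies; a non-empty overlay alone is worth triage, and HTML markers in it match the pattern reported here.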
CVE-2026-21513 highlights how advanced threat actors like APT28 continue to exploit deep, trusted components of the Windows operating system. By abusing MSHTML and shortcut handling, attackers can bypass multiple layers of defense with a single exploit.
This case reinforces the importance of timely patching, strong email security, and continuous threat monitoring. As attackers evolve their techniques, defenders must stay equally vigilant to protect critical systems and sensitive data.