Zero-day alert: APT28 exploits CVE-2026-21513 in MSHTML to escape the sandbox, and a February 2026 patch is already available


In its February 2026 update, Microsoft fixed a serious vulnerability in the MSHTML engine that was already being exploited in real environments, and the evidence points to the possible involvement of APT28, the Russian state-sponsored group known for sophisticated operations against political and military targets. The issue, tracked as CVE-2026-21513 (CVSS 8.8), is not a simple local bug: it allows malicious content to escape the browser's secure context and be executed by the operating system.

In its advisory, Microsoft described the vulnerability as a failure of the protection mechanisms in the MSHTML framework that could be exploited through manipulation of hyperlink navigation. The vendor also confirmed that the flaw had been exploited as a zero-day in real attacks and credited several intelligence and response teams, including MSTIC and GTIG. The fix guidance is available on Microsoft's official page: msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513.

Image generated with AI.

Technical analyses published by security firms show that the bug lies in the module responsible for processing link navigation (ieframe.dll). Because of insufficient validation of the target URL, attacker-controlled input can reach code paths that invoke the system API responsible for launching resources outside the browser, specifically ShellExecuteExW. That call can run local or remote resources with the privileges of the user's context, nullifying the barriers the browser sandbox normally imposes.

The tactic observed in the campaign linked to APT28 was both ingenious and relatively simple: the attackers crafted Windows shortcut (.LNK) files that embed an HTML file immediately after the standard LNK structure. When the shortcut is opened, the handling behaviour of the Windows shell and browser forces the embedded content to be processed, and through nested iframes and the abuse of multiple DOM contexts, trusted zones end up mixed with attacker-controlled content. The result is a context escape that allows code to run outside the browser.

Akamai, which has published a comprehensive analysis of the technique, also identified a malicious artifact uploaded to VirusTotal on January 30, 2026 that is linked to infrastructure attributed to APT28. This pattern fits the actor's earlier campaigns and the domains used across multiple stages of infection; for example, the domain wellnesscaremed[.]com has been reported in this operation. The Akamai report provides the technical details and can be read here: Akamai - Inside the fix: CVE-2026-21513; the identified artifact appears in VirusTotal at this link: VirusTotal (sample).

Beyond technical curiosity, there are two reasons this flaw alarmed security teams. First, it can bypass security markers such as the Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), which degrades the trust context Windows applies to files downloaded or opened from the network. Second, the vulnerability can be triggered from any component that integrates MSHTML, not only from those LNK shortcuts, so delivery vectors are varied and could include embedded content, other components that use MSHTML, or web pages. To understand why MotW matters in these scenarios, a good explanatory resource is this article on the subject: Red Canary - Mark-of-the-Web bypass, and information on Internet Explorer's enhanced configuration is found in Microsoft's documentation: IE ESC - Microsoft Docs.

Translated into concrete recommendations, the first and most urgent is to install the official patches: applying the February 2026 update to affected Windows systems closes the known exploitation window and is the most effective step to mitigate the risk. Microsoft published the fix and its technical details in its vulnerability response center, so IT teams should prioritize this update: Microsoft Guide to CVE-2026-21513.

Image generated with AI.

In parallel, operational and detection defences should be adjusted. It is appropriate to restrict the automatic opening of shortcut (.LNK) files, to treat HTML files received by email or downloaded with caution, to tighten mail and download filtering rules, and to monitor connections to the suspicious domains that have appeared in the campaign. For response teams, reviewing telemetry related to ShellExecuteExW calls, processes that launch browsers from unusual contexts, and chained payloads can help detect compromises. It is also advisable to check EDR/AV solutions for detection of similar samples and to validate the presence of indicators of compromise published in public reports.
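As an added illustration of the shortcut polyglot described above and of the triage the previous paragraph recommends, the following Python script (written for this edit; it is not code from the article, from Akamai or from Microsoft) checks whether a file begins with the 76-byte ShellLinkHeader of the MS-SHLLINK format and then looks for HTML markup appended after it, flagging the domain reported in the campaign when it appears in the appended part. The sample shortcut bytes are constructed inline, the HTML marker list and the header-only check are assumptions of this heuristic, and the script deliberately does not parse the full LNK structure (target ID list, link info, string data, extra data).

```python
"""Heuristic triage of Windows shortcut (.LNK) files that carry appended HTML.

Added example for this article; not the article's, Akamai's or Microsoft's code.
Assumption: an HTML document appended after the shortcut structure is the
polyglot pattern the article describes. Only the fixed-size ShellLinkHeader is
validated; everything after offset 0x4C is scanned for HTML markers.
"""
import re
import struct
from pathlib import Path
from typing import Optional

LNK_HEADER_SIZE = 0x4C  # ShellLinkHeader.HeaderSize is always 0x0000004C (MS-SHLLINK)
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Markers that should never appear after a shortcut's structure (heuristic, assumed).
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<iframe|<script|<body", re.IGNORECASE)

# Domain reported in the article, stored defanged; refanged only for matching.
REPORTED_DOMAINS = ["wellnesscaremed[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".")


def is_lnk(data: bytes) -> bool:
    """True if the data starts with a well-formed ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_appended_html(data: bytes) -> Optional[int]:
    """Offset of the first HTML marker after the header, or None if absent."""
    match = HTML_MARKERS.search(data, LNK_HEADER_SIZE)
    return match.start() if match else None


def triage_lnk(data: bytes) -> dict:
    """Classify a shortcut blob: is it an LNK, does it carry HTML, which IOCs appear."""
    result = {"is_lnk": is_lnk(data), "html_offset": None, "domains": [], "suspicious": False}
    if not result["is_lnk"]:
        return result
    offset = find_appended_html(data)
    result["html_offset"] = offset
    if offset is not None:
        result["suspicious"] = True
        tail = data[offset:].lower()
        result["domains"] = [d for d in REPORTED_DOMAINS if refang(d).encode() in tail]
    return result


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk (e.g. from a mail quarantine)."""
    return triage_lnk(Path(path).read_bytes())


def _minimal_header() -> bytes:
    # HeaderSize + LinkCLSID, zero-padded to the fixed 76 bytes; flags left clear.
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header))


def build_constructed_sample() -> bytes:
    """Constructed polyglot: a bare header followed by an HTML document (not a real sample)."""
    html = b'<html><body><iframe src="https://wellnesscaremed.com/x"></iframe></body></html>'
    return _minimal_header() + html


def build_benign_sample() -> bytes:
    """Constructed benign-looking shortcut: header followed by zeroed structure bytes."""
    return _minimal_header() + b"\x00" * 32


if __name__ == "__main__":
    for name, blob in (("constructed-polyglot.lnk", build_constructed_sample()),
                       ("benign.lnk", build_benign_sample())):
        print(name, triage_lnk(blob))
```

This is a triage aid for quarantined attachments, not a replacement for the patch: a legitimate shortcut whose string data happens to contain text such as `<html` will also be flagged, so hits should be reviewed against the indicators in the Akamai and Microsoft reports rather than acted on blindly.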

Finally, it should be remembered that APT28 is not a new actor and that its modus operandi has often included spear-phishing campaigns and exploitation of flaws in widely deployed products. To put into context who this group is and why its involvement increases the risk, the actor's profile can be found in the MITRE ATT&CK knowledge base: MITRE ATT&CK - APT28. Collaboration between response teams and intelligence companies was key to identifying and fixing the flaw before it spread, but the existence of linked samples and domains makes it clear that the threat was active and that patch management and good digital hygiene practices remain the most reliable defense.

If you manage Windows systems, prioritize the update, educate users not to open suspicious links or files, and coordinate with your security team a search for signs that someone may have tried to exploit this vulnerability in your environment.
