
APT28 Exploited MSHTML 0-Day Before Microsoft Patch

  • Mar 2
  • 1 min read

Key Findings:


  • Russia-linked APT28 reportedly exploited MSHTML zero-day CVE-2026-21513 (CVSS 8.8) before Microsoft patched it in February 2026

  • The vulnerability is an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file

  • Akamai researchers found a malicious sample uploaded to VirusTotal in January 2026 tied to infrastructure linked to APT28

  • The exploit relies on nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC)


Background


Akamai found that the root cause of CVE-2026-21513 lies in the hyperlink navigation logic in ieframe.dll, where poor URL validation allows attacker input to reach ShellExecuteExW, enabling code execution outside the browser sandbox.


The payload uses a specially crafted Windows Shortcut (.lnk) that embeds an HTML file directly after the standard LNK structure. When executed, it connects to a domain attributed to APT28 and widely used in the campaign's multistage activity.
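A triage check for the delivery artifact described above, added here as an example and not code from Akamai or from the original post: it validates the fixed MS-SHLLINK header (HeaderSize 0x4C plus the Shell Link CLSID) and then looks for HTML markup appended after the link structures, counting iframes in that tail. The fixture bytes are constructed for the test; the marker list and the "no HTML belongs in a shortcut" rule are this example's own assumptions.

```python
import struct

# MS-SHLLINK fixed header: HeaderSize (0x4C) followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in on-disk (little-endian GUID) byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Markup that has no business inside a shortcut file; matched case-insensitively.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<body", b"<iframe", b"<script")


def is_lnk(data: bytes) -> bool:
    """True if the first 0x4C bytes look like a valid Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_embedded_html(data: bytes):
    """Return (offset, marker) of the earliest HTML marker after the header, else None."""
    low = data.lower()
    hits = [(low.find(m, LNK_HEADER_SIZE), m) for m in HTML_MARKERS]
    hits = [(off, m) for off, m in hits if off != -1]
    return min(hits) if hits else None


def triage_lnk(data: bytes) -> dict:
    """Flag a shortcut that carries trailing HTML, and count iframes in that tail."""
    result = {"is_lnk": is_lnk(data), "suspicious": False, "html_offset": None, "iframes": 0}
    if not result["is_lnk"]:
        return result
    hit = find_embedded_html(data)
    if hit is None:
        return result
    offset, _ = hit
    result["html_offset"] = offset
    result["iframes"] = data.lower().count(b"<iframe", offset)
    result["suspicious"] = True
    return result


# Constructed fixture (not a real sample): a minimal LNK header padded with zeros,
# then an HTML document with two nested iframes appended after the link structures.
SAMPLE_LNK = (
    struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    + b"\x00" * 32
    + b"<html><body><iframe src='about:blank'><iframe src='about:blank'></iframe></iframe></body></html>"
)
CLEAN_LNK = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * 64

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
    print(triage_lnk(CLEAN_LNK))
```

Run it over a directory of .lnk attachments from mail quarantine to surface shortcuts with trailing HTML for analyst review.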


Exploitation


The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). By downgrading the security context, it triggers the vulnerable navigation flow, allowing attacker-controlled content to invoke ShellExecuteExW and execute code outside the browser sandbox.


Impact


While the observed campaign leverages malicious .LNK files, the vulnerable code path can be triggered through any component embedding MSHTML. Therefore, Akamai warns that additional delivery mechanisms beyond LNK-based phishing should be expected.


Mitigation


Microsoft addressed the issue by tightening hyperlink protocol validation to prevent file://, http://, and https:// links from reaching ShellExecuteExW.


Sources


  • https://securityaffairs.com/188782/security/russia-linked-apt28-exploited-mshtml-zero-day-cve-2026-21513-before-patch.html

  • https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html

  • https://x.com/securityaffairs/status/2028601543058915565

  • https://www.linkedin.com/posts/pierluigipaganini_russia-linked-apt28-exploited-mshtml-zero-day-activity-7434248152964067328-264z

  • https://www.cypro.se/2026/03/02/apt28-tied-to-cve-2026-21513-mshtml-0-day-exploited-before-feb-2026-patch-tuesday/

  • https://www.instagram.com/p/DVYiyW1Enw7/

© 2025 by Explain IT Again. Powered and secured by Wix