Russia-Linked APT28 Exploited MSHTML Zero-Day Before Patch in High-Severity Bypass Flaw

In a concerning revelation, cybersecurity researchers at Akamai have discovered that Russia-linked APT28 exploited a previously unknown zero-day vulnerability in Microsoft's MSHTML (Internet Explorer Engine) component before the patch was released. The high-severity bypass flaw, identified as CVE-2026-21513, has been attributed to an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file.

The vulnerability, which received a CVSS score of 8.8, is a critical finding in the world of cybersecurity, as it allows attackers to bypass protections and potentially execute code. Microsoft has confirmed that CVE-2026-21513 was exploited in real-world zero-day attacks, crediting various security teams and researchers for reporting the issue.

Akamai's researchers used advanced tools like PatchDiff-AI to analyze the root cause of the issue and traced the vulnerability to hyperlink navigation logic in ieframe.dll. They found that poor URL validation allows attackers to reach ShellExecuteExW, enabling code execution outside the browser sandbox. The researchers reproduced the flaw using MSHTML components and identified an exploit sample linked to APT28's infrastructure.

The payload used in the attack leverages a specially crafted Windows Shortcut (.lnk) that embeds an HTML file directly after the standard LNK structure. When executed, it connects to wellnesscaremed[.]com, a domain attributed to APT28 and widely used in their multistage campaigns. The exploit relies on nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC).

The attack vector used by APT28 is particularly noteworthy, as it highlights the importance of robust URL validation and protection against HTML-based attacks. According to Akamai's report, "while the observed campaign leverages malicious .LNK files, the vulnerable code path can be triggered through any component embedding MSHTML." This suggests that additional delivery mechanisms beyond LNK-based phishing should be expected.

Microsoft addressed the issue by tightening hyperlink protocol validation to prevent file://, http://, and https:// links from reaching ShellExecuteExW. As with all high-severity vulnerabilities, it is essential for organizations to prioritize patching and keeping their systems up-to-date to prevent exploitation.

The incident serves as a reminder of the ongoing threat landscape in cybersecurity and the importance of staying vigilant. By understanding how attackers exploit vulnerabilities like CVE-2026-21513, we can better prepare our defenses against future attacks.

In conclusion, the discovery of CVE-2026-21513 highlights the critical need for robust security measures and timely patching. As hackers continue to evolve their tactics, it is essential for organizations and individuals to stay informed about emerging vulnerabilities and take proactive steps to protect themselves.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon for more cybersecurity insights and updates.