APT28 Exploited CVE-2026-21513 MSHTML Zero-Day Before February 2026 Patch Tuesday

The Russia-linked state-sponsored threat actor APT28 (Fancy Bear) exploited CVE-2026-21513, a high-severity MSHTML Framework security feature bypass (CVSS 8.8), as a zero-day in real-world attacks before Microsoft patched it in the February 2026 Patch Tuesday release, according to new research from Akamai. The vulnerability allows an unauthorized network attacker to bypass a security feature in the MSHTML Framework (the rendering engine underlying Internet Explorer and legacy WebView components in Windows) and was reported jointly by Microsoft Threat Intelligence Center, Google Threat Intelligence Group, and Akamai. APT28's involvement marks this as a nation-state targeted attack vector; organizations running Windows should already have patched it via the February 2026 cumulative update.

Key Takeaways

  • CVE-2026-21513 (CVSS 8.8): MSHTML Framework security feature bypass, patched in the February 2026 Patch Tuesday release and confirmed exploited as a zero-day by APT28 (Russia GRU) before the patch was released
  • The Microsoft advisory credits MSTIC, MSRC, Google Threat Intelligence Group (GTIG), and Akamai for discovery; the attack vector is network-accessible and requires no authentication
  • Organizations should verify that the February 2026 Windows cumulative updates are applied; the MSHTML bypass can be chained with other exploits for code execution in targeted spear-phishing campaigns

Original source: The Hacker News / Akamai