thehackernews.com 3/2/2026, 11:39:46 AM · via preferred

MSHTML CVE-2026-21513 exploited by APT28; patch issued

CyberSIXT Evidence Panel
Primary Source: msrc.microsoft.com
CISA KEV: Listed in KEV
Patch: Patch Available
Threat Actor

A recently disclosed vulnerability, CVE-2026-21513, a high-severity security feature bypass in the MSHTML Framework (CVSS 8.8), was fixed by Microsoft in the February 2026 Patch Tuesday update after being exploited as a zero-day in real-world attacks. According to Akamai, the vulnerability was weaponised by the Russia-linked state-sponsored threat actor known as APT28; a malicious artifact uploaded to VirusTotal on 30 January 2026 was linked to infrastructure associated with the group.

The exploit involves a specially crafted Windows Shortcut (LNK) file that embeds an HTML file. It can be triggered by opening a malicious HTML file or a link delivered via email, and it enables code execution outside the browser sandbox while bypassing several security controls. Akamai notes that the approach uses nested iframes and multiple DOM contexts to manipulate trust boundaries; the domain wellnesscaremed[.]com is attributed to APT28 and used in multistage payloads.
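A defender-side triage sketch for the artifact type described above (a shortcut file carrying embedded HTML with iframes), added here as an example and not taken from Akamai, Microsoft or the article. The header constants come from the MS-SHLLINK format; the marker list, the function names and the sample bytes are assumptions constructed for illustration, not a signature for this exploit.

```python
import struct

# ShellLinkHeader per MS-SHLLINK: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Heuristic markers chosen for this example (assumption, not a vendor rule).
MARKERS = (b"<html", b"<iframe", b"<script")


def is_shell_link(data: bytes) -> bool:
    """True when data begins with a well-formed ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    (size,) = struct.unpack_from("<I", data, 0)
    return size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def count_markers(data: bytes) -> dict:
    """Count HTML markers, case-insensitively, in ASCII and UTF-16LE form."""
    lowered = data.lower()  # bytes.lower() only touches ASCII letters
    counts = {}
    for marker in MARKERS:
        wide = marker.decode("ascii").encode("utf-16-le")
        hits = lowered.count(marker) + lowered.count(wide)
        if hits:
            counts[marker.decode("ascii")] = hits
    return counts


def triage_lnk(data: bytes) -> dict:
    """Flag shortcut files whose body carries HTML content."""
    if not is_shell_link(data):
        return {"is_lnk": False, "markers": {}, "suspicious": False,
                "nested_iframes": False}
    markers = count_markers(data[LNK_HEADER_SIZE:])
    return {"is_lnk": True, "markers": markers, "suspicious": bool(markers),
            "nested_iframes": markers.get("<iframe", 0) >= 2}


def build_sample(payload: bytes) -> bytes:
    """Constructed test input: zeroed 76-byte header plus an arbitrary body."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + payload


if __name__ == "__main__":
    body = b"<HTML><iframe src=a><IFRAME src=b></iframe></iframe></html>"
    print(triage_lnk(build_sample(body)))
```

A hit only means the shortcut deserves a closer look in a sandbox or by an analyst; legitimate shortcuts do not normally contain HTML markup, but this check does not identify CVE-2026-21513 specifically.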

The report also highlights that the handling of hyperlink navigation in MSHTML's ieframe.dll, combined with insufficient URL validation, allows input to reach code paths that execute via ShellExecuteExW, potentially compromising the system. CERT-UA had flagged related activity earlier in connection with APT28 exploits targeting another Microsoft Office flaw (CVE-2026-21509).


Article by CyberSIXT
