A recently patched high-severity MSHTML vulnerability (CVE-2026-21513) may have been exploited by the Russia-linked threat actor APT28, according to Akamai's findings. The flaw allows crafted HTML or LNK files to bypass browser protections and invoke ShellExecuteExW to execute code outside the browser sandbox, with artifacts tied to the wellnesscaremed[.]com infrastructure. #APT28 #CVE-2026-21513
Keypoints
- Akamai attributes observed exploitation of CVE-2026-21513 to the Russia-linked actor APT28.
- The vulnerability is a high-severity MSHTML security feature bypass rooted in ieframe.dll and insufficient URL validation.
- Attackers weaponize crafted HTML or LNK files to manipulate browser and Windows Shell handling and reach ShellExecuteExW for code execution.
- The technique can bypass Mark-of-the-Web and IE Enhanced Security Configuration, enabling execution outside the browser sandbox and may be delivered via other MSHTML-embedding components.
- Microsoft patched the flaw in February 2026, and Akamai found a VirusTotal sample linked to wellnesscaremed[.]com; CERT-UA had previously flagged related APT28 activity exploiting CVE-2026-21509.
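Because the technique is described as stripping the protection that Mark-of-the-Web gives downloaded HTML and LNK files, a first triage step on a suspect host is to look at those artifacts directly. The PowerShell below is an added example written for this summary, not code from Akamai or from the article: it lists recently modified .html/.htm/.lnk files in the user's Downloads and Temp folders (assumed drop locations), reads each file's Zone.Identifier stream, resolves LNK targets through the WScript.Shell COM object, and flags entries that either lack MotW or reference the only indicator the summary provides, wellnesscaremed[.]com (refanged for matching). A missing stream is not proof of exploitation, and the script does not check patch state because the summary does not name the update.

```powershell
# Added triage example (not from Akamai or the article).
# Assumptions: Downloads and %TEMP% are the drop locations of interest,
# and wellnesscaremed[.]com (refanged below) is the only IOC to match on.

$IocDomain    = 'wellnesscaremed.com'
$LookbackDays = 30
$Roots        = @("$env:USERPROFILE\Downloads", "$env:TEMP")

$wsh = New-Object -ComObject WScript.Shell

$results = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -Path $root -Recurse -File -Include *.html,*.htm,*.lnk -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$LookbackDays) } |
      ForEach-Object {
        $file = $_

        # Zone.Identifier is the NTFS alternate data stream that carries
        # Mark-of-the-Web. ZoneId=3 means "Internet"; a downloaded file with
        # no stream at all has lost (or never received) MotW.
        $zone = $null; $referrer = $null; $hostUrl = $null
        try {
            $ads      = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
            $zone     = ($ads | Where-Object { $_ -like 'ZoneId=*' })      -replace '^ZoneId=', ''
            $referrer = ($ads | Where-Object { $_ -like 'ReferrerUrl=*' }) -replace '^ReferrerUrl=', ''
            $hostUrl  = ($ads | Where-Object { $_ -like 'HostUrl=*' })     -replace '^HostUrl=', ''
        } catch { }

        # For shortcuts, record what the LNK would launch and with what arguments.
        $target = $null; $lnkArgs = $null
        if ($file.Extension -ieq '.lnk') {
            try {
                $sc      = $wsh.CreateShortcut($file.FullName)
                $target  = $sc.TargetPath
                $lnkArgs = $sc.Arguments
            } catch { }
        }

        $haystack = (@($referrer, $hostUrl, $target, $lnkArgs) -join ' ')
        $iocHit   = $haystack -match [regex]::Escape($IocDomain)

        [pscustomobject]@{
            Path        = $file.FullName
            Modified    = $file.LastWriteTime
            ZoneId      = $zone
            HostUrl     = $hostUrl
            LnkTarget   = $target
            LnkArgs     = $lnkArgs
            MissingMotW = ($null -eq $zone)
            IocMatch    = $iocHit
        }
      }
}

# IOC matches first, then files with no MotW, so the rows worth a second look lead.
$results | Sort-Object IocMatch, MissingMotW -Descending | Format-Table -AutoSize
```

Run it in the context of the user whose profile is being examined; files already quarantined or deleted by AV will not appear, so pair the output with browser download history and the host's EDR telemetry for ShellExecuteExW-driven child processes of the browser.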
Read More: https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html