
Multiple security researchers and Microsoft have confirmed that the threat actor APT28 (Fancy Bear / Forest Blizzard) actively exploited a zero‑day vulnerability in the Microsoft MSHTML framework (CVE‑2026‑21513) prior to its fix in the February 2026 Patch Tuesday release. Read the Cybersecurity Threat Advisory now to mitigate your risk.
What is the threat?
CVE‑2026‑21513 is a security feature bypass with a CVSS of 8.8. It resides in the MSHTML framework, which is the legacy Internet Explorer engine still used by Windows components, Office applications, and IE mode in Microsoft Edge.
- It affects MSHTML/ieframe.dll, allowing attackers to circumvent controls meant to restrict untrusted content.
- APT28 exploited the flaw as a zero‑day in targeted campaigns before Microsoft released a fix.
- In real‑world attacks, the bug enables attacker‑controlled code execution when users open malicious documents or access crafted web pages, often reducing or bypassing security warnings.
While not a standalone RCE, the vulnerability enables full endpoint compromise when paired with other techniques and social engineering.
Why is it noteworthy?
- Actively exploited by a nation‑state APT: Microsoft and multiple vendors have attributed in‑the‑wild exploitation of CVE‑2026‑21513 to APT28, a long‑running Russia‑linked espionage group targeting government, defense, critical infrastructure, and policy organizations.
- Deep integration of MSHTML: MSHTML remains widely used by:
  - Microsoft Office (Word, Excel, Outlook preview pane)
  - Internet Explorer mode in Edge
  - Other applications embedding IE/IEFrame components
  This broad use creates extensive exploitation opportunities.
- Bypasses user and system safeguards: A security feature bypass in MSHTML can undermine:
  - Zone‑based security checks
  - Restrictions on active/HTML content
  - User warning prompts
  This makes phishing and document‑based attacks more reliable and stealthier.
- Exploited before a patch existed: Organizations slow to deploy February 2026 patches may still be vulnerable to an APT capability already in circulation.
What is the exposure or risk?
Organizations running unpatched Windows and Office systems are at risk — especially if users routinely:
- Open external email attachments
- Access untrusted websites
- Use Outlook preview panes or IE mode in Edge
Successful exploitation can result in:
- Initial access & command execution
  - Execution of attacker code via malicious documents or URLs
  - Reduced visibility due to bypassed prompts and checks
- Credential theft & lateral movement
  - Theft of Windows/AD credentials and email/session tokens
  - Lateral movement from compromised endpoints
- Data theft & espionage
  - Access to sensitive files, emails, and shares
  - Quiet, long‑term persistence consistent with APT28 tactics
- Operational & reputational impact
  - Disruption from incident response
  - Possible regulatory or legal exposure if sensitive data is accessed
What are the recommendations?
Barracuda strongly recommends taking the following actions to reduce risk from CVE‑2026‑21513:
- Identify Windows and Office/Outlook systems using MSHTML/IE components and confirm February 2026 updates are installed.
- Prioritize and deploy February 2026 cumulative updates across all Windows and Office environments; validate through centralized tools and spot checks.
- Reduce or disable IE mode and legacy IE/ActiveX components; apply hardened baselines for Office, Windows Defender/EDR, and browser/IE mode.
- Harden Office by enforcing Protected View, enabling ASR rules, and blocking risky file types.
- Strengthen email/web filtering to block malicious documents, HTML/HTA content, and risky links.
- Enforce least privilege and MFA for remote, email, VPN, and admin access.
- Monitor for suspicious Office/MSHTML‑spawned processes and review EDR alerts, logs, and network telemetry for anomalies.
- Ingest APT28 and CVE‑2026‑21513 IOCs/TTPs and update IDS/IPS, EDR, and SIEM detection rules.
- If compromise is suspected, isolate affected systems, remove persistence, rebuild from trusted images, rotate credentials, and test backups.
- Implement a rapid patching SLA, assign clear owners for Windows/Office/IE configuration, and continuously scan for unpatched systems while staying subscribed to MSRC and threat intel feeds.
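One way to put the monitoring recommendation above into practice, as an added example that is not Barracuda's code: a small Python detector that reads process-creation records and flags Office or IE host processes spawning script/HTA interpreters, or children handed HTML/HTA files. The pipe-separated Sysmon-style record format, the process-name lists, and the sample events are constructed assumptions, not taken from the advisory.

```python
import re
from dataclasses import dataclass

# Office / legacy-IE host processes that embed MSHTML (assumed list; extend per environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "iexplore.exe"}
# Interpreters and LOLBins that Office rarely has a legitimate reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
                       "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
# Children Office does spawn routinely (printing, crash reporting); tune to reduce noise.
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}
HTML_ARG = re.compile(r"\.(hta|html?|url)\b", re.IGNORECASE)

@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str

def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key: value | Key: value' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")   # split on the first colon only (paths contain ':')
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields.get("Image", ""), fields.get("ParentImage", ""), fields.get("CommandLine", ""))

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcessEvent):
    """Return an alert string for an Office/IE-spawned suspicious child, else None."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return None
    if child in SUSPICIOUS_CHILDREN:
        return f"office-spawned interpreter/LOLBin: {parent} -> {child}"
    if HTML_ARG.search(ev.command_line):
        return f"office-spawned child given HTML/HTA content: {parent} -> {child}"
    return None

def detect(lines):
    return [alert for alert in (classify(parse_event(l)) for l in lines) if alert]

# Constructed sample events: two should alert, two should not.
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\mshta.exe | ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | CommandLine: mshta.exe C:\Users\u\AppData\Local\Temp\brief.hta",
    r"Image: C:\Windows\splwow64.exe | ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | CommandLine: splwow64.exe",
    r"Image: C:\Windows\System32\rundll32.exe | ParentImage: C:\Windows\explorer.exe | CommandLine: rundll32.exe shell32.dll,Control_RunDLL",
    r"Image: C:\Program Files\Internet Explorer\iexplore.exe | ParentImage: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | CommandLine: iexplore.exe file:///C:/Users/u/AppData/Local/Temp/invite.html",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Feed it the same fields from Sysmon Event ID 1 or Security Event ID 4688 exports, and treat the output as triage leads to correlate with the patch status checks listed above.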
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html
- https://securityaffairs.com/188782/security/russia-linked-apt28-exploited-mshtml-zero-day-cve-2026-21513-before-patch.html
- https://www.akamai.com/blog/security-research/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

