A high-severity MSHTML vulnerability, tracked as CVE-2026-21513, was exploited by Russia-linked APT28 before Microsoft released a patch in February 2026. This zero-day flaw, which carries a CVSS score of 8.8, allows attackers to bypass Internet Explorer security controls, potentially leading to code execution when a victim opens a malicious HTML page or LNK file. Opening the malicious file is what triggers the vulnerability, enabling attackers to bypass protections and gain unauthorized access. Akamai reports that APT28 may have leveraged this vulnerability to conduct targeted attacks, highlighting the need for prompt patching and monitoring.

The exploitation of CVE-2026-21513 by APT28 underscores the group's ability to identify and exploit high-impact vulnerabilities, making it essential for organizations to stay vigilant and prioritize patch management. The fact that APT28 was able to exploit this vulnerability before a patch was available emphasizes the importance of proactive security measures, such as monitoring for suspicious activity and implementing additional security controls. For practitioners, what matters is that the exploitation status of CVE-2026-21513 determines whether this is a patch-now or monitor situation, requiring immediate attention to prevent potential attacks.