嗯,用户让我用中文总结一下这篇文章的内容,控制在一百个字以内,而且不需要用“文章内容总结”之类的开头。好的,我先仔细看看文章内容。 文章主要讲的是俄罗斯相关的APT28组织利用了一个MSHTML的零日漏洞CVE-2026-21513,在微软修补之前就已经被利用了。这个漏洞的CVSS评分是8.8,属于高危级别。攻击者通过恶意HTML页面或LNK文件触发漏洞,绕过安全保护,执行代码。 Akamai的研究人员分析了这个漏洞,发现它涉及到ieframe.dll中的超链接导航逻辑,导致攻击者能够绕过浏览器沙盒执行代码。微软已经修复了这个漏洞,并感谢了一些安全团队的报告。 好的,现在我需要把这些信息浓缩到100字以内。重点包括:APT28利用零日漏洞CVE-2026-21513,在微软修补前;漏洞影响MSHTML,通过恶意文件触发;Akamai分析并关联到APT28;微软已修复。 所以总结应该是:俄罗斯相关APT28组织在微软修补前利用MSHTML零日漏洞CVE-2026-21513进行攻击。该漏洞可被恶意HTML或LNK文件触发,绕过安全保护并执行代码。Akamai研究人员分析后确认其与APT28关联,微软已修复该漏洞。 </think> 俄罗斯相关APT28组织在微软修补前利用MSHTML零日漏洞CVE-2026-21513进行攻击。该漏洞可被恶意HTML或LNK文件触发,绕过安全保护并执行代码。Akamai研究人员分析后确认其与APT28关联,微软已修复该漏洞。 2026-3-2 14:45:52 Author: securityaffairs.com(查看原文) 阅读量:10 收藏
Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch
Russia-linked APT28 reportedly exploited MSHTML zero-day CVE-2026-21513 before Microsoft patched it, a high-severity bypass flaw.
Akamai reports that Russia-linked APT28 may have exploited CVE-2026-21513 CVSS score of 8.8), a high-severity MSHTML vulnerability (CVSS 8.8), before Microsoft patched it in February 2026.
The vulnerability is an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file. The flaw could be triggered by opening a malicious HTML or LNK file, allowing attackers to bypass protections and potentially execute code. While Microsoft shared few details
Microsoft confirmed CVE-2026-21513 was exploited in real-world zero-day attacks and credited MSTIC, MSRC, the Office Security Team, and Google’s GTIG for reporting it. Akamai found a malicious sample uploaded to VirusTotal on January 2026 tied to infrastructure linked to APT28.
Akamai researchers used PatchDiff-AI to analyze the root cause of the issue and traced CVE-2026-21513 to hyperlink navigation logic in ieframe.dll. They found that poor URL validation lets attacker input reach ShellExecuteExW, enabling code execution outside the browser sandbox. Researchers reproduced the flaw using MSHTML components and identified an exploit sample, document.doc.LnK.download, uploaded in January 2026 and linked to APT28 infrastructure.
“By correlating the vulnerable code path with public threat intelligence, we identified a sample that was leveraging this functionality: document.doc.LnK.download.” reads the report published by Akamai. “The sample was first submitted to VirusTotal on January 30, 2026, shortly before February’s Patch Tuesday, and is associated with infrastructure linked to APT28, an active Russian state-sponsored threat actor.”
The payload uses a specially crafted Windows Shortcut (.lnk) that embeds an HTML file directly after the standard LNK structure. When executed, it connects to wellnesscaremed[.]com, a domain attributed to APT28 and widely used in the campaign’s multistage activity. The exploit relies on nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). By downgrading the security context, it triggers the vulnerable navigation flow, allowing attacker-controlled content to invoke ShellExecuteExW and execute code outside the browser sandbox.
“While the observed campaign leverages malicious .LNK files, the vulnerable code path can be triggered through any component embedding MSHTML. Therefore, additional delivery mechanisms beyond LNK-based phishing should be expected.” concludes the report.
Microsoft addressed the issue by tightening hyperlink protocol validation to prevent file://, http://, and https:// links from reaching ShellExecuteExW.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT28, CVE-2026-21513)
如有侵权请联系:admin#unsafe.sh