A critical zero-day vulnerability in Microsoft Windows 10 Version 1607, tracked as CVE-2026-21513, has been actively exploited by the Russian-linked APT28 group. The flaw, which was disclosed on February 10, 2026, allows attackers to bypass security mechanisms in the MSHTML framework, enabling unauthorized access over a network. This vulnerability has been assigned a CVSS score of 8.8, indicating its high severity.
The exploitation of CVE-2026-21513 was detected in the wild before its official disclosure, marking it as a zero-day with a TTE (Time to Exploit) of -0.7 days. This means attackers were actively abusing the flaw prior to any public awareness or patch availability. The vulnerability is now listed in the Known Exploited Vulnerabilities (KEV) catalog, underscoring its critical nature and the urgency for remediation.
APT28, also known as Fancy Bear, has been attributed with leveraging this vulnerability in their campaigns. The group is notorious for its sophisticated cyber-espionage operations, often targeting government and military entities. The exploitation of this zero-day highlights the persistent threat posed by state-sponsored actors and their capability to exploit unpatched vulnerabilities swiftly.
In addition to APT28, the ransomware groups Magic Hound, BianLian, and Black Basta have also been linked to attacks exploiting this vulnerability. These groups are known for their aggressive tactics, including data encryption and extortion, which further amplifies the risk associated with CVE-2026-21513.
The vulnerability stems from a protection mechanism failure in the MSHTML framework, categorized under CWE-693. This flaw allows attackers to bypass security features, potentially leading to unauthorized access and control over affected systems. Given the high EPSS (Exploit Prediction Scoring System) score of 0.310, the likelihood of exploitation remains significant.
Microsoft has released patches to address this vulnerability, and organizations are urged to apply these updates immediately to mitigate potential risks. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch this vulnerability by February 21, 2026, reflecting the critical need for prompt action.
Security teams should prioritize the deployment of patches and monitor for any signs of compromise. Additionally, implementing network segmentation and enhancing monitoring capabilities can help detect and prevent exploitation attempts. As attackers continue to exploit vulnerabilities like CVE-2026-21513, maintaining a proactive security posture is essential to safeguarding critical assets.
CSURFACE