Russia-linked APT28 Exploited MSHTML Zero-Day Before Patch

📌 Russia-linked threat group APT28 reportedly exploited a high-severity MSHTML zero-day vulnerability (CVE-2026-21513) with a CVSS score of 8.8 before Microsoft released a patch in February 2026. The flaw is described as an Internet Explorer security control bypass that could lead to arbitrary code execution. Akamai identified the exploitation activity associated with the Russian state-sponsored actor. No specific targets or additional technical details about the attack vector were disclosed in the report.