MSHTML 0-Day RCE Exploits Network Security Bypass

A critical security feature bypass vulnerability in the MSHTML Framework, tracked as CVE-2026-21513, has been exploited in the wild to bypass network protections and achieve remote code execution (RCE).

Patched on February 10, 2026, this “Important”-rated flaw affects numerous Windows versions and requires user interaction, enabling high-impact compromise via malicious HTML or .lnk files. Security teams must prioritize patch deployment, as exploitation is confirmed.

The flaw stems from a failure of a protection mechanism (CWE-693) in MSHTML, the legacy rendering engine still used by the Windows Shell and apps to handle web content.

Attackers trick users into opening crafted files via email, links, or downloads, manipulating browser and shell behaviors to evade prompts such as Windows SmartScreen and to execute OS-level code.

This bypasses security UI, potentially leading to full RCE without authentication beyond user clicks.

Microsoft’s Threat Intelligence Center (MSTIC), Security Response Center (MSRC), and partners such as Google’s Threat Intelligence Group discovered and coordinated the fix.

Public disclosure and active exploits preceded patching, heightening urgency for enterprises.

Base Score Metrics

| Metric | Value | Description |
|---|---|---|
| Attack Vector (AV) | N | Network-accessible |
| Attack Complexity (AC) | L | Low barriers |
| Privileges Required (PR) | N | None needed |
| User Interaction (UI) | R | Required (file open) |
| Scope (S) | U | Unchanged |
| Confidentiality (C) | H | High impact |
| Integrity (I) | H | High impact |
| Availability (A) | H | High impact |

Temporal Score Metrics

| Metric | Value | Description |
|---|---|---|
| Exploit Code Maturity (E) | U | Unproven (early exploits detected) |
| Remediation Level (RL) | O | Official fix available |
| Report Confidence (RC) | C | Confirmed |

Affected Platforms and Patches

Updates rolled out February 10, 2026, across 31 configurations, all marked “Required.” Builds vary by edition; hotpatching is supported on newer servers.

| Platform | KB Articles | Build(s) | Update Types |
|---|---|---|---|
| Windows 11 24H2 (x64/ARM64) | 5077181, 5077212 | 10.0.26100.7840/7781 | Security, Hotpatch |
| Windows Server 2025 (Core) | 5075899, 5075942 | 10.0.26100.32370/32313 | Security, Hotpatch |
| Windows 11 25H2 (x64/ARM64) | 5077181, 5077212 | 10.0.26200.7840/7781 | Security, Hotpatch |
| Windows Server 2022 (Core) | 5075906, 5075943 | 10.0.20348.4773/4711 | Security, Hotpatch |
| Windows 10 22H2 (x64/32-bit/ARM64) | 5075912 | 10.0.19045.6937 | Security |
| Windows Server 2019 (Core) | 5075904 | 10.0.17763.8389 | Security |
| Windows Server 2016 (Core) | 5075999 | 10.0.14393.8868 | Security |
| Windows Server 2012 R2 (Core) | 5075970 | 6.3.9600.23022 | Monthly Rollup |
| Windows 11 26H1 (x64/ARM64) | 5077179 | 10.0.28000.1575 | Security |

Apply patches immediately via Windows Update or Catalog. Enable enhanced protections, such as Attack Surface Reduction rules, for MSHTML/Office files.

Monitor for anomalous .lnk/HTML handling and phishing. Until updated, block untrusted file execution in email gateways.

Enterprises should scan their environments using tools such as Qualys or Tenable to identify unpatched systems.
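Where a scanner is not available, an inventory export can be triaged against the build table above. The following is an added example, not code from Microsoft or the original article: the inventory format (`host,version,is_server`), the function names, and the sample hosts are assumptions, and it assumes the first build in each pair is the security update and the second the hotpatch. Because Windows 11 24H2 and Windows Server 2025 share build 26100 but have different fixed revisions, the lookup is keyed on client versus server.

```python
import csv
import io

# Fixed builds transcribed from the table above:
# (build, is_server) -> (security-update UBR, hotpatch UBR or None).
# Assumption: where two builds are listed, the first is the security update
# and the second the hotpatch, following the "Update Types" column order.
FIXED = {
    (26100, False): (7840, 7781),    # Windows 11 24H2
    (26100, True): (32370, 32313),   # Windows Server 2025
    (26200, False): (7840, 7781),    # Windows 11 25H2
    (20348, True): (4773, 4711),     # Windows Server 2022
    (19045, False): (6937, None),    # Windows 10 22H2
    (17763, True): (8389, None),     # Windows Server 2019
    (14393, True): (8868, None),     # Windows Server 2016
    (9600, True): (23022, None),     # Windows Server 2012 R2
    (28000, False): (1575, None),    # Windows 11 26H1
}

# Constructed sample inventory (hypothetical hosts): host,version,is_server
SAMPLE = """\
ws-001,10.0.26100.7840,false
ws-002,10.0.26100.7623,false
srv-001,10.0.26100.32313,true
srv-002,10.0.20348.4750,true
srv-003,10.0.26100.7840,true
ws-003,10.0.22631.5000,false
"""

def classify(version, is_server):
    """Return PATCHED, VULNERABLE, REVIEW or UNKNOWN for 'major.minor.build.ubr'."""
    try:
        _, _, build, ubr = (int(p) for p in version.strip().split("."))
    except ValueError:
        return "UNKNOWN"        # malformed or truncated version string
    fixed = FIXED.get((build, is_server))
    if fixed is None:
        return "UNKNOWN"        # platform is not in the table above
    security, hotpatch = fixed
    if ubr >= security or ubr == hotpatch:
        return "PATCHED"
    if hotpatch is not None and ubr > hotpatch:
        return "REVIEW"         # between the listed hotpatch and security builds
    return "VULNERABLE"

def triage(inventory_csv):
    """Map hostname -> status; rows without exactly three fields are skipped."""
    rows = (r for r in csv.reader(io.StringIO(inventory_csv)) if len(r) == 3)
    return {h.strip(): classify(v, s.strip().lower() == "true") for h, v, s in rows}
```

`triage(SAMPLE)` flags `srv-003` as vulnerable even though its revision matches the fixed Windows 11 build, which is the mistake a build-number-only check would make.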

Site: cybersecuritypath.com
