CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.
Remediation Deadline: Mar 3, 2026
Description
Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.
EPSS — Exploit Probability
Higher than 89.3% of all CVEs
Required Action
https://msrc.microsoft.com/update-guide/advisory/CVE-2026-21513 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21513
Related Articles (3)
Patch Tuesday, February 2026 Edition
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six "zero-day" vulnerabilities that attackers are already exploiting in the wild.
Feb 10, 2026
APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine
Researchers uncover APT28-linked phishing attacks against Ukrainian targets deploying BadPaw loader and MeowMeow backdoor for remote system control.
Mar 5, 2026
APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday
APT28 exploited CVE-2026-21513, an MSHTML zero-day (CVSS 8.8), using malicious LNK files to bypass security controls and execute code.
Mar 2, 2026
Risk Assessment
ELEVATEDDetails
- Severity
- High
- EPSS
- 4.8%
- CISA KEV
- Yes
- Ransomware
- Unknown
- Articles
- 3
Timeline
Published
Feb 10, 2026
Added to KEV
Feb 10, 2026
Remediation Due
Mar 3, 2026