What You Need to Know — Patch Immediately
CVE-2026-0847 is a zero-click remote code execution vulnerability in the Windows MSHTML (Trident) rendering engine. Exploitation requires no user interaction beyond receiving a malicious document via email or messaging application. CVSS score: 9.8 (Critical).
Microsoft released an emergency out-of-band patch on March 12, 2026 — a day ahead of Patch Tuesday — indicating the severity of active exploitation. All Windows versions from Windows 10 21H2 through Windows 11 24H2 and Windows Server 2019/2022/2025 are affected.
Active Exploitation: Three APT Groups Confirmed
Threat intelligence from four independent research firms confirms active exploitation by at least three distinct threat actor clusters:
APT-41 (WINNTI Group)
The Chinese state-sponsored group used CVE-2026-0847 in a campaign targeting government ministries across Southeast Asia beginning February 28. The exploitation delivered a novel implant researchers have dubbed CLOUDSHADOW, which establishes persistence through Windows Management Instrumentation (WMI) subscriptions.
COZY BEAR (APT-29)
The Russian SVR-linked group deployed the vulnerability against diplomatic targets in Eastern Europe and the Baltic states. Notably, their exploitation chain integrates with previously documented tooling associated with the 2020 SolarWinds campaign.
TA453 (Charming Kitten)
The Iranian group used the vulnerability in targeted attacks against nuclear policy researchers and think tanks in the United States, United Kingdom, and Israel.
Technical Analysis
The vulnerability resides in mshtml.dll's handling of MHT (MHTML) archive files. A malformed Object Linking and Embedding (OLE) pointer in the file header triggers a type confusion error that permits arbitrary code execution in the context of the calling process.
Affected Component: mshtml.dll (Windows MSHTML engine)
Attack Vector: Network / Email delivery
Attack Complexity: Low
Privileges Required: None
User Interaction: None (zero-click)
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
The vulnerability is particularly dangerous because MSHTML is invoked by multiple applications beyond Internet Explorer (which is disabled but not removed on most Windows systems), including Microsoft Office applications when handling rich document formats.
Indicators of Compromise
Organizations should hunt for the following IOCs:
- Suspicious wmic.exe or mofcomp.exe execution spawned from Office processes
- Creation of WMI subscriptions with base64-encoded payloads
- Outbound connections from mshtml.dll-spawned processes
- Registry modifications to HKCU\Software\Microsoft\Internet Explorer\Main
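The first two IOCs above (Office processes spawning wmic.exe or mofcomp.exe, and WMI subscription consumers carrying base64-encoded payloads) can be hunted in process-creation and WMI telemetry. The following is an added example, not code from the advisory or from any vendor: it assumes a constructed, Sysmon-like record shape (EventID 1 for process creation with Image/ParentImage, EventID 20 for a WMI consumer with its command in Destination) and treats any base64 run of 40 or more characters that decodes cleanly as an encoded payload. Both the field names and that threshold are assumptions to adapt to your own telemetry.

```python
"""Hunt for two CVE-2026-0847 IOCs in process-creation and WMI telemetry.

Added example, not from the advisory. The event dicts are a constructed,
Sysmon-like shape (EventID 1 = process create, EventID 20 = WMI consumer);
real exports will need their field names mapped onto these.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"wmic.exe", "mofcomp.exe"}

# Assumption: a run of 40+ base64-alphabet characters that decodes without
# error is treated as an encoded payload. Tune the length for your data.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_base64_payload(text: str) -> bool:
    """True if text contains a long base64 run that decodes cleanly."""
    for match in B64_RUN.finditer(text):
        try:
            base64.b64decode(match.group(0), validate=True)
            return True
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return False


def check_event(event: dict) -> list:
    """Return the IOC labels matched by one event (empty list = clean)."""
    hits = []
    if event.get("EventID") == 1:
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append("office-spawned-wmi-tool")
    elif event.get("EventID") == 20:
        if has_base64_payload(event.get("Destination", "")):
            hits.append("wmi-consumer-base64-payload")
    return hits


def hunt(events: list) -> list:
    """Return (RecordId, label) pairs for every IOC hit across the events."""
    return [(ev["RecordId"], label) for ev in events for label in check_event(ev)]


# Constructed sample telemetry; none of these values are real IOCs.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"RecordId": 2, "EventID": 1,  # same child, benign admin parent
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 3, "EventID": 20, "Name": "Updater",
     "Destination": "powershell.exe -enc "
                    + base64.b64encode("x".encode("utf-16-le") * 30).decode()},
    {"RecordId": 4, "EventID": 20, "Name": "SCM Event Log Consumer",
     "Destination": r"C:\Windows\System32\wbem\scrcons.exe"},
]

if __name__ == "__main__":
    for record_id, label in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {label}")
```

Run over a real export, records 1 and 3 above are the kind of pair an analyst would escalate: an Office parent launching a WMI tool, and a consumer whose command is an encoded script. Long file names or hashes in a consumer command line can also match the base64 regex, so treat the second rule as a triage filter rather than a verdict, and pair it with the WMI subscription review listed under Immediate Actions.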
Immediate Actions Required
- Apply MS26-March-Critical immediately — Do not wait for your regular patch cycle
- Block MHT/MHTML files at email gateway — Until patching is confirmed complete
- Enable Protected View in Office — Prevents automatic rendering of external content
- Hunt for IOCs listed above — Assume some systems may already be compromised
- Review WMI subscriptions — Audit existing subscriptions for malicious entries
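The gateway block on MHT/MHTML files is only effective if it keys on content, because Office applications sniff file content and will render an MHTML document saved under another extension. The following is an added example, not code from the advisory or from any gateway product: it parses the attachment as a MIME message with Python's standard email library and flags it when the top-level type is multipart/related (the MHTML container) or a Content-Location header is present. The sample attachments are constructed, and the `should_block` helper and its extension list are assumptions for illustration.

```python
"""Identify MHTML (MHT) attachments by content rather than by extension.

Added example, not from the advisory. The detection heuristics (top-level
multipart/related, or a Content-Location header) and the sample data below
are assumptions and constructed inputs, not gateway vendor logic.
"""
from email import policy
from email.parser import BytesParser

MHT_EXTENSIONS = (".mht", ".mhtml")


def is_mhtml(data: bytes) -> bool:
    """True if the bytes parse as a MIME message that looks like an MHTML
    archive: multipart/related at the top level, or a Content-Location
    header (which MHTML uses to name the saved resource)."""
    head = data[:4096]
    # Cheap pre-check: an MHTML file starts with RFC 822 style headers.
    if b"MIME-Version" not in head and b"Content-Type" not in head:
        return False
    msg = BytesParser(policy=policy.default).parsebytes(data)
    if msg.get_content_type() == "multipart/related":
        return True
    return msg.get("Content-Location") is not None


def should_block(filename: str, data: bytes) -> tuple:
    """Return (block?, reason). Extension match is checked first, then the
    content sniff catches MHTML renamed to .doc or any other extension."""
    if filename.lower().endswith(MHT_EXTENSIONS):
        return True, "extension"
    if is_mhtml(data):
        return True, "content"
    return False, ""


# Constructed sample attachments (not real malicious content).
SAMPLE_MHT = (
    b"From: <Saved by Windows Internet Explorer>\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart_000\"; "
    b"type=\"text/html\"\r\n"
    b"\r\n"
    b"------=_NextPart_000\r\n"
    b"Content-Type: text/html; charset=\"utf-8\"\r\n"
    b"Content-Location: http://example.invalid/report.html\r\n"
    b"\r\n"
    b"<html><body>quarterly report</body></html>\r\n"
    b"------=_NextPart_000--\r\n"
)
SAMPLE_DOCX_LIKE = b"PK\x03\x04" + b"\x00" * 60  # zip local-file header, as in .docx
SAMPLE_TXT = b"Meeting notes\r\nNothing to see here.\r\n"

if __name__ == "__main__":
    for name, blob in [("report.doc", SAMPLE_MHT), ("notes.mht", SAMPLE_TXT),
                       ("report.docx", SAMPLE_DOCX_LIKE)]:
        print(name, should_block(name, blob))
```

`report.doc` above is blocked on content even though its extension is harmless, which is the case an extension-only rule misses. The content check is a parser-level heuristic, so keep it alongside, not instead of, the patch: once MS26-March-Critical is confirmed deployed, the block can be relaxed per the advisory.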
Historical Context
This is the fourth MSHTML zero-day exploited in the wild in the past 18 months, suggesting sustained vulnerability research investment in this component by multiple nation-state actors. Organizations should evaluate whether disabling MSHTML entirely via registry policy is feasible in their environment.
Get Daily Threat Intelligence
Join 47,000+ security professionals who receive QuantNest News every morning.