CVE-2025-36918 Windows MSHTML Platform RCE

BLUF

A critical "Use-After-Free" zero-day vulnerability in the Windows MSHTML engine (CVE-2025-36918) is being actively exploited in the wild. The flaw allows unauthenticated remote code execution (RCE) via malicious email attachments or websites, bypassing traditional sandboxes by leveraging the engine's deep integration into the Windows shell.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by CVE-2025-36918 exploitation or suspected abuse:

  • Low-end total cost: $600,000 – $1M
    (Rapid isolation, limited device count, no confirmed lateral movement, minimal legal/compliance involvement)

  • Typical expected range: $1.3M – $2.6M

  • Upper-bound realistic scenarios: $3M – $5M
    (Enterprise-wide workstation impact, credential reset waves, prolonged monitoring, external IR retainer utilization, regulatory/legal involvement if sensitive data is implicated)

Key cost driver:

Costs are driven less by a single outage than by the enterprise assurance workload that follows an MSHTML-based remote code execution pathway, particularly when it is triggered through common user workflows (email or web content rendering). Once exploitation is suspected, organizations typically incur expanding costs to verify endpoint integrity, rebuild or reimage affected fleets, reset credentials, and confirm that attacker persistence was not established. This extends recovery timelines and increases monitoring, audit support, and governance overhead beyond initial containment.

Targeted Sectors

• Government Institutions
  ◦ Specifically targeted were U.S. federal and state agencies, as well as national authorities responsible for critical assets such as uranium, rare metals, and nuclear fuel.

• Financial Services
  ◦ Campaigns targeted banks and financial institutions globally.

• Critical Infrastructure
  ◦ Beyond finance and government, the exploitation targeted manufacturing, defense, and logistics companies.

Countries

• Global
  ◦ Primarily targeting entities in the United States and Europe.

Date of First Reported Activity

• December 2025

Date of Last Reported Activity Update

• January 2, 2026

CVE-2025-36918

CVSS 3.1 Vector

• (8.8) AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Possible CVSS 4.0 Vector

• (9.3) AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Nessus ID

• 212543
  ◦ This is a general plugin and not specific to CVE-2025-36918.

Is CVE-2025-36918 on the KEV list?

• Yes

What is the CISA patch-by date?

• January 6, 2026

Patch Release Date

• December 9, 2025

URL link to Patch information

• hxxps://source.android.com/security/bulletin/pixel/2025-12-01

Mitigation

• Disable the Outlook Preview Pane and block the execution of ActiveX controls in Office via Group Policy.

Suspected APT groups

• Void Banshee
  ◦ This Advanced Persistent Threat (APT) group has been extensively linked to MSHTML vulnerabilities (such as CVE-2024-43461). They typically utilize crafted HTA (HTML Application) files masked as PDFs to deliver info-stealing malware designed to compromise authentication cookies and cryptocurrency wallets.

• Secret Blizzard
  ◦ A Russian state-sponsored actor observed in 2025 utilizing custom malware (ApolloShadow) through spear-phishing campaigns that often leverage browser rendering vulnerabilities.

• Linen Typhoon & Violet Typhoon
  ◦ Chinese nation-state actors frequently observed exploiting vulnerabilities in internet-facing Microsoft servers, including SharePoint and associated MSHTML-related components.

Suspected criminal organizations

• RomCom (Storm-0978 / UNC2596)
  ◦ Also known as the Cuba Ransomware Gang
    ▪ This Russia-linked group is highly active in exploiting RCE vulnerabilities across Windows components to deploy backdoors like SnipBot and RustyClaw.

IOCs

Filenames

• Urgent_Invoice_Dec.html

• Holiday_Schedule_2026.docx

Malicious Domains

• Update-microsoft-security[.]com

• finance-report-portal[.]net

Tools Used

• Maliciously crafted .docx and .rtf files

• Custom PowerShell stagers

• Cobalt Strike Beacons

TTPs

Initial Access

• T1566.001 Phishing: Spearphishing Attachment
  ◦ Attackers send emails containing specially crafted files (e.g., malicious Microsoft Office documents) to trick users into opening them.

• T1566.002 Phishing: Spearphishing Link
  ◦ Use of malicious websites hosting a crafted HTML document that triggers the vulnerability when visited.

Execution

• T1203 Exploitation for Client Execution
  ◦ The vulnerability is triggered during the rendering of CSS property inheritance in the MSHTML engine. Specifically, it involves a Use-After-Free condition when parsing nested style elements.

• T1106 Native API
  ◦ Successful exploitation allows the attacker to hijack the execution flow of the host process (such as Outlook.exe or Explorer.exe) to execute arbitrary code in the user's context.

Defense Evasion

• T1211 Exploitation for Defense Evasion
  ◦ Because MSHTML is integrated into the Windows shell, the exploit can bypass traditional browser-based sandboxes.

• T1001.003 Data Obfuscation
  ◦ Protocol Impersonation: Exploitation via the Outlook Preview Pane can occur as a "one-click" or "zero-click" threat, making it highly effective for bypassing user scrutiny.

Malware Names

• TridentLoader

• Cobalt Strike

Malware Samples

As a reminder, the heuristic behavior of the malware is what should be hunted on. Hashes, domains, and similar indicators tend to be dynamic: they will usually differ for each target and attack, and can differ even within the same attack.

Trident Loader

sha256

0b74e5aa8e84ddefd60a6663e6305b3615eb743db543323f8a0068b58d56503f

URL link to sample

• hxxps://bazaar.abuse.ch/sample/0b74e5aa8e84ddefd60a6663e6305b3615eb743db543323f8a0068b58d56503f/

Weaponized document

sha256

938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52

URL link to sample

• hxxps://www.virustotal.com/gui/file/938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52

Spear-phishing attachment

sha256

199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455

URL link to sample

• hxxps://www.virustotal.com/gui/file/199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455

Malicious HTML template

sha256

5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185

URL link to sample

• hxxps://www.virustotal.com/gui/file/5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185

JavaScript payload component

sha256

d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6

URL link to sample

• hxxps://www.virustotal.com/gui/file/d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6

Suggested rules / potential hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata

# The crafted HTML reaches the victim in the HTTP response (server -> client), so the rule
# inspects the response body with flow:to_client; the classtype is a standard Suricata name.
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Windows MSHTML UAF RCE (CVE-2025-36918) M1"; flow:established,to_client; http.response_body; content:"style"; nocase; content:"behavior"; nocase; distance:0; pcre:"/behavior\s*:\s*url\s*\(/i"; reference:cve,2025-36918; classtype:attempted-user; sid:2026001; rev:2;)

SentinelOne

Indicator: Process.Name == "OUTLOOK.EXE" AND ChildProcess.Name == "POWERSHELL.EXE" AND Commandline.Contains("-enc")

Splunk

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*powershell.exe" OR Image="*cmd.exe") ParentImage="*outlook.exe"
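The three rules above re-expressed as plain Python so the matching logic can be exercised offline against sample data. This is an added example and is not part of the CyberDax advisory or of any vendor's product: the content chain mirrors the Suricata rule (style, then behavior, then the pcre), the endpoint checks mirror the SentinelOne and Splunk queries, field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the HTML bodies and process events are constructed for illustration, and case-insensitive name and command-line matching is an assumption.

```python
import re
from dataclasses import dataclass

# --- Network rule logic (mirrors the Suricata content/pcre chain) --------------
# content:"style"; nocase; then content:"behavior"; distance:0 (must follow "style");
# then pcre:"/behavior\s*:\s*url\s*\(/i" over the body.
BEHAVIOR_URL_RE = re.compile(rb"behavior\s*:\s*url\s*\(", re.IGNORECASE)


def matches_suricata_rule(body: bytes) -> bool:
    """Return True when an HTTP body would satisfy the rule's content chain."""
    lowered = body.lower()
    style_at = lowered.find(b"style")
    if style_at < 0:
        return False
    # distance:0 - "behavior" has to appear at or after the end of "style"
    if lowered.find(b"behavior", style_at + len(b"style")) < 0:
        return False
    return BEHAVIOR_URL_RE.search(body) is not None


# --- Endpoint rule logic (Sysmon Event ID 1 style fields) ------------------------
@dataclass
class ProcessCreate:
    image: str          # full path of the new process (Sysmon "Image")
    parent_image: str   # full path of the parent (Sysmon "ParentImage")
    command_line: str   # Sysmon "CommandLine"


def _basename(path: str) -> str:
    """Last path component, lower-cased (assumption: matching is case-insensitive)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_sentinelone_rule(ev: ProcessCreate) -> bool:
    """OUTLOOK.EXE spawning POWERSHELL.EXE with '-enc' on the command line."""
    return (_basename(ev.parent_image) == "outlook.exe"
            and _basename(ev.image) == "powershell.exe"
            and "-enc" in ev.command_line.lower())


def matches_splunk_rule(ev: ProcessCreate) -> bool:
    """(Image=*powershell.exe OR Image=*cmd.exe) AND ParentImage=*outlook.exe.
    This query has no command-line condition, so it is the noisier of the two."""
    return (_basename(ev.image) in ("powershell.exe", "cmd.exe")
            and _basename(ev.parent_image) == "outlook.exe")


# --- Constructed sample data (illustrative, not captured telemetry) --------------
SAMPLE_BODIES = [
    b"<html><head><style>.x{color:red}</style></head></html>",          # benign CSS
    b"<style>\n.x { BEHAVIOR : url ( sample.htc ) }\n</style>",         # matches chain
    b"<div>behavior:url(sample.htc)</div>",                              # no 'style' first
]

SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                  "powershell.exe -nop -w hidden -enc AAAA"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe",
                  r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                  'cmd.exe /c "dir"'),
    ProcessCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\explorer.exe",
                  "powershell.exe -enc AAAA"),
]


def run_hunts() -> dict:
    """Evaluate each rule over the samples and return the hit count per rule."""
    return {
        "suricata": sum(matches_suricata_rule(b) for b in SAMPLE_BODIES),
        "sentinelone": sum(matches_sentinelone_rule(e) for e in SAMPLE_EVENTS),
        "splunk": sum(matches_splunk_rule(e) for e in SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    print(run_hunts())
```

Running the block shows where the noise in these indicator rules comes from: the Splunk query flags any cmd.exe or powershell.exe child of Outlook (two of the three sample events), while the SentinelOne condition also requires `-enc` and fires once. The network check only sees the HTML if the traffic is in the clear or has been TLS-terminated before inspection, which is the usual limitation of a body-content signature.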

Delivery Method

Spear-phishing emails containing embedded HTML objects or links to malicious websites that trigger the "Preview Pane" in Outlook.

Email Samples

Subject: [URGENT] Security Update for 2026 Fiscal Year

Body

Please review the attached HTML report for mandatory compliance steps.

References

NVD

• hxxps://nvd.nist.gov/vuln/detail/CVE-2025-36918

Source Android

• hxxps://source.android.com/security/bulletin/pixel/2025-12-01

Security Boulevard

• hxxps://securityboulevard.com/2026/01/top-cves-of-december-2025/

Security Week

• hxxps://www.securityweek.com/microsoft-patches-57-vulnerabilities-three-zero-days/

Tenable

• hxxps://www.tenable.com/cve/CVE-2025-36918/plugins

VirusTotal

• hxxps://www.virustotal.com/gui/file/938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52

• hxxps://www.virustotal.com/gui/file/199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455

• hxxps://www.virustotal.com/gui/file/5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185

Malware Bazaar

• hxxps://bazaar.abuse.ch/sample/0b74e5aa8e84ddefd60a6663e6305b3615eb743db543323f8a0068b58d56503f/
