Microsoft Quietly Fixes Long-Standing Windows LNK Vulnerability Exploited Since 2017
In a discreet move, Microsoft has addressed a critical security flaw in Windows Shortcut (LNK) files that has been actively exploited by various threat actors since 2017. This fix was part of the company’s November 2025 Patch Tuesday updates, as reported by ACROS Security’s 0patch.
Understanding the Vulnerability
The flaw, identified as CVE-2025-9491 with a CVSS score of 7.8, pertains to how Windows handles LNK files. According to the National Institute of Standards and Technology (NIST) National Vulnerability Database, the issue lies in the processing of .LNK files. Specifically, crafted data within an LNK file can render hazardous content invisible to users inspecting the file through the Windows interface. This concealment allows attackers to execute code in the context of the current user without detection.
Exploitation Tactics
Attackers have been crafting malicious LNK files that, when viewed, hide the execution of harmful commands by embedding them within whitespace characters. These files are often disguised as benign documents, tricking users into opening them and inadvertently triggering the malicious code.
Historical Context and Exploitation
The vulnerability came to public attention in March 2025 when Trend Micro’s Zero Day Initiative (ZDI) revealed that 11 state-sponsored groups from countries including China, Iran, North Korea, and Russia had been exploiting this flaw since 2017. These groups engaged in data theft, espionage, and financially motivated attacks. The issue is also tracked as ZDI-CAN-25373.
At that time, Microsoft stated that the flaw did not meet the criteria for immediate servicing but would be considered for a future release. The company also noted that the LNK file format is blocked across applications like Outlook, Word, Excel, PowerPoint, and OneNote. Consequently, attempts to open such files would prompt warnings advising users against opening files from unknown sources.
Subsequent Exploitation and Reports
In March 2025, HarfangLab reported that the cyber espionage group XDSpy exploited this vulnerability to distribute a Go-based malware named XDigo, targeting Eastern European governmental entities. Later, in October 2025, Arctic Wolf identified that China-affiliated threat actors leveraged the flaw to attack European diplomatic and government entities, deploying the PlugX malware.
These incidents led Microsoft to issue formal guidance on CVE-2025-9491, reiterating its decision not to patch the flaw. The company emphasized that it did not consider it a vulnerability due to the required user interaction and existing system warnings about untrusted formats.
Technical Insights from 0patch
ACROS Security’s 0patch highlighted that the vulnerability extends beyond hiding malicious commands. LNK files can contain target arguments that are extremely long—up to tens of thousands of characters. However, the Windows Properties dialog only displays the first 260 characters, truncating the rest without alerting the user. This means an attacker can create an LNK file with a lengthy command, of which only a portion is visible, concealing the malicious intent.
Microsoft’s Silent Patch
Microsoft’s recent, unannounced patch addresses this issue by ensuring that the Properties dialog displays the entire target command with all arguments, regardless of length. This change allows users to see the full command, enhancing transparency and security. However, this solution assumes the existence of shortcut files with target fields exceeding 260 characters.
0patch’s Alternative Solution
In contrast, 0patch has developed a micropatch that issues a warning when users attempt to open an LNK file whose target command line exceeds 260 characters. This approach aims to alert users to the potential risk posed by unusually long command strings in shortcut files.
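The whitespace-padding trick and the 260-character truncation described above, as an added detection example that is not part of the original article, of Microsoft's fix, or of 0patch's micropatch: it reads the COMMAND_LINE_ARGUMENTS field of a minimal ShellLink structure and flags the concealment signs a defender would look for. The sample LNK bytes are constructed inline, and the 50-character whitespace-run threshold is an assumed tuning value.

```python
import re
import struct

# LinkFlags bits from the ShellLink header (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_DATA_ORDER = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
DIALOG_LIMIT = 260      # characters the Properties dialog shows, per the article
PADDING_RUN = 50        # assumed threshold for a suspicious whitespace run
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SAMPLE_ARGS = " " * 300 + "/c echo hidden"   # constructed: padding pushes the command out of view

def parse_lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK blob ('' if absent)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip LinkTargetIDList (IDListSize + IDList)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # skip LinkInfo (LinkInfoSize covers the whole block)
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_DATA_ORDER:        # StringData fields follow in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        raw = data[off + 2: off + 2 + count * width]
        off += 2 + len(raw)
        if flag == HAS_ARGUMENTS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252")
    return ""

def analyze_arguments(args: str) -> list:
    """Flag the concealment signs the article describes; an empty list means nothing suspicious."""
    findings = []
    if len(args) > DIALOG_LIMIT:
        findings.append(f"arguments are {len(args)} chars; the dialog shows only {DIALOG_LIMIT}")
    hidden = args[DIALOG_LIMIT:].strip()
    if hidden:
        findings.append(f"content past the visible window: {hidden[:40]!r}")
    longest = max((len(m) for m in re.findall(r"\s+", args)), default=0)
    if longest >= PADDING_RUN:
        findings.append(f"whitespace run of {longest} chars hides what follows it")
    return findings

def build_sample_lnk(args: str) -> bytes:
    """Constructed minimal LNK: 76-byte header plus a Unicode COMMAND_LINE_ARGUMENTS field only."""
    header = struct.pack("<I16sI", 0x4C, SHELL_LINK_CLSID, HAS_ARGUMENTS | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Running `analyze_arguments(parse_lnk_arguments(build_sample_lnk(SAMPLE_ARGS)))` reports all three signs for the constructed sample and nothing for a short, ordinary argument string.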
Conclusion
The silent patching of CVE-2025-9491 marks a significant step in addressing a vulnerability that has been exploited for years. While Microsoft’s update enhances the visibility of potentially malicious commands in LNK files, users are advised to remain vigilant. It’s crucial to avoid opening files from unknown or untrusted sources and to keep systems updated with the latest security patches to mitigate such risks.