
Microsoft has quietly fixed a security vulnerability that has been exploited by multiple threat actors since 2017. The fix was included in the November 2025 Patch Tuesday updates.
The vulnerability, tracked as CVE-2025-9491 (CVSS score: 7.8/7.0), is a “misinterpretation of the Windows shortcut file (LNK) user interface” flaw that could lead to remote code execution.
Vulnerability Details (CVE-2025-9491)
The vulnerability lies in how Windows handles .LNK files. The core problem is that a shortcut file can be crafted so that the malicious command it carries is hidden from a user who inspects the file through the Windows user interface.
- Malicious Command Hiding: Attackers can disguise LNK files as harmless documents. When viewing the file properties in Windows, the malicious commands are invisible to the user.
- Character Truncation: The flaw stems from the fact that, although the LNK file format allows very long command strings (up to 32,000 characters), the Windows properties dialog only displays the first 260 characters. Attackers take advantage of this to place the dangerous part of the command beyond the display limit, where the dialog never shows it.
History of Exploitation by Threat Actors
The vulnerability was first disclosed in March 2025 by Trend Micro’s Zero Day Initiative (ZDI). At the time, it was reported that 11 state-sponsored cyber espionage groups (from China, Iran, North Korea and Russia) had been exploiting it since 2017 in data theft and espionage campaigns.
- Usage by XDSpy: HarfangLab reported that the XDSpy cyberespionage cluster abused the vulnerability to distribute Go-based malware called XDigo against government entities in Eastern Europe.
- China-affiliated attacks: Arctic Wolf detected a campaign in late October 2025 where China-affiliated threat actors used the flaw to deliver PlugX malware in attacks targeting European diplomatic and government entities.
Microsoft’s Response and the Silent Patch
Microsoft had initially stated that the flaw did not meet the bar for “immediate servicing”, arguing that user interaction was required and that Windows already warned users that the LNK format is not trustworthy.
However, following continued exploitation in the wild, Microsoft released a silent patch in November 2025. The fix modifies the properties dialog to display the entire command string, regardless of its length, which resolves the truncation issue.
Alternative Solutions and Conclusion
Prior to Microsoft’s patch, 0patch had released its own micropatch for the same vulnerability. Their approach was different: display a warning to the user when an LNK file with more than 260 characters in the “Target” field is opened. Although the micropatch did not address the root of the design problem, it was intended to disrupt the attacks observed in the wild.
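As an added example (not code from the article, Microsoft or 0patch), the following Python parses the StringData section of a Shell Link file according to the MS-SHLLINK layout and splits the command-line arguments at the 260-character boundary the unpatched properties dialog displayed, which is the same condition 0patch's micropatch warned on. The two LNK samples are constructed inside the code; the field names and the cp1252 fallback for non-Unicode strings are assumptions.

```python
import struct

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02      # LinkFlags bits (MS-SHLLINK)
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
DISPLAY_LIMIT = 260  # characters the unpatched properties dialog shows

def parse_string_data(blob):
    """Return the StringData fields of a Shell Link file as {field: str}, in spec order."""
    if len(blob) < HEADER_SIZE or struct.unpack_from("<I", blob, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]  # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        # cp1252 for the ANSI case is an assumption; the spec says "system default code page"
        fields[name] = blob[pos:pos + size].decode("utf-16-le" if unicode else "cp1252")
        pos += size
    return fields

def hidden_arguments(blob, limit=DISPLAY_LIMIT):
    """Split the arguments into what the truncated dialog shows and what it hides.
    A non-empty second element is the condition the 0patch micropatch warned on."""
    args = parse_string_data(blob).get("arguments", "")
    return args[:limit], args[limit:]

def build_lnk(arguments):
    """Constructed test fixture: minimal Unicode LNK carrying only CommandLineArguments."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
    header = struct.pack("<I", HEADER_SIZE) + clsid + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(HEADER_SIZE - len(header))  # attributes, timestamps, icon, hotkey, reserved = 0
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

# Constructed samples: a short argument string and one padded past the 260-character limit
BENIGN = build_lnk("/c start notepad.exe")
PADDED = build_lnk("/c start notepad.exe" + " " * 300 + "& echo hidden-tail")
```

Run `hidden_arguments` over real shortcuts from mail attachments or downloads; any non-empty hidden part is worth a closer look even on patched hosts, since the patch only changes what the dialog displays.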
Microsoft’s patch finally addresses the root cause of the UI display issue, closing a vulnerability that had allowed threat groups to sustain their attacks for years.
References
- CVE-2025-9491
- ZDI-CAN-25373
- 0patch