As part of its November 2025 Patch Tuesday updates, Microsoft has quietly patched CVE-2025-9491, a Windows Shortcut (.LNK) file misinterpretation flaw (CVSS score: 7.8) that multiple threat actors have actively exploited since 2017. The flaw allowed remote code execution.
The vulnerability stemmed from how Windows displayed the contents of .LNK files. Attackers could craft shortcut files whose properties were padded with invisible whitespace characters so that the malicious command-line arguments were pushed out of view, making the shortcut look harmless to a user who inspected it. When the user then launched the shortcut, the concealed command ran in the user's context, leading to code execution.
Longstanding Windows Shortcut Vulnerability Addressed After Years of Exploitation
The existence of this Windows security flaw first came to light in March 2025, when Trend Micro's Zero Day Initiative (ZDI) revealed that it had been leveraged by eleven state-sponsored threat groups originating from China, Iran, North Korea, and Russia. These campaigns, some dating back to 2017, primarily focused on data theft, espionage, and financial gain.
At the time of the initial disclosure, Microsoft indicated that the vulnerability did not meet the threshold for immediate patching, stating it would be considered for future releases. The company also highlighted existing preventative measures, noting that the .LNK file format was blocked across several Microsoft applications, including Outlook, Word, Excel, PowerPoint, and OneNote, with users receiving warnings when attempting to open such files from untrusted sources.
Following the ZDI disclosure, further analysis by HarfangLab identified the vulnerability’s use by a cyber espionage group known as XDSpy. This group allegedly employed the flaw to distribute a Go-based malware, XDigo, in attacks targeting governmental bodies in Eastern Europe, aligning with the public disclosure timeline.
The issue resurfaced for a third time in late October 2025, when Arctic Wolf reported on an offensive campaign attributed to China-affiliated threat actors. These actors were observed weaponizing the CVE-2025-9491 vulnerability to deliver PlugX malware in attacks targeting European diplomatic and governmental entities.
This persistent exploitation prompted Microsoft to issue formal guidance on CVE-2025-9491. While reiterating its previous decision not to ship a fix, the company explained how it classified the issue, citing the user interaction required to exploit it and the warnings Windows already shows for untrusted file formats.
Technical Details Behind the LNK File Exploitation
0patch elaborated on the technical details of the exploit, explaining that the problem went beyond simply hiding malicious commands in the "Target" field of a shortcut. The LNK file format permits extremely long strings, potentially tens of thousands of characters, in the "Target" arguments, whereas the standard Windows Properties dialog displayed only the first 260 characters of the field and silently truncated the rest.
This truncation meant that an attacker could construct an LNK file with a lengthy malicious command, where only a small, innocuous-looking portion was visible to the user inspecting its properties. The full, harmful command was effectively hidden due to the display limitations of the Windows interface.
Microsoft's recent silent patch reportedly addresses this by modifying the Properties dialog to display the complete "Target" command and its arguments, regardless of their length. The change only affects shortcuts whose "Target" field exceeds 260 characters; shorter fields were already displayed in full.
In contrast, 0patch's micropatch for the same vulnerability takes a preventative approach: it warns the user whenever they attempt to open an .LNK file whose "Target" field exceeds 260 characters. 0patch stated that this measure is aimed at the attacks actually observed in the wild, acknowledging that malicious shortcuts with shorter "Target" fields would not trigger the warning, but that blocking the long-"Target" variants seen in real campaigns would significantly disrupt ongoing threats.
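To make the truncation mechanism and the 0patch-style length check concrete, here is an added example (not code from the original article, Microsoft, 0patch or ZDI) that parses the relevant parts of a .LNK file and reconstructs what the legacy Properties dialog would have shown. The field layout follows the public MS-SHLLINK specification (ShellLinkHeader, LinkInfo with LocalBasePath, and the size-prefixed StringData entries), but the parser is deliberately minimal: it takes the target path from LinkInfo's LocalBasePath and skips the ItemID list, so a shortcut that stores its target only in the ItemID list would come back with an empty path. The two sample shortcuts are constructed in the script itself; the padded one launches Calculator so the concealment technique can be demonstrated without a harmful payload. The 260-character cut-off is the figure the article gives.

```python
import struct

# ShellLinkHeader constants (MS-SHLLINK 2.1): fixed size and the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) used below.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
MAX_PATH = 260                     # characters the legacy Properties dialog showed
WHITESPACE = " \t\r\n\x0b\x0c"     # padding characters used to hide the real command


def build_lnk(local_base_path: str, arguments: str) -> bytes:
    """Build a minimal .LNK with a LinkInfo LocalBasePath and Unicode arguments (constructed sample)."""
    lbp = local_base_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"      # DRIVE_FIXED, empty label
    info_hdr = 0x1C
    lbp_off = info_hdr + len(volume_id)
    body = volume_id + lbp + b"\x00"                              # CommonPathSuffix is empty
    link_info = struct.pack("<IIIIIII", info_hdr + len(body), info_hdr, 0x1,
                            info_hdr, lbp_off, 0, lbp_off + len(lbp)) + body
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID,
                         HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


def parse_lnk(data: bytes) -> dict:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData and return path and strings."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:               # skip the size-prefixed ItemID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base_path = ""
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, _, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                          # VolumeIDAndLocalBasePath present
            start = pos + lbp_off
            local_base_path = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += info_size
    out = {"local_base_path": local_base_path}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:                               # StringData: CountCharacters + chars, no NUL
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return out


def assess(info: dict) -> dict:
    """Reconstruct the Target field as the old dialog showed it and flag concealed content."""
    args = info.get("arguments", "")
    target = info["local_base_path"] + (" " + args if args else "")
    hidden = target[MAX_PATH:]
    return {
        "displayed_target": target[:MAX_PATH],
        "exceeds_dialog_limit": len(target) > MAX_PATH,      # the 0patch-style warning trigger
        "leading_whitespace": len(args) - len(args.lstrip(WHITESPACE)),
        "hidden_command": hidden.strip(WHITESPACE),           # non-blank text past the cut-off
    }


# Constructed samples: same target, one benign argument string, one padded so the
# real command starts well past the 260-character display window.
CMD_EXE = r"C:\Windows\System32\cmd.exe"
BENIGN_ARGS = "/c echo hello"
HIDDEN_COMMAND = '/c powershell.exe -WindowStyle Hidden -Command "Start-Process calc.exe"'
PADDED_ARGS = " " * 300 + HIDDEN_COMMAND

if __name__ == "__main__":
    for label, args in (("benign", BENIGN_ARGS), ("padded", PADDED_ARGS)):
        verdict = assess(parse_lnk(build_lnk(CMD_EXE, args)))
        print(f"{label}: exceeds limit={verdict['exceeds_dialog_limit']}, "
              f"leading whitespace={verdict['leading_whitespace']}, "
              f"hidden={verdict['hidden_command']!r}")
```

Run against the padded sample, `displayed_target` contains nothing but `cmd.exe` followed by blanks, which is exactly what a user inspecting the shortcut would have seen, while `hidden_command` recovers the PowerShell invocation. `exceeds_dialog_limit` mirrors the 0patch criterion (warn on any Target longer than 260 characters); `hidden_command` is the stricter question of whether non-blank text actually sits beyond the cut-off, and `leading_whitespace` is a cheap hunting signal on its own, since legitimate shortcuts almost never open their arguments with hundreds of blanks. To triage real files, replace `build_lnk(...)` with the bytes read from disk.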
The Hacker News has reached out to Microsoft for a statement regarding the silent patch and will update this article if a response is received. That a flaw abused in the wild since 2017 was fixed only after three rounds of public reporting underscores how long such issues can persist without a vendor patch.

