Microsoft has quietly taken steps to mitigate a high-severity Windows LNK vulnerability that numerous state-sponsored hacking groups and cybercrime gangs have exploited as a zero-day.
The flaw, tracked as CVE-2025-9491, allows attackers to hide malicious commands inside Windows shortcut (.lnk) files, enabling malware deployment and persistence when unsuspecting users open them.
These attacks rely heavily on social engineering. Because most email services block LNK attachments, threat actors typically deliver them inside ZIP or similar archives. Once the archive is opened, the malicious shortcut launches commands that the victim cannot see, because of how Windows displays the Target field in a shortcut's properties.
The issue stems from the way Windows renders the Target field of .lnk files. The Properties dialog shows only the first 260 characters of the target (the MAX_PATH limit), so attackers pad the command-line arguments with whitespace (spaces, tabs, line feeds, vertical tabs, form feeds, or carriage returns) until the real arguments sit past that cut-off. The dialog then shows what looks like a harmless path to cmd.exe or powershell.exe followed by blank space, while the command that actually runs on double-click is hidden beyond the 260th character.
Trend Micro's Zero Day Initiative reported in March 2025 that at least 11 threat groups had been abusing this flaw, with malicious samples dating back to 2017. Those groups include state-backed actors such as APT37, APT43 (Kimsuky), Mustang Panda, Bitter, SideWinder, RedHotel, and Konni, as well as financially motivated groups such as Evil Corp. The campaigns deployed malware families including Ursnif, Gh0st RAT, Trickbot, and PlugX, often delivered through malware-as-a-service platforms.
Arctic Wolf Labs also confirmed that Mustang Panda used this vulnerability to target European diplomats in recent zero-day attacks involving PlugX.
Microsoft originally downplayed the issue, saying it did not meet the bar for immediate servicing because user interaction is required and Windows already warns users when they open untrusted file types. However, those warnings depend on the Mark of the Web, and attackers have routinely bypassed them through Mark of the Web flaws.
Despite not acknowledging CVE-2025-9491 as a vulnerability, Microsoft quietly altered LNK behavior in its November updates. After the update is installed, Windows displays the full Target string in a shortcut's properties rather than only the first 260 characters, exposing the previously hidden portions of a malicious command.
This change does not fully fix the problem. The hidden arguments are still present and still execute, and Windows does not warn users when they open a shortcut with an unusually long or whitespace-padded Target field. Attackers can still abuse the flaw; a user can only spot it by opening the properties dialog and scrolling through the full Target field by hand.
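The padding technique described above, and the manual Target-field inspection that Microsoft's November change still leaves to the user, can both be automated. The following is an added example, not code from the original article, Trend Micro, 0patch, or Microsoft. It parses the public Shell Link ([MS-SHLLINK]) layout directly, reconstructs what the first 260 characters of the Target field would show, and reports anything that lies beyond that cut-off. The two shortcuts it checks are constructed in memory (the padded one launches calc.exe, not real malware); the 16-character padding threshold and the function names are this example's own assumptions.

```python
"""Flag whitespace-padded COMMAND_LINE_ARGUMENTS in Shell Link (.lnk) files.

Added example, not the article's or any vendor's code. Field layout follows
the public [MS-SHLLINK] spec; the 260-character display limit and the padding
characters are those the article describes. Sample shortcuts are constructed here.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits (only those this example needs)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

TARGET_FIELD_LIMIT = 260       # characters the Properties dialog renders
PADDING_CHARS = " \t\n\v\f\r"  # whitespace used as padding in the wild
PADDING_THRESHOLD = 16         # assumption: more leading blanks than this is abnormal


def _string_data(text: str) -> bytes:
    """StringData entry: CountCharacters (u16) + UTF-16LE string, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.

    Used to create test input; real samples usually also carry a LinkTargetIDList
    and LinkInfo, which parse_lnk() skips over.
    """
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII",
                         HEADER_SIZE, LNK_CLSID, flags,
                         0,           # FileAttributes
                         0, 0, 0,     # Creation/Access/Write time
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1..3
    terminal_block = struct.pack("<I", 0)  # ends the ExtraData section
    return header + _string_data(relative_path) + _string_data(arguments) + terminal_block


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    fields = {}
    for flag in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[flag] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[flag] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return {"flags": flags,
            "relative_path": fields.get(HAS_RELATIVE_PATH, ""),
            "arguments": fields.get(HAS_ARGUMENTS, "")}


def analyze_lnk(data: bytes) -> dict:
    """Reconstruct the visible Target text and whatever lies past the 260-char cut."""
    lnk = parse_lnk(data)
    args = lnk["arguments"]
    # Target field = path + " " + arguments (path omitted when only an IDList carries it)
    target_text = " ".join(p for p in (lnk["relative_path"], args) if p)
    padding = len(args) - len(args.lstrip(PADDING_CHARS))
    hidden = target_text[TARGET_FIELD_LIMIT:].strip(PADDING_CHARS)
    unusual_ws = any(c in "\t\n\v\f\r" for c in args)
    return {"visible_target": target_text[:TARGET_FIELD_LIMIT].rstrip(),
            "hidden_command": hidden,
            "leading_padding": padding,
            "unusual_whitespace": unusual_ws,
            "suspicious": bool(hidden) or padding > PADDING_THRESHOLD or unusual_ws}


# Constructed samples: one padded in the style the article describes, one ordinary.
PADDED_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", " " * 296 + "\t\v\f\r" + "/c calc.exe")
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\notes.txt")

if __name__ == "__main__":
    import sys
    for name, blob in (("padded", PADDED_LNK), ("benign", BENIGN_LNK)):
        print(name, analyze_lnk(blob))
    for path in sys.argv[1:]:  # scan real .lnk files named on the command line
        with open(path, "rb") as fh:
            print(path, analyze_lnk(fh.read()))
```

Run it with one or more .lnk paths to scan extracted archive contents; `hidden_command` is the text a user would only see by scrolling past the 260th character of the Target field, and `unusual_whitespace` catches the tab, line-feed and similar padding characters that no legitimate shortcut argument needs. When a sample stores its target only in the LinkTargetIDList, the path is not reconstructed and the check runs on the arguments alone, which is still where the padding lives.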
ACROS Security, creator of the 0patch platform, has released an unofficial micropatch that limits shortcut Target strings to 260 characters and alerts the user when a shortcut contains a suspiciously long Target field. The company says its patch would neutralize the more than 1,000 malicious LNK files identified by Trend Micro, whereas Microsoft's silent mitigation still leaves room for exploitation.
The 0patch fix is available to Pro and Enterprise subscribers running Windows versions that Microsoft no longer supports, including Windows 7 through Windows 11 22H2 and Windows Server 2008 R2 through Windows Server 2022.
Until Microsoft provides a complete fix, users and organizations are urged to remain cautious when opening shortcuts from unknown sources, especially those delivered inside archives.