International Business Times UK
Rohit David

Microsoft Issues Unannounced Patch for Zero-Day LNK Vulnerability Used in Real-World Attacks

Microsoft's quiet patch fixes an 8-year-old LNK zero-day exploited by hackers (Credit: Angel Bena : Pexels)

Security researchers have flagged a quietly shipped Microsoft patch for CVE-2025-9491, a long-exploited vulnerability in Windows LNK (shortcut) files, now fixed in the November 2025 updates. Threat actors, including state-sponsored groups, have weaponised the flaw for years in espionage and malware campaigns by hiding malicious commands inside shortcut files.

With Patch Tuesday alerts circulating, organisations are now moving to apply the update and put compensating controls in place against these attacks.

Hidden Flaw: How LNK Files Became a Hacker's Tool

Attackers have exploited CVE-2025-9491 since at least 2017, turning everyday Windows shortcut files into silent weapons. The weakness is a user-interface misrepresentation in how the LNK format is displayed: an attacker pads the shortcut's command-line arguments with whitespace (spaces, tabs, carriage returns and line feeds) so that the PowerShell or batch command sits beyond the first 260 characters of the Target field shown in the file's Properties dialog, where the user sees only a harmless-looking prefix.

Users rarely inspect shortcut details, so the disguised shortcuts appear harmless and are typically delivered inside ZIP archives, masquerading as documents, to bypass email filters. Double-clicking the shortcut runs the hidden command with the user's privileges, giving malware such as PlugX or Ursnif a foothold on the system. Trend Micro's Zero Day Initiative first spotlighted the issue on 18 March 2025, having uncovered nearly 1,000 malicious samples across campaigns in 60 countries.
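To make the padding trick concrete, here is an added example (not code from the article, ZDI or Microsoft) that parses the relevant parts of a .lnk file per the MS-SHLLINK layout and flags shortcuts whose real command-line arguments are pushed behind a run of whitespace. The 260-character visible limit, the set of characters treated as padding, and the two shortcut blobs it analyses are assumptions constructed for this example; the blobs are built inline by the script and are not real malware samples.

```python
import struct

# --- Constants from the MS-SHLLINK Shell Link format, section 2.1 ---
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))

PAD_CHARS = frozenset(" \t\r\n\x0b\x0c")  # assumed: rendered as blank in the Target box
VISIBLE_LIMIT = 260                        # assumed: characters of Target the dialog shows


def parse_lnk(data):
    """Parse ShellLinkHeader and StringData; skip LinkTargetIDList/LinkInfo by size."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    fields = {"flags": flags}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)  # CountCharacters, no NUL terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def analyze_arguments(args, visible_limit=VISIBLE_LIMIT):
    """Heuristic: where does the first non-whitespace character of the arguments sit?"""
    i = 0
    while i < len(args) and args[i] in PAD_CHARS:
        i += 1
    control = sum(1 for c in args[:i] if c != " ")  # CR/LF/tab padding is never legitimate
    return {"padding_chars": i, "control_chars": control,
            "hidden_command": args[i:], "suspicious": i >= visible_limit or control > 0}


def scan_lnk(data):
    """Parse a .lnk blob and return the padding analysis of its arguments."""
    return analyze_arguments(parse_lnk(data).get("arguments", ""))


def build_lnk(relative_path, arguments, unicode=True):
    """Construct a minimal .lnk for testing (constructed input, not a real sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x20)            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                       # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIH", 0, 0, 7, 0)   # FileSize, IconIndex, ShowCommand=SW_SHOWMINNOACTIVE, HotKey
    header += b"\x00" * 10                       # Reserved1/2/3
    assert len(header) == LNK_HEADER_SIZE
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDList containing only the TerminalID

    def string_data(s):
        return struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode else s.encode("cp1252"))

    return header + id_list + string_data(relative_path) + string_data(arguments)


# Constructed inputs: a padded shortcut in the style the article describes, and a benign one.
PADDING = " " * 300 + "\r\n" * 20 + "\t" * 20 + " " * 100   # 460 chars, 60 of them control chars
HIDDEN = '-w hidden -c "Start-Process calc.exe"'
MALICIOUS_LNK = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                          PADDING + HIDDEN)
BENIGN_LNK = build_lnk("..\\..\\Windows\\notepad.exe", "C:\\Users\\Public\\notes.txt")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        r = scan_lnk(blob)
        print(f"{label}: padding={r['padding_chars']} control={r['control_chars']} "
              f"suspicious={r['suspicious']} command={r['hidden_command']!r}")
```

Pointed at a directory of extracted email attachments, the same parse_lnk/analyze_arguments pair gives a cheap triage signal: any shortcut whose arguments begin with hundreds of blanks, or with carriage returns and line feeds at all, deserves a look regardless of what the Properties dialog appears to show.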

The flaw's CVSS score of 7.8 reflects a high-severity code-execution risk, although exploitation requires the user to open the shortcut. No Windows version escaped: systems from Windows 10 onward are all affected. Financial institutions and governments suffered most, with data theft widespread. That the flaw persisted for so long shows how a subtle display quirk can slip past even vigilant defenders, especially in phishing-heavy environments.

Real-World Exploitation

Eleven state-sponsored groups from China, Iran, North Korea and Russia weaponised the LNK zero-day for espionage, data exfiltration and fraud, according to Trend Micro's analysis. The Chinese APT Mustang Panda (also tracked as UNC6384) targeted European diplomats in Hungary and Belgium during September and October 2025, using spear-phishing lures posing as EU documents to deploy the PlugX RAT by side-loading a malicious DLL through a legitimately signed Canon printer utility.

Victims unwittingly downloaded ZIP archives containing the tainted shortcuts, giving the attackers persistent access for intelligence gathering. Other actors, such as North Korea's Lazarus and Russia's APT29, integrated the technique into supply-chain attacks, masking payloads in software distributions. Groups such as Evil Corp and Bitter APT favoured it for Trickbot delivery, hitting the financial sector hard.

Arctic Wolf reported these diplomatic breaches on 31 October 2025, urging immediate mitigations amid unpatched systems. On X, cybersecurity analyst @H4ckmanac highlighted the alert: 'Windows Zero-Day Exploit Actively Abused in Diplomatic Attacks. No Patch Available Yet.'

These campaigns show how the flaw lets attackers pair low-tech deception with high-stakes outcomes, slipping past antivirus by disguising the malicious file rather than by any sophisticated evasion.

Microsoft's Quiet Fix and Path Forward for Users

Microsoft initially declined to treat CVE-2025-9491 as a vulnerability requiring a fix, pointing to the existing warnings Windows shows and the user interaction needed, as its November guidance put it: 'Windows identifies shortcut files (.lnk) as a potentially dangerous file type... we strongly recommend heeding this warning.' Yet, under mounting pressure from ongoing exploitation, the company slipped a fix into the 11 November 2025 Patch Tuesday release, which addressed 63 flaws in total.

The update changes how the Target field is displayed so that the padded arguments no longer hide the real command, neutralising the obfuscation without any announcement. ACROS Security's Mitja Kolsek confirmed the change on 3 December 2025, noting a gradual rollout since June, and released a 0patch micropatch as an alternative for legacy systems.

Tech outlet @PetriFeed posted on X: 'Microsoft Patches Widely Exploited Windows LNK Zero-Day Vulnerability'.

While the fix is effective against this particular trick, experts caution that layered defences, including email attachment scanning and user training, remain vital as attackers adapt their tactics.
