LmCast :: Stay tuned in

Microsoft "mitigates" Windows LNK flaw exploited as zero-day

Recorded: Dec. 3, 2025, 9:02 p.m.

Microsoft "mitigates" Windows LNK flaw exploited as zero-day

By Sergiu Gatlan

December 3, 2025
11:45 AM

Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks.
Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files.
Threat actors distribute these files in ZIP or other archives because email platforms commonly block .lnk attachments due to their risky nature.
The vulnerability lies in how Windows displays .LNK files rather than in how it runs them. Attackers pad the Target field (the shortcut's path and command-line arguments) with hundreds of whitespace characters so that the malicious arguments sit past the first 260 characters, which is all the file's Properties dialog shows. The shortcut still executes the full command when double-clicked, but a user inspecting it sees only blank space, so the actual command runs without the user's knowledge and the file evades casual review.
As Trend Micro threat analysts found in March 2025, CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others.
"Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and Trickbot have been tracked in these campaigns, with malware-as-a-service (MaaS) platforms complicating the threat landscape," Trend Micro said.
Arctic Wolf Labs also reported in October that the Chinese state-backed Mustang Panda hacking group was exploiting this Windows vulnerability in zero-day attacks targeting European diplomats in Hungary, Belgium, and other European nations to deploy the PlugX remote access trojan (RAT) malware.

Malicious arguments not showing in the Target field (Trend Micro)
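The padding trick is easy to check for mechanically, because the arguments live in a documented structure. The script below is an added example written for this page, not code from the article, Trend Micro or 0patch: it parses the StringData section of a Shell Link file per the public [MS-SHLLINK] format, pulls out COMMAND_LINE_ARGUMENTS, and reports what a 260-character Target box would have shown versus what the shortcut actually runs. The build_lnk helper, the two sample shortcuts, the placeholder command and the 32-character padding threshold are all constructed for the demo; the parser skips LinkTargetIDList and LinkInfo instead of decoding them, which is enough for triaging argument padding.

```python
"""Added example: triage Windows Shell Link (.lnk) files for whitespace-padded
arguments (the CVE-2025-9491 concealment trick). Constructed for this page,
not code from the article, Trend Micro or 0patch. Layout follows the public
[MS-SHLLINK] specification; build_lnk() exists only so the check can run on
in-memory samples without touching a real shortcut.
"""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits used here (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

TARGET_DISPLAY_LIMIT = 260          # characters the old Properties Target box showed
PAD_CHARS = " \t\n\x0b\x0c\r"       # whitespace usable as padding
SUSPICIOUS_PAD_RUN = 32             # constructed threshold for the demo


def _read_string(data, pos, unicode):
    """Read one StringData entry: u16 CountCharacters, then the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + count * 2].decode("utf-16-le"), pos + count * 2
    return data[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(data):
    """Return LinkFlags and the StringData fields of a .lnk blob."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList: u16 size + items
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # skip LinkInfo: u32 size counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    strings = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            strings[name], pos = _read_string(data, pos, flags & IS_UNICODE)
    return {"flags": flags, "strings": strings}


def analyze_lnk(data):
    """Report what a 260-char Target box shows versus what the shortcut runs."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    leading_pad = len(args) - len(args.lstrip(PAD_CHARS))
    control_ws = any(c in args for c in PAD_CHARS[1:])   # tab/LF/VT/FF/CR
    hidden = args[TARGET_DISPLAY_LIMIT:].strip(PAD_CHARS)
    return {
        "arguments_length": len(args),
        "leading_padding": leading_pad,
        "control_whitespace": control_ws,
        "visible_in_old_properties_ui": args[:TARGET_DISPLAY_LIMIT].strip(PAD_CHARS),
        "hidden_after_display_limit": hidden,
        "effective_command": args.strip(PAD_CHARS),
        "suspicious": leading_pad >= SUSPICIOUS_PAD_RUN or bool(hidden) or control_ws,
    }


def build_lnk(relative_path, arguments, working_dir="."):
    """Minimal Unicode shortcut with RelativePath, WorkingDir and Arguments
    (constructed for the demo; real shortcuts usually also carry an IDList)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        HEADER_SIZE, LINK_CLSID, flags,
        0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # CreationTime, AccessTime, WriteTime (unset)
        0, 0,        # FileSize, IconIndex
        1,           # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )

    def entry(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    terminal_block = struct.pack("<I", 0)  # ExtraData TerminalBlock
    return header + entry(relative_path) + entry(working_dir) + entry(arguments) + terminal_block


# Constructed samples: same target, one padded with 300 spaces before the real arguments
BENIGN = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/k echo benign shortcut")
PADDED = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                   " " * 300 + "/c echo hidden-command-placeholder")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, analyze_lnk(blob))
```

Run it over shortcuts extracted from suspect archives with analyze_lnk(open(path, "rb").read()). A non-empty hidden_after_display_limit is exactly the text a user could not see before the November update, visible_in_old_properties_ui is what they saw instead, and control_whitespace catches padding built from tabs or line breaks, which have no legitimate place in a shortcut's arguments.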
Microsoft pushes silent "patch"
Microsoft told BleepingComputer in March that it would "consider addressing" this zero-day flaw, even though it didn't "meet the bar for immediate servicing."
In a November advisory, Microsoft added that it doesn't consider this a vulnerability "due to the user interaction involved and the fact that the system already warns users that this format is untrusted," even though threat actors could still chain a Mark of the Web bypass vulnerability to suppress those warnings and ensure their attacks succeed.
Despite this, as ACROS Security CEO and 0patch co-founder Mitja Kolsek found, Microsoft silently changed how Windows displays LNK files in the November updates, in an apparent effort to mitigate CVE-2025-9491. After installing last month's updates, users can see all characters in the Target field when opening the Properties of an LNK file, not just the first 260.
However, this isn't a fix: the malicious arguments are still present in the file and still execute, and the user receives no warning when opening an LNK file whose Target string exceeds 260 characters.
When asked to confirm if this change is an attempt to mitigate the vulnerability, a Microsoft spokesperson shared the following statement: "As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources, as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files."
Unofficial patches available
Until Microsoft adequately addresses this security flaw, ACROS Security has released an unofficial patch via its 0Patch micropatch platform, which limits all shortcut target strings to 260 characters and warns users about the potential danger of opening shortcuts with unusually long target strings.

"Our patch would break the 1000+ malicious shortcuts identified by Trend Micro for all targeted users, while Microsoft's patch would only allow the most cautious among these users - who would probably not launch such shortcuts anyway - to see the entire malicious command string," Kolsek said.
"Even though malicious shortcuts could be constructed with fewer than 260 characters, we believe disrupting actual attacks detected in the wild can make a big difference for those targeted."
ACROS Security's unofficial CVE-2025-9491 patch is available to 0patch users with PRO or Enterprise accounts on the Windows versions 0patch supports, most of which have reached end of support (Windows 7 through Windows 11 22H2, and Windows Server 2008 R2 through Windows Server 2022).
Update December 04, 14:16 EST: Added Microsoft statement.



Tags: 0patch, Actively Exploited, CVE-2025-9491, LNK, Micropatch, Mitigation, Windows, Zero-Day

Sergiu Gatlan
Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.


Comments

RexvimilZuzakzmo - 19 hours ago

Is it only me, or does updating Windows seem to make it actually less secure these days?
Maybe it would be a good idea to track when discussed vulnerabilities were introduced as well?
Not really a Windows user, but are we approaching the point where selecting some late Windows 7/8/10 version and trying to secure it via unofficial fixes would actually be a better option, for the Microsoft-system orthodox?

Copyright @ 2003 - 2025 Bleeping Computer® LLC - All Rights Reserved


Microsoft has quietly shipped a partial mitigation for a high-severity Windows LNK vulnerability, tracked as CVE-2025-9491, that multiple state-sponsored and cybercrime groups have been exploiting as a zero-day. The flaw lets attackers conceal malicious commands inside Windows Shell Link (.lnk) files, which are then used to deploy malware and establish persistence on compromised systems. The attack requires user interaction: the victim must open a deceptively crafted .lnk file, typically delivered inside a ZIP or other archive because email platforms commonly block bare .lnk attachments.

The exploit turns a display limitation into a concealment technique. The Target field in a shortcut's Properties dialog showed at most 260 characters, so attackers pad the field with whitespace until the real command-line arguments fall beyond that window; Windows still executes them in full, but a user inspecting the shortcut sees nothing alarming. Trend Micro's analysis, published in March 2025, identified 11 state-backed and cybercrime groups abusing the flaw, including Evil Corp, Bitter, APT37, APT43 (Kimsuky), Mustang Panda, SideWinder, RedHotel, and Konni, delivering payloads and loaders such as Ursnif, Gh0st RAT, and Trickbot, with malware-as-a-service (MaaS) platforms further complicating the threat landscape.

In October 2025, Arctic Wolf Labs reported that the Chinese state-backed Mustang Panda group was exploiting the flaw against European diplomats in Hungary, Belgium, and other European countries to deploy the PlugX remote access trojan (RAT), illustrating its value in politically motivated espionage.

Microsoft initially told BleepingComputer in March that it would "consider addressing" the flaw, which did not "meet the bar for immediate servicing." In a November advisory it went further, stating that it does not consider the issue a vulnerability at all because user interaction is required and Windows already warns that the format is untrusted. ACROS Security CEO and 0patch co-founder Mitja Kolsek nonetheless found that the November updates quietly changed how Windows displays LNK files: the Properties dialog now shows the full Target string rather than only the first 260 characters.

That change improves visibility but is not a fix. The padded arguments remain in the file and still execute when the shortcut is opened, and users receive no warning when a Target string exceeds 260 characters.

ACROS Security has therefore released an unofficial patch through its 0patch micropatch platform. It limits all shortcut target strings to 260 characters, which breaks the padded shortcuts Trend Micro identified in the wild, and warns users before a shortcut with an unusually long target string is opened. Kolsek notes that malicious shortcuts could be built with fewer than 260 characters, so the micropatch disrupts the attacks currently observed rather than closing the technique entirely.

The micropatch is available to 0patch PRO and Enterprise users on the Windows versions 0patch covers (Windows 7 through Windows 11 22H2, and Windows Server 2008 R2 through Windows Server 2022), most of which have reached end of support. Asked whether its November change was meant to mitigate CVE-2025-9491, Microsoft did not say so directly and instead advised customers to heed the security warnings and exercise caution with files from unknown sources.