Microsoft has quietly changed how Windows handles a flaw in LNK (shortcut) files, tracked as CVE-2025-9491, that state-sponsored and cybercriminal groups have been exploiting. The flaw lets attackers hide malicious command-line arguments inside Windows LNK files, which they use to deliver malware and maintain persistence on compromised devices. Exploitation requires user interaction: the victim has to be tricked into opening the malicious shortcut.
To get past email security controls that commonly block .lnk attachments, threat actors usually deliver the files inside ZIP or other archives. The flaw itself lies in how Windows displays .LNK files: the Target field in a shortcut's Properties dialog showed at most 260 characters, so an attacker who pads the command-line arguments with enough whitespace pushes the real command past that window. A user who inspects the shortcut sees only a harmless-looking target, while the hidden arguments are still executed when the shortcut is opened.
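The padding trick is easy to check for offline. The following is an added example, not code from the article, ACROS or Trend Micro: a minimal parser for the StringData section of the MS-SHLLINK format that reconstructs roughly what the Properties dialog's Target field would have shown, and flags shortcuts whose arguments contain a long whitespace run with a command beyond the 260-character window. The test vectors are constructed here (incomplete shortcuts with no IDList or LinkInfo, and a harmless echo as the "payload"), and the 32-character padding threshold is an assumption, not a Windows or Trend Micro figure.

```python
"""
Flag LNK files whose command-line arguments are whitespace-padded so the
real command falls outside the 260-character Target window (CVE-2025-9491).

Added example; not the article's or any vendor's code. Follows the
MS-SHLLINK layout: ShellLinkHeader, optional LinkTargetIDList and LinkInfo,
then the StringData fields. Test vectors below are constructed.
"""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
PROPERTIES_WINDOW = 260        # characters the Target field showed before the November update
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace an attacker can pad with
MIN_PADDING_RUN = 32           # assumption: legitimate arguments rarely contain runs this long


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields: name, relative_path, working_dir, arguments, icon_location."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def longest_pad_run(s: str) -> int:
    """Length of the longest consecutive run of padding characters in s."""
    best = run = 0
    for ch in s:
        run = run + 1 if ch in PAD_CHARS else 0
        best = max(best, run)
    return best


def inspect_lnk(data: bytes, target_path: str = "") -> dict:
    """Approximate the Target field (target + space + arguments) and what lies past the window.

    The real dialog shows the resolved absolute target; resolving the IDList is out of
    scope, so RELATIVE_PATH is used unless the caller passes target_path. A longer real
    path only pushes more of the arguments out of view, so anything flagged here would
    also have been hidden in the real dialog.
    """
    fields = parse_string_data(data)
    args = fields.get("arguments", "")
    target = target_path or fields.get("relative_path", "")
    shown = f"{target} {args}" if args else target
    visible = shown[:PROPERTIES_WINDOW].strip(PAD_CHARS)
    hidden = shown[PROPERTIES_WINDOW:].strip(PAD_CHARS)
    pad_run = longest_pad_run(args)
    return {
        "visible": visible,
        "hidden": hidden,
        "longest_padding_run": pad_run,
        "suspicious": bool(hidden) and pad_run >= MIN_PADDING_RUN,
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test vector: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS only (ASCII input)."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body


# Constructed samples: a normal shortcut and one padded the CVE-2025-9491 way.
BENIGN_LNK = build_lnk(".\\notepad.exe", "readme.txt")
PADDED_LNK = build_lnk(".\\cmd.exe", " " * 900 + "/c echo simulated-payload")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        report = inspect_lnk(blob)
        print(f"{label}: suspicious={report['suspicious']} "
              f"pad_run={report['longest_padding_run']} hidden={report['hidden']!r}")
```

Run it over extracted archive contents rather than mail attachments directly, since the shortcuts arrive zipped. The run-length check matters as much as the 260-character cut-off: a long but legitimate target string has no padding run, while a padded one does, and the padding is what the 0patch-style length check and this script both key on.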
In March 2025, Trend Micro analysts reported that CVE-2025-9491 was already being exploited by 11 hacking groups, including Evil Corp and Kimsuky, in campaigns that delivered payloads such as Ursnif, Gh0st RAT, and Trickbot, some of them obtained through malware-as-a-service (MaaS) platforms.
Microsoft pushes silent “patch”
In March, Microsoft told BleepingComputer that it would "consider addressing" the zero-day, but did not treat it as urgent. By November, the company's position was that the issue is not a vulnerability, because exploitation requires user interaction and Windows already warns users before running files in untrusted formats. It did acknowledge that an attacker could chain it with a Mark of the Web bypass to suppress those warnings.
Despite that stance, ACROS Security CEO Mitja Kolsek found that Microsoft had quietly changed LNK handling in its November updates: the Properties dialog of an LNK file now shows the full Target string instead of only its first 260 characters. The change does not strip the hidden arguments from the file, and it shows no warning when a shortcut's Target string exceeds the old limit.
A Microsoft spokesperson was not immediately available to confirm whether the change was intended as a mitigation for the vulnerability.
Unofficial patches available
In the meantime, ACROS Security has released an unofficial patch through its 0patch micropatch platform. The micropatch limits shortcut target strings to 260 characters and warns users about the risk when they try to open a shortcut whose target string is abnormally long. Kolsek said the patch would neutralize the more than 1,000 malicious shortcuts Trend Micro identified, whereas Microsoft's change helps only the most cautious users, those who inspect a shortcut's properties and are therefore unlikely to open it in the first place.
Kolsek stressed that although malicious shortcuts can be built with fewer than 260 characters, breaking the attacks actually seen in the wild would still protect many targeted users. The unofficial patch for CVE-2025-9491 is available to 0patch PRO and Enterprise users for Windows 7 through Windows 11 22H2 and Windows Server 2008 R2 through Windows Server 2022, including versions that have reached end of support.