Microsoft Patches Widely Exploited Windows LNK Zero-Day

Attackers have been abusing a flaw in how Windows displays shortcut (.lnk) files, using it to deliver malware in targeted campaigns worldwide. The vulnerability, tracked as CVE-2025-9491 (ZDI-CAN-25373), had been under active exploitation for months before Microsoft shipped a fix as part of its November 2025 Patch Tuesday update.

The flaw is a user-interface weakness rather than a memory-safety bug. A shortcut's Properties dialog shows the target path and its command-line arguments together in the "Target" field, but that field displays only a limited number of characters. By padding the arguments with long runs of whitespace (spaces, tabs, line feeds, vertical tabs, form feeds and carriage returns), an attacker pushes the malicious command past the visible portion, so a user who inspects the shortcut sees only a harmless-looking path.
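As an added example (not code from the original article, from Microsoft or from Trend Micro), the following Python script parses the StringData section of a .lnk file according to the public MS-SHLLINK layout and flags command-line arguments that sit behind a long run of whitespace. The two sample shortcuts are constructed in memory for the demonstration and are not real malware; the 32-character run threshold is a heuristic chosen here, not a figure from any advisory.

```python
"""Parse a Windows .lnk (Shell Link) file and flag whitespace-padded
COMMAND_LINE_ARGUMENTS of the kind used against CVE-2025-9491.
Field layout follows MS-SHLLINK; sample shortcuts are constructed, not real."""
import struct
import sys

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide where StringData sits
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# Whitespace characters reported as padding in the in-the-wild samples
PAD_CHARS = frozenset(" \t\n\x0b\x0c\r")
# Minimum run length to flag: a heuristic chosen for this example (assumption)
PADDING_RUN_THRESHOLD = 32

def _read_string(buf, off, unicode_):
    """One StringData entry: uint16 CountCharacters then the characters
    (UTF-16LE if IsUnicode is set, else system code page), no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    width = 2 if unicode_ else 1
    raw = buf[off:off + count * width]
    text = raw.decode("utf-16-le") if unicode_ else raw.decode("cp1252", "replace")
    return text, off + count * width

def parse_lnk(buf):
    """Return the StringData fields present in a .lnk, plus ShowCommand."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip LinkTargetIDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (size includes itself)
        off += struct.unpack_from("<I", buf, off)[0]
    unicode_ = bool(flags & IS_UNICODE)
    fields = {"show_command": struct.unpack_from("<I", buf, 60)[0]}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[name], off = _read_string(buf, off, unicode_)
    return fields

def find_padding(args):
    """Return (longest run of padding chars, text after that run or None)."""
    best_len = best_end = 0
    i, n = 0, len(args)
    while i < n:
        if args[i] not in PAD_CHARS:
            i += 1
            continue
        j = i
        while j < n and args[j] in PAD_CHARS:
            j += 1
        if j - i > best_len:
            best_len, best_end = j - i, j
        i = j
    if best_len >= PADDING_RUN_THRESHOLD and best_end < n:
        return best_len, args[best_end:]
    return best_len, None

def assess(buf):
    """Parse a .lnk and report whether a payload hides behind padding."""
    fields = parse_lnk(buf)
    args = fields.get("arguments", "")
    run, hidden = find_padding(args)
    return {"relative_path": fields.get("relative_path"),
            "show_command": fields["show_command"], "argument_length": len(args),
            "longest_padding_run": run, "hidden_arguments": hidden,
            "suspicious": hidden is not None}

def build_lnk(relative_path, arguments, show_command=1):
    """Construct a minimal .lnk (header + StringData only) as test input."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments)

# Constructed samples: a plain shortcut and one whose real arguments sit
# behind 400 whitespace characters (ShowCommand 7 = SW_SHOWMINNOACTIVE).
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", "readme.txt")
PADDED_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                       " \t" * 200 + "/c start notepad.exe", show_command=7)

if __name__ == "__main__":
    # Scan .lnk files named on the command line, or the built-in samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, assess(f.read()))
    else:
        for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
            print(label, assess(blob))
```

Saved under any name and run with a shortcut path as its argument, the script reports the full argument string that the Properties dialog would truncate, along with ShowCommand, which decides whether the launched window is visible to the user.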

How did attackers exploit the Windows LNK vulnerability?

When the user opens the crafted shortcut, the hidden command runs with that user's privileges and can install malware or otherwise compromise the system. Exploitation requires user interaction, but that has not deterred numerous threat groups, which have used the technique for purposes ranging from espionage to commodity malware distribution.

Microsoft elaborated on the nature of the attacks, stating, “In all cases, an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment.”

The technique was publicly documented by Trend Micro's Zero Day Initiative in March 2025, which reported that at least 11 threat groups had already been using it, among them Evil Corp, APT37, Kimsuky, and Mustang Panda. Malware delivered this way includes Ursnif, Gh0st RAT, Trickbot, and PlugX. Mustang Panda in particular used the technique in espionage campaigns against European diplomats.

Why did Microsoft delay the patch?

Microsoft initially declined to fix CVE-2025-9491, arguing that exploitation required user interaction and that existing Windows warnings offered adequate protection. Attackers nonetheless found ways around those safeguards, using a Mark-of-the-Web loophole to get malicious .LNK files to run without triggering a security prompt. After months of continued exploitation, Microsoft quietly rolled out a fix.

Security recommendations for administrators

To reduce exposure to CVE-2025-9491, users should avoid opening unexpected .LNK files, especially ones that arrive inside compressed archives or from unknown senders. Organizations should filter .LNK attachments at the mail gateway and in file-transfer channels, block shortcut execution from untrusted locations, and train staff not to open unexpected attachments. Because the vulnerability hides the payload from the Properties dialog, inspecting a shortcut through that dialog is not a reliable check; read the file's command-line arguments with a parser instead.

Administrators should also apply Microsoft's latest security updates promptly. Endpoint protection that inspects .LNK files, together with monitoring for unusual shortcut behaviour (for example, shortcuts that launch cmd.exe or PowerShell with unusually long argument strings), adds a further layer of defense.

Winsage