Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation

Dec 03, 2025 | Ravie Lakshmanan | Vulnerability / Endpoint Security

Microsoft’s Silent Security Update

In a quiet yet significant move, Microsoft has addressed a long-standing security vulnerability that has been exploited by various threat actors since 2017. This fix was part of the company’s November 2025 Patch Tuesday updates, as noted by ACROS Security’s 0patch.

The vulnerability, identified as CVE-2025-9491 with a CVSS score of 7.8/7.0, is a user-interface misrepresentation issue in Windows Shortcut (LNK) files that can lead to remote code execution. According to the NIST National Vulnerability Database (NVD), the flaw lies in the handling of .LNK files: crafted data can obscure hazardous content so that it is invisible to a user inspecting the file through the Windows interface, allowing an attacker to execute code in the context of the current user.

In practice, the crafted shortcuts pad the command with runs of various whitespace characters, so that the malicious arguments are pushed out of view when a user opens the file's Properties dialog. Attackers disguise such files as innocuous documents, making them particularly deceptive.

The first indications of this vulnerability emerged in March 2025, when Trend Micro’s Zero Day Initiative (ZDI) revealed that it had been exploited by 11 state-sponsored groups from nations such as China, Iran, North Korea, and Russia. These exploits were part of broader campaigns focused on data theft, espionage, and financial gain, some dating back to 2017. This issue is also cataloged as ZDI-CAN-25373.

At that time, Microsoft informed The Hacker News that the flaw did not warrant immediate attention and would be considered for future updates. The company also highlighted that the LNK file format is blocked across various applications, including Outlook, Word, Excel, PowerPoint, and OneNote, which triggers warnings for users attempting to open such files from untrusted sources.

Subsequent investigations by HarfangLab revealed that the vulnerability was exploited by a cyber espionage group known as XDSpy, which utilized it to distribute a Go-based malware named XDigo, targeting Eastern European governmental entities shortly after the flaw was publicly disclosed.

In late October 2025, the vulnerability resurfaced when Arctic Wolf reported an offensive campaign in which China-affiliated threat actors weaponized the flaw to target European diplomatic and government entities, delivering the PlugX malware.

This series of events prompted Microsoft to issue formal guidance on CVE-2025-9491, in which it reiterated that it would not patch the flaw. Microsoft stated that it does not consider the issue a vulnerability, because exploitation requires user interaction and the system already warns that this file format is untrusted.

0patch elaborated that the issue extends beyond merely concealing malicious commands: the LNK format accommodates lengthy command strings (up to 32k characters), while the Properties dialog displays only the first 260 characters and truncates the rest. This allows an LNK file to execute an extensive command while the user sees only a fraction of its content.

Microsoft's recent silent patch addresses this by ensuring that the entire Target command, together with its arguments, is displayed in the Properties dialog regardless of length. However, this only helps against shortcuts whose Target field actually exceeds 260 characters.

In contrast, 0patch's micropatch takes a proactive approach by issuing a warning when a user attempts to open an LNK file containing more than 260 characters. 0patch acknowledges that malicious shortcuts can be crafted with fewer characters, but argues that disrupting the attacks actually observed in the wild still meaningfully protects those targeted.
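The two traits described above, an argument string longer than the 260 characters the Properties dialog shows and large runs of padding whitespace in front of the real command, are both visible in the raw file. The following triage script is an added example, not code from the article, Microsoft or 0patch: it reads the COMMAND_LINE_ARGUMENTS string from a shortcut's StringData (MS-SHLLINK layout) and reports both traits, so a defender can sweep a mail quarantine or file share for shortcuts worth a closer look. The 260-character display limit is taken from the article; the 32-character padding threshold, the whitespace set and the constructed sample shortcut are assumptions chosen for this example.

```python
# Added example (not from the article or from Microsoft/0patch): defender-side
# triage of a Windows shortcut's argument string for the traits the article
# describes (length beyond what the Properties dialog shows, whitespace padding).
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

DISPLAY_LIMIT = 260        # characters the Properties dialog shows (per the article)
PADDING_THRESHOLD = 32     # assumption: more leading whitespace than this is suspicious
PADDING_CHARS = " \t\n\v\f\r"   # assumption: the whitespace set treated as padding


def _read_string(data, offset, unicode):
    """Read one StringData entry: CountCharacters (u16) followed by the characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        raw = data[offset:offset + count * 2]
        return raw.decode("utf-16-le"), offset + count * 2
    raw = data[offset:offset + count]
    return raw.decode("latin-1"), offset + count


def parse_lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK, or '' if it has none."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize (u16) plus the IDList itself
        (size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        (size,) = struct.unpack_from("<I", data, offset)
        offset += size
    unicode = bool(flags & IS_UNICODE)
    args = ""
    # StringData entries appear in this fixed order, each present only if its flag is set
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & flag:
            text, offset = _read_string(data, offset, unicode)
            if flag == HAS_ARGUMENTS:
                args = text
    return args


def assess_lnk(data):
    """Summarise the argument string and say whether the shortcut deserves review."""
    args = parse_lnk_arguments(data)
    leading = len(args) - len(args.lstrip(PADDING_CHARS))
    return {
        "arg_length": len(args),
        "leading_whitespace": leading,
        "exceeds_display": len(args) > DISPLAY_LIMIT,
        "padded": leading > PADDING_THRESHOLD,
        # what a user would actually see inside the 260-character window
        "visible_prefix": args[:DISPLAY_LIMIT].strip(PADDING_CHARS),
        "suspicious": len(args) > DISPLAY_LIMIT or leading > PADDING_THRESHOLD,
    }


def build_sample_lnk(arguments):
    """Constructed test input, not a real-world sample: a minimal Unicode shortcut
    that carries only an argument string (no target ID list, no link info)."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_ARGUMENTS | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    benign = build_sample_lnk("/c echo hello")
    padded = build_sample_lnk(" " * 900 + "/c echo hidden")   # constructed, mirrors the described pattern
    print(assess_lnk(benign))
    print(assess_lnk(padded))
```

On a real file, `parse_lnk_arguments(open(path, "rb").read())` is enough; the header check raises on anything that is not a shell link, and the function skips the optional LinkTargetIDList and LinkInfo structures before walking StringData. The `visible_prefix` field is the useful triage signal: when it comes back empty or is nothing but the benign-looking part of the command while `arg_length` is in the thousands, the shortcut is showing the user something different from what it will run.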

The Hacker News has reached out to Microsoft for further comments and will provide updates as they become available.
