A zero-day vulnerability in the way Windows displays shortcut (.lnk) files has been quietly exploited for several years by multiple state-sponsored hacking groups. The flaw lets an attacker hide the command-line arguments of a malicious shortcut from the Windows user interface, so the shortcut runs the attacker's command when opened while showing the victim nothing suspicious.
In late September, Microsoft classified this vulnerability as "not meeting the bar for servicing," indicating that it would not issue a security update to fix the issue. Microsoft has not assigned a CVE-ID to the vulnerability; Trend Micro's Zero Day Initiative is tracking it internally as ZDI-CAN-25373. The flaw allows malicious actors to execute arbitrary code on affected Windows systems.
Trend Micro's research has connected this vulnerability to cyber-espionage campaigns and data breaches affecting organizations worldwide. Their findings indicate that since 2017, ZDI-CAN-25373 has been actively used by 11 nation-state actors from countries including North Korea, Iran, Russia, and China. The Zero Day Initiative (ZDI) has identified nearly 1,000 malicious .lnk samples exploiting the flaw, with indications that many more remain undetected.
According to the researchers, “ZDI-CAN-25373 relates to the way Windows displays the contents of shortcut (.lnk) files through the Windows UI. By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim. Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”
Real-World Attacks
Advanced Persistent Threat (APT) groups have used a variety of methods to exploit this vulnerability. A common one is to attach malicious .lnk files to phishing emails, disguised as legitimate documents. When the victim opens such a file, the shortcut silently runs the hidden command.
Once run, these .lnk files typically download additional payloads such as keyloggers, credential stealers, or remote access tools (RATs), giving the attackers persistent remote control over the compromised machine.
Scan Immediately
Researchers advise organizations to promptly scan their systems for ZDI-CAN-25373 exploitation attempts and to put appropriate security measures in place. Vigilance against suspicious .lnk files and comprehensive endpoint and network protection are critical to detecting and responding to this threat. Trend Micro customers are shielded from potential exploitation attempts through rules and filters released in October 2024 and January 2025.
Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, notes that actively exploited vulnerabilities are typically patched quickly. “It’s unusual for Microsoft to refuse to release a security patch in this situation, given that it is actively being exploited by nation-state groups. Microsoft should address the vulnerability immediately to manage software risk and prevent further attacks and compromises of systems globally.”
In this case, exploiting the vulnerability involves manipulating how Windows displays shortcut files by padding command-line arguments with whitespace characters, explains Jason Soroko, Senior Fellow at Sectigo. “If this method necessitates a series of specific conditions or user interactions that are unlikely in everyday scenarios, Microsoft may perceive it as lower risk. If exploiting this flaw requires the attacker to elevate privileges through an endpoint compromise, I’ve seen Microsoft adopt a similar stance in the past.”
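As an added example (not code from the article, from Trend Micro, or from Microsoft), the following Python script parses a Shell Link file far enough to pull out its COMMAND_LINE_ARGUMENTS field and flags the whitespace padding described above, which is the check a defender would want to run over a mailbox or share full of .lnk files. The header layout and LinkFlags bits follow Microsoft's published MS-SHLLINK format; the set of characters treated as padding, the run-length threshold, and the two constructed sample shortcuts (one benign, one padded) are assumptions made for illustration.

```python
import struct

# Layout constants from the MS-SHLLINK Shell Link binary format.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION))
WHITESPACE = " \t\n\v\f\r"  # characters counted as padding (assumed set for this example)


def parse_lnk(data: bytes) -> dict:
    """Walk a Shell Link file past the header, IDList and LinkInfo and return its StringData fields."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_DATA_FIELDS:         # each: CountCharacters + string, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def longest_whitespace_run(text: str) -> int:
    run = longest = 0
    for ch in text:
        run = run + 1 if ch in WHITESPACE else 0
        longest = max(longest, run)
    return longest


def scan_lnk(data: bytes, max_run: int = 16) -> dict:
    """Flag a shortcut whose arguments are padded so the UI would not show the real command."""
    args = parse_lnk(data).get("arguments", "")
    longest = longest_whitespace_run(args)
    control = sorted({ch for ch in args if ch in WHITESPACE and ch != " "})
    return {
        "arguments_length": len(args),
        "longest_whitespace_run": longest,
        "control_whitespace": control,      # tabs, newlines etc. have no place in a normal command line
        "hidden_arguments": args.strip(),   # what the padding was pushing out of view
        "suspicious": longest >= max_run or bool(control),
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal .lnk (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS) as a test fixture."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<II", flags, 0)          # LinkFlags, FileAttributes
              + b"\x00" * 24                          # CreationTime, AccessTime, WriteTime
              + struct.pack("<IIIH", 0, 0, 1, 0)      # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                         # Reserved1, Reserved2, Reserved3
    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples (not real malware): a normal shortcut and one padded in the style the article describes.
BENIGN_LNK = build_lnk(".\\notepad.exe", "C:\\notes\\todo.txt")
PADDED_LNK = build_lnk(".\\cmd.exe", " " * 900 + "/c whoami")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, scan_lnk(sample))
```

On real files, feed `scan_lnk` the bytes of each .lnk and triage anything marked suspicious by looking at `hidden_arguments`; the threshold of 16 consecutive whitespace characters is a starting point, and any tab, newline, vertical tab, form feed or carriage return in the arguments is worth a look on its own.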