Attack

Microsoft silently mitigates Windows LNK Zero-Day flaw exploited by state-backed hackers

Take action: Apply the November 2025 Windows updates immediately to partially mitigate a vulnerability that allows hackers to hide malicious commands in .LNK shortcut files. Also, be EXTREMELY cautious when opening any .LNK files from emails or downloads, especially from ZIP archives. Even after updating, only open shortcuts from sources you can absolutely verify and trust.


Learn More

Microsoft has silently fixed a high-severity Windows LNK vulnerability that had been actively exploited by multiple state-backed hacking groups and cybercrime organizations in zero-day attacks.

The flaw, tracked as CVE-2025-9491 (CVSS score 7.0), is a UI misrepresentation vulnerability that allows threat actors to hide malicious commands within Windows Shell Link (.lnk) files, enabling them to deploy malware and establish persistence on compromised systems. The attacks require user interaction, but exploitation has been widespread because hackers have managed to trick victims into opening malicious LNK files, typically distributed through ZIP archives.

The vulnerability is caused by the way Windows processes .LNK files, allowing attackers to pad the Target field with whitespace to conceal malicious command-line arguments beyond the first 260 characters visible in the file's properties. As a result, when users inspect the file through Windows' standard user interface, they see only benign-looking content while the hidden malicious commands remain invisible. When a victim double-clicks the LNK file, the concealed command executes in the background without the user's knowledge.
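As an added defensive example (not code from the article, Trend Micro, or Microsoft): a Python checker that walks the Shell Link file layout (MS-SHLLINK) to recover the COMMAND_LINE_ARGUMENTS string, which is what the Target box displays after the path, and flags the whitespace-padding pattern described above. The `min_pad` threshold, the `build_sample_lnk` fixture builder and the `.\readme.txt` name are assumptions made for the demonstration.

```python
import struct

LNK_HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size from MS-SHLLINK
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VISIBLE_LIMIT = 260  # characters the Properties dialog showed before the November 2025 update

def _read_string(data, pos, unicode):
    (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, then the chars, no terminator
    raw = data[pos + 2:pos + 2 + (count * 2 if unicode else count)]
    return (raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")), pos + 2 + len(raw)

def lnk_arguments(data):
    """Walk a Shell Link and return its COMMAND_LINE_ARGUMENTS string (None if absent)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)  # LinkFlags follows HeaderSize + LinkCLSID
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize already counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    args, unicode = None, bool(flags & IS_UNICODE)
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & flag:  # StringData items are present in exactly this order
            text, pos = _read_string(data, pos, unicode)
            if flag == HAS_ARGUMENTS:
                args = text
    return args

def assess_arguments(args, min_pad=32):
    """Flag whitespace padding that pushes argument content past the visible 260-character window."""
    if not args:
        return {"suspicious": False, "reason": "no command-line arguments"}
    visible, hidden = args[:VISIBLE_LIMIT], args[VISIBLE_LIMIT:].strip()
    pad = len(visible) - len(visible.rstrip())  # trailing whitespace inside the visible window
    if hidden and pad >= min_pad:
        return {"suspicious": True, "hidden": hidden,
                "reason": f"{pad} whitespace chars hide {len(hidden)} chars beyond column {VISIBLE_LIMIT}"}
    return {"suspicious": False, "reason": "no padding-based concealment detected"}

def build_sample_lnk(arguments, relative_path=r".\readme.txt"):
    # Constructed test fixture (assumption): a minimal Unicode Shell Link carrying only
    # RELATIVE_PATH and COMMAND_LINE_ARGUMENTS string data, with no IDList or LinkInfo.
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags).ljust(LNK_HEADER_SIZE, b"\0")
    item = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + item(relative_path) + item(arguments)
```

On a real file, `assess_arguments(lnk_arguments(open(path, "rb").read()))` is the whole check; the parser also skips the IDList and LinkInfo sections that real shortcuts carry.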

Security researchers from Trend Micro discovered in March 2025 that the flaw was already being widely exploited by at least 11 state-sponsored groups and cybercrime gangs, including notorious actors such as Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and the Chinese state-backed group UNC6384.

The attacks targeted European diplomatic entities in Hungary, Belgium, Italy, the Netherlands, and Serbian government aviation departments between September and October 2025.

Microsoft initially refused to fix the flaw, stating it did not "meet the bar for immediate servicing." ACROS Security CEO and 0patch co-founder Mitja Kolsek discovered that Microsoft silently modified LNK file handling in the November 2025 updates, so that users now see all characters in the Target field when opening an LNK file's properties, not just the first 260. This change appears to be an attempt to mitigate the vulnerability, though it falls short of being a complete fix: malicious arguments already present in existing LNK files are not automatically deleted, and users receive no warning when opening files with Target strings exceeding 260 characters.