Microsoft Quietly Fixes Windows LNK Flaw After Years of Active Exploitation

Microsoft has rolled out a silent fix for a Windows Shortcut (LNK) vulnerability that has been under active exploitation since 2017. The update was released as part of the company’s November 2025 Patch Tuesday batch, according to details published by ACROS Security’s 0patch team.

Background of the Vulnerability

The flaw, tracked as CVE-2025-9491 and rated with a CVSS score of 7.8/7.0, concerns the way Windows interprets certain LNK files. According to the National Vulnerability Database, specially crafted shortcut files can hide harmful commands inside their properties panel, making the malicious content invisible during basic inspection.

The core issue allows attackers to embed long, concealed command strings using whitespace characters. These files can be disguised as regular documents and used to trigger code execution when opened.

Long-Standing Exploitation Since 2017

Trend Micro’s Zero Day Initiative revealed earlier this year that the flaw had been exploited by at least 11 state-backed groups from China, Iran, North Korea, and Russia. These operations reportedly conducted espionage, data theft, and financially motivated attacks spanning nearly eight years. The weakness is also tracked under the identifier ZDI-CAN-25373.

At the time, Microsoft stated that the issue did not meet the threshold for immediate servicing, adding that LNK files were already blocked across Outlook, Word, Excel, PowerPoint, and OneNote, which warn users against opening untrusted shortcut files.

Fresh Waves of Attacks in 2025

The flaw resurfaced when Arctic Wolf documented a separate offensive campaign in late October 2025. In this instance, China-linked actors used the vulnerability to deliver PlugX malware to European diplomatic and government networks. The ongoing exploitation pushed Microsoft to issue updated guidance, reiterating its earlier position that the flaw did not qualify as a direct vulnerability due to required user interaction.

Why the Issue Was Dangerous

0patch later clarified that the vulnerability was not only about hiding malicious content but also about how Windows displays shortcut data. While LNK files can contain extremely long argument strings, the Windows Properties dialog shows only the first 260 characters, which hides the rest of the command.

This creates an opportunity for attackers to embed long malicious payloads while exposing only a harmless-looking preview to the victim.

Microsoft’s Silent Patch and 0patch Response

The quiet update now ensures that Windows displays the entire Target command in a shortcut file, regardless of its length, improving transparency for users inspecting suspicious files.

0patch offered its own mitigation earlier, adding a warning for LNK files with argument strings exceeding 260 characters. This approach aims to disrupt attacks observed in actual campaigns, even if some malicious shortcuts use shorter strings.
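As an added illustration of the 260-character truncation described above and of 0patch's length-based rule (example code written for this article, not 0patch's or Microsoft's): a small Python parser that walks the LNK StringData sections to pull out the command-line arguments, then flags the two patterns the article describes. The field layout follows the public MS-SHLLINK format; the whitespace-run threshold of 16 and the minimal test shortcuts produced by build_lnk are assumptions made here.

```python
import re
import struct

# LinkFlags bits from MS-SHLLINK 2.1.1; StringData sections, when present, follow in this order.
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_DATA_ORDER = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON)
DIALOG_LIMIT = 260  # characters the Properties dialog shows in the Target field (per the article)

def extract_arguments(data: bytes):
    """Walk an LNK file and return its COMMAND_LINE_ARGUMENTS string (None if absent)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                           # skip the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                            # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                          # LinkInfo: u32 total size at its start
        pos += struct.unpack_from("<I", data, pos)[0]
    args = None
    for section in STRING_DATA_ORDER:                  # each: u16 char count + unterminated chars
        if not flags & section:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2: pos + 2 + count * width]
        pos += 2 + count * width
        text = raw.decode("utf-16-le" if width == 2 else "cp1252")
        if section == HAS_ARGS:
            args = text
    return args

def is_suspicious(args, pad_run=16):
    """0patch-style rule (args longer than the dialog shows) plus a whitespace-padding check; threshold is an assumption."""
    if not args: return False
    return len(args) > DIALOG_LIMIT or re.search(rf"\s{{{pad_run},}}\S", args) is not None

def build_lnk(arguments: str, unicode=True) -> bytes:
    """Constructed test data: a minimal LNK carrying only COMMAND_LINE_ARGUMENTS (not a real shortcut)."""
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 0x4C)                            # HeaderSize
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    struct.pack_into("<I", header, 20, HAS_ARGS | (IS_UNICODE if unicode else 0))
    body = arguments.encode("utf-16-le" if unicode else "cp1252")
    return bytes(header) + struct.pack("<H", len(arguments)) + body

if __name__ == "__main__":
    for label, lnk in (("benign", build_lnk('/c "echo hello"')),
                       ("padded", build_lnk(" " * 300 + "/c echo hidden"))):
        print(label, is_suspicious(extract_arguments(lnk)))
```

Real shortcuts usually also carry an ID list and LinkInfo block, which the parser skips by their declared sizes before reaching the StringData.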

(The story was updated after publication to include a response from Microsoft.)
