
According to ACROS Security’s 0patch, Microsoft silently patched a security flaw that has been exploited by multiple attackers since 2017 as part of the company’s November 2025 Patch Tuesday update.
The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which is described as a Windows Shortcuts (LNK) file UI misinterpretation vulnerability that could lead to remote code execution.
According to the NIST National Vulnerability Database (NVD) description, “The specific flaw exists in the handling of .LNK files. Crafted data in a .LNK file could hide dangerous content within the file from a user inspecting the file through the Windows-provided user interface. An attacker could exploit this vulnerability to execute code in the context of the current user.”

In other words, these shortcut files are crafted using various “whitespace” characters to hide the malicious commands executed by the shortcut file from the user’s eyes when viewing their properties in Windows. An attacker could disguise the file as a benign document in order to execute it.
Details of the flaw first emerged in March 2025, when Trend Micro’s Zero Day Initiative (ZDI) revealed that the issue was being exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of campaigns for data theft, espionage, and financial gain. Some of the campaigns date back to 2017. The issue is also tracked as ZDI-CAN-25373.
At the time, Microsoft told The Hacker News that the flaw did not meet the criteria for immediate servicing and that it would consider fixing it in a future release. It also noted that the LNK file format is blocked across Outlook, Word, Excel, PowerPoint, and OneNote, and that users attempting to open such files are warned not to open files from unknown sources.
The flaw resurfaced later in the same month, when a HarfangLab report found that it was being exploited by a cyber-espionage cluster known as XDSpy to distribute Go-based malware called XDigo in an attack targeting government agencies in Eastern Europe.
Then, in late October 2025, the issue surfaced for a third time after Arctic Wolf flagged an attack campaign in which China-linked threat actors weaponized the flaw to deliver PlugX malware in attacks targeting European diplomatic and government institutions.
This development led Microsoft to issue formal guidance on CVE-2025-9491, reiterating its decision not to patch and emphasizing that it does not consider the issue a vulnerability “due to the need for user interaction and the fact that the system has already warned the user that this format is untrusted.”
According to 0patch, the vulnerability goes beyond simply hiding the malicious part of the command from the Target field; it’s also the fact that in LNK files, “the Target argument can be a very long string (tens of thousands of characters), but only the first 260 characters are displayed in the properties dialog, and the rest are silently truncated.”

This also means that a malicious attacker can create an LNK file that executes a very long command. Users who view the properties of this file will only see the first 260 characters of the command; the rest of the command string is simply truncated. According to Microsoft, the file structure theoretically allows strings up to 32,000 characters.
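As an added example (not code from the article, 0patch or Microsoft), the following Python walks a shortcut's StringData as laid out in the Shell Link binary format and flags arguments that rely on whitespace padding or on content past the 260-character display limit described above. The sample .LNK is constructed inside the script; the field names, the description text and the ANSI code page fallback are assumptions.

```python
import struct

DISPLAY_LIMIT = 260      # Target field characters shown in Properties (from the article)
# LinkFlags bits (MS-SHLLINK) in StringData order, plus the two structures before it
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk_strings(data: bytes) -> dict:
    """Walk a Shell Link file up to its StringData and return those fields."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")  # ANSI code page assumed
    out = {}
    for bit, name in STRING_FIELDS:              # each: CountCharacters, then unterminated chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            out[name] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return out

def assess_arguments(args: str) -> dict:
    """Flag whitespace padding and content past the 260-character display cut-off."""
    padding = len(args) - len(args.lstrip())
    return {"length": len(args), "leading_whitespace": padding,
            "hidden_tail": args[DISPLAY_LIMIT:],          # what the dialog truncates
            "suspicious": padding >= DISPLAY_LIMIT or len(args) > DISPLAY_LIMIT}

def build_sample_lnk(description: str, arguments: str) -> bytes:
    """Constructed minimal .LNK (header + two StringData fields) for offline testing."""
    flags = 0x04 | 0x20 | IS_UNICODE                          # HasName | HasArguments | IsUnicode
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", flags)
    header = header.ljust(76, b"\x00")                        # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (description, arguments))
    return header + body

# Constructed sample: 300 blanks push the real switch past the visible 260 characters
SAMPLE = build_sample_lnk("Quarterly Report.pdf", " " * 300 + "/c echo hidden-command-placeholder")

if __name__ == "__main__":
    print(assess_arguments(parse_lnk_strings(SAMPLE)["arguments"]))
```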
Microsoft’s silent patch addresses the issue by displaying the entire target command with its arguments, regardless of length, in the Properties dialog. However, this behavior depends on whether the shortcut file’s Target field is longer than 260 characters.
0patch’s micropatch for the same flaw takes a different route by displaying a warning when users try to open LNK files that are longer than 260 characters.
“Even though malicious shortcuts can be constructed in less than 260 characters, we believe that disrupting real attacks that are actually detected can make a big difference to those who are targeted,” the company said.
The Hacker News has reached out to Microsoft for comment and will update this article if the company responds.
