Microsoft has silently mitigated an exploited LNK vulnerability with its November 2025 safety updates, Acros Safety says.
Tracked as CVE-2025-9491 (CVSS rating of seven.0), the safety defect allowed risk actors to obfuscate the aim of malicious LNK recordsdata by hiding code from the consumer’s view.
The bug was disclosed in March by Pattern Micro’s Zero Day Initiative (ZDI), which warned that almost a dozen risk actors had been exploiting it for years. In October, exploitation was nonetheless ongoing.
ZDI defined that Home windows didn’t show important data that might floor malicious exercise when the consumer inspected the properties tab of a shortcut (LNK) file.
Thus, risk actors have been utilizing specifically crafted LNK recordsdata embedding command-line arguments resulting in malware execution.
As profitable exploitation requires that the consumer manually execute the shortcut file, the attackers have been disguising them as innocent paperwork.
The problem was that, when displaying a LNK file’s properties, Home windows solely confirmed the primary 260 characters within the ‘Goal’ area, though the file’s construction theoretically permits for strings of as much as 32k characters.
Home windows would merely lower off the remainder of the string, basically hiding from customers’ view extraordinarily lengthy PowerShell or BAT scripts, notes Acros Safety. Commercial. Scroll to proceed studying.
And with risk actors utilizing whitespaces for the primary 260 characters within the string, all the command was fully hidden from customers who would take their time to look over the file’s properties.
Person interplay is vital to exploitation
In reality, Microsoft beforehand instructed SecurityWeek, customers sometimes don’t examine a file’s properties, and Microsoft Defender has detections to acknowledge the approach.
Saying that the vulnerability didn’t meet the bar for instant servicing, the corporate defined it was contemplating addressing it in a characteristic launch.
In keeping with Acros Safety, Microsoft’s November safety updates have resolved the exploited LNK vulnerability, as Home windows now shows all the string within the ‘Goal’ area in a shortcut file’s properties tab.
Acros Safety has developed another patch for customers of its 0Patch answer.
Previous to the silent patch, Microsoft printed steerage on CVE-2025-9491, underlining that current protections in Home windows, coupled with warnings when downloading recordsdata from the web and the mandatory consumer interplay to open LNK recordsdata, mitigate the risk.
LNK recordsdata, it explains, will be delivered solely inside ZIP archives that customers must open. Moreover, when opening such a shortcut file, Home windows warns the consumer that the format shouldn’t be trusted.
“Home windows identifies shortcut recordsdata (.lnk) as a doubtlessly harmful file kind. Making an attempt to open a .lnk file downloaded from the Web routinely triggers a safety warning advising customers to not open recordsdata from unknown sources, and we strongly suggest heeding this warning,” Microsoft’s steerage reads.
Associated: Chrome 143 Patches Excessive-Severity Vulnerabilities
Associated: Over 50,000 Asus Routers Hacked in ‘Operation WrtHug’
Associated: Knowledge Publicity Vulnerability Present in Deep Studying Instrument Keras
Associated: Vulnerability in OpenAI Coding Agent May Facilitate Assaults on Builders
