Cyber Web Spider Blog – News

Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation

Posted on December 3, 2025 By CWS

Dec 03, 2025 | Ravie Lakshmanan | Vulnerability / Endpoint Security
Microsoft has quietly plugged a security flaw that has been exploited by multiple threat actors since 2017 as part of the company's November 2025 Patch Tuesday updates, according to ACROS Security's 0patch.
The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misrepresentation vulnerability that could lead to remote code execution.
"The specific flaw exists within the handling of .LNK files," according to a description in the NIST National Vulnerability Database (NVD). "Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user."

In other words, these shortcut files are crafted such that viewing their properties in Windows keeps the malicious commands they execute out of the user's sight, by padding the command with various "whitespace" characters. To trigger execution, attackers disguise the files as harmless documents.
Details of the shortcoming first emerged in March 2025, when Trend Micro's Zero Day Initiative (ZDI) disclosed that the issue had been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns, some of which date back to 2017. The issue is also tracked as ZDI-CAN-25373.
At the time, Microsoft told The Hacker News that the flaw did not meet the bar for immediate servicing and that it would consider fixing it in a future release. It also pointed out that the LNK file format is blocked across Outlook, Word, Excel, PowerPoint, and OneNote, so any attempt to open such files triggers a warning to users not to open files from unknown sources.
Subsequently, a report from HarfangLab found that the shortcoming was abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo as part of attacks targeting Eastern European governmental entities, in the same month the flaw was publicly disclosed.

Then, in late October 2025, the issue reared up a third time after Arctic Wolf flagged an offensive campaign in which China-affiliated threat actors weaponized the flaw in attacks aimed at European diplomatic and government entities and delivered the PlugX malware.
This development prompted Microsoft to issue formal guidance on CVE-2025-9491, reiterating its decision not to patch it and emphasizing that it does not consider it a vulnerability "due to the user interaction involved and the fact that the system already warns users that this format is untrusted."
0patch said the vulnerability is not just about hiding the malicious part of the command out of the Target field, but also about the fact that an LNK file "allows the Target arguments to be a very long string (tens of thousands of characters), but the Properties dialog only shows the first 260 characters, silently cutting off the rest."

This also means that a bad actor can create an LNK file that runs a long command, of which only the first 260 characters are displayed to a user who views its properties. The rest of the command string is simply truncated. According to Microsoft, the file's structure theoretically allows for strings of up to 32k characters.
The silent patch released by Microsoft addresses the problem by displaying the entire Target command, arguments included, in the Properties dialog, regardless of its length. That said, the change only makes a difference for shortcut files whose Target field exceeds 260 characters; a shorter malicious command that merely relies on disguise is displayed exactly as before.
0patch's micropatch for the same flaw takes a different route, displaying a warning when users attempt to open an LNK file whose Target arguments exceed 260 characters.
"Although malicious shortcuts can be built with fewer than 260 characters, we believe disrupting actual attacks detected in the wild can make a huge difference for those targeted," it said.
The Hacker News has reached out to Microsoft for comment, and will update the piece if we hear back from the company.
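The gap both patches address is the difference between what the Properties dialog shows (the first 260 characters of the Target arguments) and what the shell actually runs (the whole string). The following parser and check, written for this page as an added example and not taken from the article, Microsoft or 0patch, reads the StringData section of a .lnk file according to the public MS-SHLLINK layout, then reports the part of the arguments the dialog would cut off and the longest run of whitespace padding. The 260-character figure is the one 0patch cites; the padding-run threshold and the two sample shortcuts (a benign one and one built with the padding technique the article describes) are constructed here for illustration.

```python
"""Parse Shell Link (.lnk) StringData and flag Target arguments that the
Properties dialog would truncate or that carry long whitespace padding.
Added example: layout per MS-SHLLINK; samples are constructed, not real malware."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))
DIALOG_LIMIT = 260                 # characters of Target shown by the Properties dialog (per 0patch)
PADDING = set(" \t\n\x0b\x0c\r")   # ASCII whitespace used to push the real command out of view
PADDING_RUN_THRESHOLD = 16         # heuristic (assumption): legitimate arguments never need this


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a .lnk blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                            # end of the fixed ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:                 # IDListSize (u16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                           # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    out = {"flags": flags}
    for flag, key in STRING_DATA_ORDER:                 # CountCharacters (u16) + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            out[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            out[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return out


def longest_padding_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = run + 1 if ch in PADDING else 0
        best = max(best, run)
    return best


def analyze(lnk: dict) -> dict:
    """Compare what the Properties dialog shows with what the shell will run."""
    args = lnk.get("arguments", "")
    hidden = args[DIALOG_LIMIT:].strip()     # non-empty: the dialog never shows the real payload
    run = longest_padding_run(args)
    return {
        "arguments_len": len(args),
        "exceeds_dialog_limit": len(args) > DIALOG_LIMIT,
        "shown_in_dialog": args[:DIALOG_LIMIT],
        "hidden_command": hidden,
        "longest_padding_run": run,
        "suspicious": bool(hidden) or run >= PADDING_RUN_THRESHOLD,
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Minimal Unicode .lnk carrying RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (constructed input)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x80,  # FILE_ATTRIBUTE_NORMAL
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)                      # ShowCommand = SW_SHOWNORMAL
    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + struct.pack("<I", 0)  # TerminalBlock


# Constructed samples: a plain shortcut and one that hides its command behind 300 spaces.
BENIGN = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", "/c echo hello")
PADDED = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe",
                   " " * 300 + "/c powershell -nop -w hidden -c \"Start-Process calc.exe\"")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        r = analyze(parse_lnk(blob))
        print(f"{label}: len={r['arguments_len']} truncated={r['exceeds_dialog_limit']} "
              f"suspicious={r['suspicious']} hidden={r['hidden_command']!r}")
```

Run against a directory of .lnk files (read each with `open(path, "rb").read()` and pass it to `parse_lnk`), the `hidden_command` field is what a user inspecting the shortcut before the November 2025 update would never have seen; `longest_padding_run` catches the shorter variants 0patch notes that stay under 260 characters but still use whitespace to push the command out of the visible part of the field.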

Copyright © 2025 Cyber Web Spider Blog – News.