Submission + - Microsoft "mitigates" Windows LNK flaw exploited as zero-day (bleepingcomputer.com)
joshuark writes: Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks.
Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Thus some element of social engineering, and user technically naive and gullibility such as thinking Windows is secure is required.
As Trend Micro threat analysts discovered in March 2025, the CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others.
Microsoft told BleepingComputer in March that it would "consider addressing" this zero-day flaw, even though it didn't "meet the bar for immediate servicing."
ACROS Security CEO and 0patch co-founder Mitja Kolsek found, Microsoft has silently changed LNK files in the November updates in an apparent effort to mitigate the CVE-2025-9491 flaw. After installing last month's updates, users can now see all characters in the Target field when opening the Properties of LNK files, not just the first 260.
A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today to confirm if this change is an attempt to mitigate the vulnerability. As the movie the Ninth Gate stated: "silentium est aurum"
Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Thus some element of social engineering, and user technically naive and gullibility such as thinking Windows is secure is required.
As Trend Micro threat analysts discovered in March 2025, the CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others.
Microsoft told BleepingComputer in March that it would "consider addressing" this zero-day flaw, even though it didn't "meet the bar for immediate servicing."
ACROS Security CEO and 0patch co-founder Mitja Kolsek found, Microsoft has silently changed LNK files in the November updates in an apparent effort to mitigate the CVE-2025-9491 flaw. After installing last month's updates, users can now see all characters in the Target field when opening the Properties of LNK files, not just the first 260.
A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today to confirm if this change is an attempt to mitigate the vulnerability. As the movie the Ninth Gate stated: "silentium est aurum"
