Microsoft has quietly fixed a long-standing security flaw in Windows that was actively exploited by multiple threat groups for several years. The fix was included in the company’s November 2025 Patch Tuesday updates, according to researchers at ACROS Security’s 0patch project.
The vulnerability, tracked as CVE-2025-9491, carries a CVSS score of 7.8/7.0 and involves a Windows Shortcut (LNK) file UI misinterpretation issue. In simple terms, attackers could create malicious shortcut files that appear clean when viewed in Windows, but secretly run harmful commands in the background.
According to the National Vulnerability Database (NVD), the issue stems from how Windows handles .LNK files. A specially crafted shortcut file can hide dangerous content from the user interface. Even if a user inspects the file properties, the malicious command remains invisible, making the file appear harmless.
This means:
Attackers can disguise shortcut files as legitimate documents.
The malicious command inside the file executes once the user opens it.
Users never see the full command because of how Windows displays LNK properties.
Cybercriminals have been abusing this flaw since 2017, targeting victims across the world for data theft, espionage, and financial gain.
The vulnerability first came to wide attention in March 2025, when Trend Micro’s Zero Day Initiative (ZDI) revealed that the flaw had been exploited by 11 state-backed hacking groups from:
China
Iran
North Korea
Russia
These groups used the flaw as part of larger cyber espionage and data theft operations. The issue is also tracked as ZDI-CAN-25373.
At that time, Microsoft stated that the flaw “did not meet the bar for immediate servicing,” meaning the company did not feel it needed an urgent fix. They also highlighted that LNK files are blocked by default across Outlook, Word, Excel, PowerPoint, and OneNote, warning users when they attempt to open such files.
However, subsequent reports soon showed that the issue was being heavily abused in the wild.
French security firm HarfangLab reported that a cyber espionage group known as XDSpy was using the flaw to deliver a Go-based malware named XDigo. These attacks targeted government institutions in Eastern Europe, showing how widely the vulnerability was being used.
In late October, Arctic Wolf reported a separate campaign in which China-linked threat actors exploited the same flaw to attack European government and diplomatic entities. These attacks delivered the well-known PlugX malware, a popular tool used in Chinese cyber operations.
These repeated exploitation attempts pushed Microsoft to publish formal guidance about CVE-2025-9491. But even then, the company insisted it was not a vulnerability, claiming users were already warned when opening untrusted shortcut files.
According to 0patch, the problem is deeper than Microsoft acknowledged. The root cause is tied to how Windows displays LNK file properties.
Here’s the key issue:
A Windows LNK file can hold tens of thousands of characters in its command string.
But the Windows Properties dialog only shows the first 260 characters.
Everything beyond 260 characters is silently cut off, leaving the most dangerous parts of the command hidden.
In other words, an attacker can craft a long malicious command, hide most of it, and trick users into believing the file is safe.
Microsoft’s own file structure documentation confirms that LNK files can theoretically hold up to 32,000 characters in the Target field.
Without making a public announcement, Microsoft updated Windows so that the entire command — regardless of length — is now shown in the Properties window. This makes it much harder for attackers to hide harmful commands.
This solution ensures:
Users can see the full Target field in shortcut files.
Long hidden commands are no longer invisible.
Security researchers can better analyze suspicious shortcut files.
However, the change depends on whether shortcut files with extremely long commands actually exist on the system.
0patch also released a micropatch, but with a different approach:
If an LNK file contains command-line arguments more than 260 characters long, a warning is shown to the user.
The tool also pads the Target field to make the hidden part noticeable.
Their goal is to disrupt real-world attacks, even if malicious commands are shorter than 260 characters.
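As an added illustration of the 260-character truncation described above and of the length check 0patch's micropatch applies (example code written for this article, not Microsoft's or 0patch's own), the following Python pulls the COMMAND_LINE_ARGUMENTS string out of a Shell Link file using the public MS-SHLLINK layout and reports the portion the pre-fix Properties dialog would not have displayed. The build_lnk helper is an assumption for offline testing only: it constructs a minimal shortcut rather than reading a real one.

```python
import struct

# LinkFlags bits and header constants from the public MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DIALOG_LIMIT = 260  # characters the pre-fix Properties dialog displayed (per the article)

def build_lnk(arguments, rel_path="..\\..\\Windows\\System32\\cmd.exe"):
    """Assumed helper: builds a minimal Unicode .lnk carrying only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS StringData, so the triage logic can be exercised offline."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    def sd(s):  # StringData item: CountCharacters (u16) + UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(rel_path) + sd(arguments) + b"\x00\x00\x00\x00"  # TerminalBlock

def parse_lnk(data):
    """Return the StringData fields of a Shell Link file as a dict, skipping the
    optional LinkTargetIDList and LinkInfo structures that precede them."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:    # IDListSize (u16) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def triage(data):
    """Report whether the arguments exceed the 260-character window and split them
    into the part a user would have seen and the part that stayed hidden."""
    args = parse_lnk(data).get("arguments", "")
    return {"arg_length": len(args), "hidden_from_dialog": len(args) > DIALOG_LIMIT,
            "visible": args[:DIALOG_LIMIT], "hidden": args[DIALOG_LIMIT:]}
```

Run triage over the bytes of any .lnk pulled from a mail gateway or endpoint quarantine; a non-empty "hidden" field is the part that the old dialog would have silently dropped.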
When asked for comment, Microsoft did not directly confirm the patch. Instead, the company pointed to its general security guidance, saying it continuously adds product and UI improvements to keep customers safe.
The spokesperson also urged users to exercise caution when downloading or opening files from unknown sources, noting that Windows already warns users about potentially unsafe file types like LNK.
The silent patch of CVE-2025-9491 highlights a long-standing and widely abused weakness in how Windows handles shortcut files. After years of exploitation by major nation-state hackers, Microsoft’s quiet fix finally addresses a flaw that exposed users to hidden malware and espionage attacks.
For cybersecurity teams and Windows users, the message is clear:
Treat unexpected shortcut files as suspicious.
Always verify sources before opening downloaded files.
Keep Windows fully updated to benefit from silent or undocumented security fixes.