Microsoft has adjusted the handling of LNK files to address a high-severity vulnerability (CVE-2025-9491) in Windows exploited by cybercrime and state-backed groups. This flaw allowed attackers to hide malicious commands inside Windows Shell Link (.lnk) files.
LNK Vulnerability Exploitation
Multiple threat groups, including Evil Corp, APT37, Mustang Panda, and SideWinder, have utilized the LNK vulnerability to disguise harmful commands. Attackers often distributed compromised .lnk files in archives like ZIP due to email security limitations.
According to Trend Micro, these groups used payloads such as Ursnif and PlugX, with Mustang Panda notably targeting European diplomats. Microsoft's November update changes the LNK file Properties view to show the complete Target field characters instead of truncating at 260, addressing the flaw partially.
Security Solutions and Gaps
The company's statement emphasized the requirement for user interaction for attacks to succeed, suggesting the vulnerability does not warrant immediate servicing beyond the update. However, researchers warned that attackers could bypass warnings about untrusted files.
ACROS Security introduced an unofficial fix through its 0Patch platform. This micropatch curtails the Target field to 260 characters and alerts users of excessive length, offering wider protection for Windows versions from Windows 7 to Windows 11 22H2 and related server editions. ACROS claims that their solution could mitigate over 1,000 malicious shortcuts identified by researchers.
Ongoing Risks and User Actions
Despite Microsoft's updates, the vulnerability remains only partially addressed. The changes predominantly benefit cautious users who inspect file properties. Users, especially those within targeted sectors, are encouraged to employ mitigation strategies promptly.
