Microsoft has addressed a long-standing security vulnerability, CVE-2025-9491, affecting Windows LNK files, with the November 2025 update. The flaw had been exploited by state-sponsored groups since 2017.
Security Vulnerability Details
The CVE-2025-9491 vulnerability, with a CVSS score of 7.8, involved the Windows Shortcut (LNK) file format. Manipulated LNK files could hide malicious commands, allowing attackers to execute remote code. The Windows Properties dialog previously failed to display these hidden commands, affecting user security.
- Microsoft addressed the issue in the November 2025 update.
- The flaw had been exploited by 11 state-sponsored groups.
- Exploits were reported in espionage and data theft campaigns.
Security researcher 0patch pointed out the complexity of the issue involving long strings in LNK files, which were not fully visible in the Properties dialog.
Response to Exploitation
Trend Micro's Zero Day Initiative disclosed the issue in March 2025, revealing exploits by groups from China, Iran, North Korea, and Russia. These attacks targeted government entities in Eastern Europe using the XDigo malware and the PlugX backdoor.
The disclosure led to heightened scrutiny, although Microsoft initially did not consider the flaw urgent enough for immediate servicing. However, the recent silent patch now shows the entire Target field in the Properties dialog regardless of length.
Preventative Measures
Microsoft's update changes the display of command arguments, effectively closing the vulnerability's exploitation path. Security firm 0patch also released a micropatch that warns users of LNK files with over 260 characters, adding preventive security measures for users.
This patching effort reflects increased pressure on software firms to proactively address vulnerabilities before they can be widely exploited. It highlights the balance between immediate versus strategic security fixes in the fast-moving threat landscape.
