Microsoft Finally Patches LNK Flaw (CVE-2025-9491) Exploited by Spies Since 2017
Microsoft has quietly patched a long-standing flaw in Windows that had been exploited in real-world attacks for several years. The fix arrived in the November Patch Tuesday release, even though the company had previously shown little urgency in addressing the issue. The development came to light through data from 0patch, which reported that various threat groups had been actively abusing the defect since 2017.
The vulnerability, designated CVE-2025-9491, stemmed from the way Windows handled LNK shortcut files. A flaw in the user interface caused part of the command embedded in a shortcut to remain hidden when viewing the file’s properties. This allowed malicious actors to execute arbitrary code under the guise of an innocuous file. Researchers noted that the shortcuts were crafted to deceive, using invisible characters and masquerading as documents.
The first detailed reports emerged in spring 2025, when researchers revealed that eleven state-sponsored groups from China, Iran, and North Korea had used this mechanism in espionage, data-theft operations, and financially motivated attacks. At the time, the defect was also tracked as ZDI-CAN-25373. Microsoft stated then that the issue did not warrant urgent remediation, pointing to existing protections such as LNK blocking in many Office applications and system warnings that appear when users attempt to open such files.
Later, HarfangLab reported that the vulnerability had been leveraged by the XDSpy group to distribute its XDigo malware in attacks against government bodies in Eastern Europe. In autumn 2025, Arctic Wolf documented a new wave of exploitation—this time by Chinese network operators targeting European diplomatic and governmental institutions with the PlugX malware family. Even then, Microsoft reiterated that it did not regard the flaw as critical, citing the need for user interaction and the presence of built-in system prompts.
According to 0patch, the issue extended beyond the concealment of trailing command data. The LNK format allows command strings tens of thousands of characters long, but the Properties window displayed only the first 260, silently truncating the rest. This made it possible for attackers to hide substantial portions of the executed command. The third-party patch from 0patch approached the problem differently: it added a warning whenever a shortcut containing arguments longer than 260 characters was opened.
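The truncation described above can be checked for directly: a shortcut's COMMAND_LINE_ARGUMENTS string is stored in the LNK file's StringData section, so a defender can parse that field and flag any shortcut whose arguments run past the 260 characters the old Properties window showed, or whose visible prefix is mostly whitespace padding. The triage script below is an added example written for this article, not code from 0patch or Microsoft; it follows the public MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then StringData). The `build_minimal_lnk` helper constructs a bare, non-functional LNK purely as an offline test fixture, and the 90% padding threshold in `assess_arguments` is an assumed heuristic, not a value from the article.

```python
"""Triage .LNK files for the CVE-2025-9491 concealment pattern: command-line
arguments longer than the 260 characters the pre-patch Properties dialog
displayed, or a visible prefix that is almost entirely padding."""
import struct
import sys

HEADER_SIZE = 76
VISIBLE_LIMIT = 260            # characters the old Properties window showed
PADDING_RATIO = 0.9            # assumed heuristic threshold, not from the article
# Shell link CLSID {00021401-0000-0000-C000-000000000046}, little-endian fields
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff"}

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData entries appear in this order
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                     HAS_ARGUMENTS, HAS_ICON_LOCATION)


def parse_lnk_arguments(data: bytes):
    """Return the COMMAND_LINE_ARGUMENTS string of a LNK blob, or None if absent."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) + item IDs
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (u32) covers itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    arguments = None
    for bit in STRING_DATA_ORDER:              # each: CountCharacters (u16) + chars
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
        if bit == HAS_ARGUMENTS:
            arguments = text
    return arguments


def assess_arguments(arguments):
    """Score an arguments string: what the old dialog hid, and whether the
    visible part is just padding that pushes the real command out of view."""
    if arguments is None:
        return {"length": 0, "hidden_chars": 0, "visible_is_padding": False,
                "hidden_preview": "", "suspicious": False}
    visible = arguments[:VISIBLE_LIMIT]
    hidden = len(arguments) - len(visible)
    pad = sum(1 for ch in visible if ch.isspace() or ch in ZERO_WIDTH)
    visible_is_padding = bool(visible) and pad / len(visible) >= PADDING_RATIO
    return {
        "length": len(arguments),
        "hidden_chars": hidden,
        "visible_is_padding": visible_is_padding,
        "hidden_preview": arguments[VISIBLE_LIMIT:VISIBLE_LIMIT + 80],
        "suspicious": hidden > 0 or visible_is_padding,
    }


def build_minimal_lnk(arguments: str, name: str = "") -> bytes:
    """Constructed test fixture: header + StringData only. It has no target
    ID list, so it is not a working shortcut; it only exercises the parser."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_NAME if name else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # remaining header fields zeroed

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + (string_data(name) if name else b"") + string_data(arguments)


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return assess_arguments(parse_lnk_arguments(fh.read()))


if __name__ == "__main__":
    for lnk_path in sys.argv[1:]:
        print(lnk_path, scan_file(lnk_path))
```

Run it as `python lnk_triage.py *.lnk` over a quarantine folder; anything reporting `suspicious: True` deserves a look at `hidden_preview`, which is exactly the part of the command the old dialog never displayed. The parser stops after StringData because nothing later in the file (ExtraData blocks) affects the arguments field.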
Microsoft’s own update resolved the flaw by expanding the Target field so that the full command is displayed, even when it exceeds the previous character limit. In a response to inquiries, a company representative did not explicitly confirm the release of a patch but referred instead to general security best practices and emphasized that Microsoft continues to refine its interface and defensive mechanisms.