Microsoft has silently patched a security flaw that has been exploited by multiple threat actors since 2017 as part of the company's November 2025 Patch Tuesday updates, according to ACROS Security's 0patch.
The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misrepresentation vulnerability that could lead to remote code execution.
"The specific flaw exists within the handling of .LNK files," according to a description in the NIST National Vulnerability Database (NVD). "Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user."

In other words, these shortcut files are crafted so that viewing their properties in Windows hides the malicious commands they execute from the user's sight through the use of various "whitespace" characters. To trigger their execution, attackers could disguise the files as harmless documents.
Details of the shortcoming first emerged in March 2025, when Trend Micro's Zero Day Initiative (ZDI) disclosed that the issue had been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns, some of which date back to 2017. The issue is also tracked as ZDI-CAN-25373.
At the time, Microsoft told The Hacker News that the flaw did not meet the bar for immediate servicing and that it would consider fixing it in a future release. It also pointed out that the LNK file format is blocked across Outlook, Word, Excel, PowerPoint, and OneNote, as a result of which any attempt to open such files triggers a warning to users not to open files from unknown sources.
Subsequently, a report from HarfangLab found that the shortcoming was abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo as part of attacks targeting Eastern European governmental entities, in the same month the flaw was publicly disclosed.
Then, in late October 2025, the issue resurfaced a third time after Arctic Wolf flagged an offensive campaign in which China-affiliated threat actors weaponized the flaw in attacks aimed at European diplomatic and government entities and delivered the PlugX malware.
This development prompted Microsoft to issue formal guidance on CVE-2025-9491, reiterating its decision not to patch it and emphasizing that it does not consider it a vulnerability "due to the user interaction involved and the fact that the system already warns users that this format is untrusted."
0patch said the vulnerability is not only about hiding the malicious part of the command out of the Target field, but also the fact that an LNK file "allows the Target arguments to be a very long string (tens of thousands of characters), but the Properties dialog only shows the first 260 characters, silently cutting off the rest."

This also means that a bad actor can create an LNK file that runs a long command, of which only the first 260 characters are displayed to a user who views its properties. The rest of the command string is simply truncated. According to Microsoft, the file's structure theoretically allows for strings of up to 32k characters.
The silent patch released by Microsoft addresses the problem by showing the entire Target command with its arguments in the Properties dialog, regardless of its length. That said, this behavior hinges on the possibility that shortcut files with more than 260 characters in their Target field can exist.
0patch's micropatch for the same flaw takes a different route: it displays a warning when users attempt to open an LNK file whose command-line arguments exceed 260 characters as a result of padding in the Target field.
"Even though malicious shortcuts could be constructed with fewer than 260 characters, we believe disrupting actual attacks detected in the wild can make a big difference for those targeted," it said.
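As an added defensive example (not code from the article, 0patch or Microsoft), the following Python reads the COMMAND_LINE_ARGUMENTS string out of an MS-SHLLINK (.LNK) file and reports the two traits described above: arguments longer than the 260 characters the Properties dialog shows, and long whitespace runs. The 260-character threshold is taken from the article; the fixture builder, the cp1252 fallback for non-Unicode strings and all sample values are assumptions made for this example.

```python
import re
import struct

# LinkFlags bits from the ShellLink header (flags field sits at offset 0x14).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, IS_UNICODE = 0x20, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
DIALOG_LIMIT = 260  # characters the Properties dialog shows, per the article

def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a ShellLink file ('' if absent)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink (.LNK) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) + IDList (includes TerminalID)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts the whole LinkInfo block
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    args = ""
    # StringData items appear in this fixed order: CountCharacters (u16) + chars, no NUL.
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            # Assumption: cp1252 for the non-Unicode case (really the system code page).
            args = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return args

def assess(data: bytes) -> dict:
    """Report over-long arguments and whitespace padding, the traits the article describes."""
    args = lnk_arguments(data)
    runs = [len(m) for m in re.findall(r"\s+", args)]
    return {
        "length": len(args),
        "exceeds_dialog": len(args) > DIALOG_LIMIT,
        "longest_whitespace_run": max(runs, default=0),
        "hidden_tail": args[DIALOG_LIMIT:].strip(),  # the part the dialog would cut off
    }

def build_fixture(arguments: str) -> bytes:
    """Constructed test fixture: a bare ShellLink carrying only an arguments string.
    It has no IDList or LinkInfo, so it resolves to no target and is not a usable shortcut."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `assess()` over a directory of .LNK files to triage shortcuts whose Target arguments would be truncated in the dialog; both "exceeds_dialog" and a large "longest_whitespace_run" are worth a closer look.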
When reached for comment, a Microsoft spokesperson did not directly confirm the release of a patch, but passed along the tech giant's security guidance, which states that the company is "continuously rolling out product and UI improvements to help keep customers protected and improve the experience."
"As a security best practice, Microsoft encourages customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files," the spokesperson added.
(The story was updated after publication to include a response from Microsoft.)