Microsoft Patches Widely Exploited Windows LNK Zero-Day Vulnerability

Cybercriminals have been exploiting a critical flaw in Windows LNK (.lnk shortcut) files to deliver malware in targeted attacks worldwide. After months of active abuse, Microsoft has finally issued a fix for the zero-day in its November 2025 Patch Tuesday update.

CVE-2025-9491 is a Windows Shell Link (.LNK) vulnerability that allows attackers to hide malicious commands without shortcut files by manipulating the file’s properties. This flaw creates a deceptive user interface where harmful payloads are concealed in the “Target” field using whitespace padding, which makes them appear harmless when inspected.

How did attackers exploit the Windows LNK vulnerability?

When a user opens such a crafted shortcut, the hidden command executes under their privileges, which enables malware installation or system compromise. While the exploitation requires user interaction, this vulnerability has been actively abused by multiple threat groups for espionage and malware delivery.

“In all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment,” Microsoft explained.

Trend Micro researchers first discovered this Windows LNK vulnerability in March 2025. It has been leveraged by at least 11 threat actor groups (including Evil Corp, APT37, Kimsuky, and Mustang Panda) to deliver malware such as Ursnif, Gh0st RAT, Trickbot, and PlugX. In one case, Mustang Panda used it in espionage campaigns targeting European diplomats.

Why did Microsoft delay the patch?

Microsoft initially decided against patching the CVE-2025-9491 vulnerability immediately. The company argued that this flaw required user interaction and that existing Windows warnings provided enough protection against cyberattacks.

However, attackers quickly found ways to bypass these safeguards using a Mark-of-the-Web loophole that allowed malicious .LNK files to execute without triggering security prompts. After months of active exploitation, Microsoft has quietly rolled out a fix to address the Windows LNK vulnerability.

Security recommendations for administrators

To protect against CVE-2025-9491, it’s highly recommended that users should avoid interacting with suspicious .LNK files, especially those delivered inside compressed archives or from unknown sources. Organizations should enforce strict email and file filtering policies, disable shortcut file execution from untrusted locations, and educate employees about the risks of opening unexpected attachments.

Additionally, administrators should apply Microsoft’s latest security updates on Windows machines as soon as possible. They should also enable advanced endpoint protection and monitor for abnormal shortcut file behavior within enterprise networks.