Full Report
Microsoft has silently plugged a security flaw that has been exploited by several threat actors since 2017 as part of the company's November 2025 Patch Tuesday updates, according to ACROS Security's 0patch. The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misinterpretation vulnerability that could lead to remote
Analysis Summary
# Vulnerability: Windows LNK File UI Misinterpretation Leading to RCE
## CVE Details
- CVE ID: CVE-2025-9491
- CVSS Score: 7.8 (High). The source's "7.8/7.0" is the base score followed by the temporal score.
- CWE: Not stated in the source. The behaviour described (the Properties dialog showing something other than what the shortcut will run) is the user-interface misrepresentation of critical information class, CWE-451.
## Affected Systems
- Products: Windows operating system.
- Versions: Not stated. The fix shipped in the November 2025 Patch Tuesday updates, so Windows builds without those updates remain affected.
- Configurations: Any Windows configuration in which a user can open or inspect a crafted `.LNK` (Shortcut) file, whether from Explorer, an email attachment, an extracted archive, or removable media.
## Vulnerability Description
This vulnerability is a Windows Shortcut (LNK) file UI misinterpretation flaw that can lead to Remote Code Execution (RCE). The flaw is in how Windows presents a `.LNK` file's target to the user, specifically the `Target` field of the shortcut's Properties dialog, which renders the target path followed by the shortcut's command-line arguments.
A crafted `.LNK` file can pad its command-line arguments with whitespace characters (spaces, tabs, carriage returns, line feeds and similar) so that the visible part of the `Target` field contains only a legitimate-looking program path, while the malicious arguments are pushed past what the dialog renders. The file format allows far longer strings than the dialog showed (the report cites up to 32k characters), but the Properties dialog displayed only the first 260 characters and silently truncated the rest, so a long padded command string was concealed from anyone inspecting the file. Viewing the properties does not itself run anything; the shortcut executes when the user opens it, and the flaw is that the one place a user would look before doing so showed a harmless path. An attacker who convinces a user to open such a shortcut executes code in the context of that user.
## Exploitation
- Status: **Exploited in the wild** (Reported active exploitation since 2017 by multiple state-sponsored groups, including those from China, Iran, North Korea, and Russia).
- Complexity: Low attack complexity, but user interaction is required (the victim must open the shortcut). The whitespace padding exists to make that interaction more likely by defeating visual inspection of the file.
- Attack Vector: Local. The crafted `.LNK` must reach the victim's machine and be opened there; in the reported campaigns it arrived via phishing (often inside an archive) or on removable media.
## Impact
- Confidentiality: High. Code runs with the privileges of the user who opens the shortcut; the reported campaigns used it for data theft and espionage.
- Integrity: High. The same code execution allows arbitrary file and configuration changes and further malware installation (e.g. PlugX, XDigo).
- Availability: High. Arbitrary code execution in the user's context can disrupt or destroy the user's data and processes.
## Remediation
### Patches
- **Official Microsoft Patch:** Applied silently as part of the November 2025 Patch Tuesday updates.
- **Patch Detail:** The fix addresses the UI misinterpretation by ensuring the Properties dialog displays the *entire* Target command string and arguments, regardless of length, preventing silent truncation.
### Workarounds
- **Microsoft Pre-existing Mitigation:** `.LNK` files are blocked across Microsoft Office applications (Outlook, Word, Excel, PowerPoint, and OneNote), with a warning when a user attempts to open one from an unknown source. This covers only shortcuts opened through Office; it does nothing for `.LNK` files extracted from an archive or opened from removable media in Explorer, and it does not change how the Properties dialog renders the target, so it did not address the UI concealment itself.
- **General Mitigation:** Treat shortcut files from untrusted sources as executables: do not open them, and on an unpatched system do not rely on the Properties dialog to judge whether a shortcut is safe, since that is exactly the view the technique subverts.
## Detection
- **Indicators of Compromise (IoCs):** No file hashes or network indicators are given in the source. Hunt retrospectively for `.LNK` files that preceded known payloads associated with this technique (XDigo, PlugX) and for the process trees a shortcut launch produces: Explorer spawning `cmd.exe` or `powershell.exe` with an unusually long or whitespace-padded command line.
- **Detection Methods and Tools:** Parse `.LNK` files directly (the `COMMAND_LINE_ARGUMENTS` string in the StringData section of the shell link format) rather than trusting the Properties dialog. Flag arguments longer than 260 characters, long runs of leading whitespace, and control characters such as CR, LF, vertical tab or form feed, none of which belong in a legitimate shortcut command line.
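The following is an added example (not code from 0patch, ZDI or Microsoft) that demonstrates both the concealment described under Vulnerability Description and the file-level check described above. It parses the shell link header and StringData per the MS-SHLLINK layout, models the pre-fix Properties dialog as "path plus arguments, truncated to 260 characters" (an assumption that follows the report's figure), and flags padded command lines. The sample shortcuts are constructed in the block; they use a relative path as the target rather than a LinkTargetIDList, a simplification for the example, and the `PAD_THRESHOLD` of 16 leading whitespace characters is an arbitrary tuning choice.

```python
"""Parse Windows shortcut (.LNK) StringData and flag whitespace-padded
command lines of the kind CVE-2025-9491 / ZDI-CAN-25373 abuse.

Layout per MS-SHLLINK: a 76-byte ShellLinkHeader, optional LinkTargetIDList
and LinkInfo blocks, then up to five StringData entries (NAME, RELATIVE_PATH,
WORKING_DIR, COMMAND_LINE_ARGUMENTS, ICON_LOCATION), each a 2-byte character
count followed by the string (UTF-16LE when IsUnicode is set).
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits relevant to StringData parsing.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

PAD_CHARS = " \t\r\n\x0b\x0c"      # whitespace used as padding
CONTROL_PAD = "\r\n\x0b\x0c"       # never legitimate in a command line
DISPLAY_LIMIT = 260                # chars the pre-fix Target field showed (per the report)
PAD_THRESHOLD = 16                 # assumption: leading pad beyond this is suspicious


def parse_lnk(data: bytes) -> tuple:
    """Return (LinkFlags, StringData dict) for a shell link, or raise ValueError."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return flags, strings


def analyze_lnk(data: bytes) -> dict:
    """Model what the pre-fix Properties dialog showed and flag concealment."""
    _, s = parse_lnk(data)
    args = s.get("arguments", "")
    target = s.get("relative_path", "")
    full = target + " " + args if args else target   # Target field = path + arguments
    shown, hidden = full[:DISPLAY_LIMIT], full[DISPLAY_LIMIT:]
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    findings = []
    if any(c in CONTROL_PAD for c in args):
        findings.append("control characters (CR/LF/VT/FF) in arguments")
    if leading >= PAD_THRESHOLD:
        findings.append(f"{leading} leading whitespace characters in arguments")
    if len(full) > DISPLAY_LIMIT:
        findings.append(f"target+arguments is {len(full)} chars; dialog showed {DISPLAY_LIMIT}")
    if hidden.strip() and not shown[len(target):].strip():
        findings.append("visible Target is only the program path; real command line is past the display window")
    return {"target": target, "arguments": args, "leading_whitespace": leading,
            "visible": shown, "hidden_text": hidden.strip(),
            "findings": findings, "suspicious": bool(findings)}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shell link (no IDList/LinkInfo) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=SW_SHOWNORMAL
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples (not real malware): a benign shortcut and one padded so the
# command line sits past the 260-character display window.
CMD = "..\\..\\..\\Windows\\System32\\cmd.exe"
SAMPLE_BENIGN = build_lnk(CMD, "/k echo hello")
SAMPLE_PADDED = build_lnk(CMD, (" " * 24 + "\r\n") * 40 + "/c start /min C:\\Users\\Public\\update.bat")

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("padded", SAMPLE_PADDED)):
        r = analyze_lnk(blob)
        print(f"{label}: suspicious={r['suspicious']} visible={r['visible'][:60]!r}")
        for f in r["findings"]:
            print("   -", f)
        if r["hidden_text"]:
            print("   hidden:", r["hidden_text"])
```

Running the block shows the padded sample's `visible` value as the `cmd.exe` path followed by whitespace, with the `start /min ...` command reported only under `hidden`, which is the view a user got from the Properties dialog before the November 2025 fix. For triage at scale, point `analyze_lnk` at the bytes of every `.LNK` recovered from mail attachments, archives or user profiles; a real shortcut that stores its target only in the LinkTargetIDList will show an empty `target` here, so the findings on `arguments` are the ones to rely on.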
## References
- Vendor Advisory: ADV25258226 (Microsoft Guidance issued late October 2025).
- Third-Party Tracking: ZDI-CAN-25373.
- Academic/Research: [ACROS Security's 0patch Blog Post](hXXps://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html) (Detailed technical analysis).