Full Report
An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373, refers to an issue that allows bad actors to execute hidden
Analysis Summary
# Vulnerability: Windows Shell Link (.LNK) File Argument Padding for Hidden Command Execution
## CVE Details
- CVE ID: None given in the source text; the issue is tracked as ZDI-CAN-25373.
- CVSS Score: Not available in the provided text. Microsoft classified the issue as **Low severity**.
- CWE: CWE-451 (User Interface (UI) Misrepresentation of Critical Information)
## Affected Systems
- Products: Microsoft Windows (specific versions not detailed, but exploited since 2017).
- Versions: Unspecified.
- Configurations: Exploitation relies on users interacting with crafted Windows Shortcut or Shell Link (.LNK) files.
## Vulnerability Description
The vulnerability resides in how Windows handles Shell Link (.LNK) files, allowing attackers to hide malicious command-line arguments. By padding the arguments within the .LNK file with Line Feed (`\x0A`) and Carriage Return (`\x0D`) characters, threat actors can execute hidden malicious payloads while preventing the end user from viewing these execution commands in the UI, which is the UI Misrepresentation of Critical Information that CWE-451 describes.
## Exploitation
- Status: **Exploited in the wild** by 11 state-sponsored threat groups (China, Iran, North Korea, Russia) since 2017 for data theft and espionage.
- Complexity: Implicitly **Low**, given the long history of exploitation by multiple groups.
- Attack Vector: File interaction (likely Local or Network delivery of the .LNK file).
## Impact
- Confidentiality: High (Used for data theft and espionage).
- Integrity: Data corruption/manipulation via executed malware payloads (e.g., Lumma Stealer, GuLoader, Remcos RAT).
- Availability: Potential impact due to malware execution.
## Remediation
### Patches
- **None available.** Microsoft has classified the issue as low severity and **does not plan to release a fix.**
### Workarounds
- No specific workarounds are detailed in the text. Detection and preventative measures focused on suspicious file handling are implied.
## Detection
- **Indicators of Compromise:** Presence of numerous malicious .LNK file artifacts (nearly 1,000 unearthed). Use of .LNK files to deliver malware families such as Lumma Stealer, GuLoader, and Remcos RAT, or specific campaigns like Evil Corp's Raspberry Robin distribution.
- **Detection methods and tools:** Researchers noted the use of padding characters (`\x0A` and `\x0D`) within arguments as a key evasion technique, suggesting that file-signature or sandbox analysis looking for these control characters in .LNK argument strings could be effective.
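The argument-padding check suggested above, worked through as an added Python example (not code from the source report or from ZDI): it walks the MS-SHLLINK layout (fixed header, optional LinkTargetIDList and LinkInfo, then StringData) far enough to pull out COMMAND_LINE_ARGUMENTS, then flags CR/LF characters or long whitespace runs. The `.LNK` sample is constructed inline and is not a real-world artifact; the 64-character run threshold is an assumed tuning value.

```python
import re
import struct
from typing import Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_ORDER = (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON)  # StringData field order
PAD_RE = re.compile(r"[\r\n\t\v\f ]+")
PAD_CHARS = "\r\n\t\v\f "
RUN_THRESHOLD = 64  # assumed heuristic: whitespace runs this long are not normal in shortcut arguments

def lnk_arguments(data: bytes) -> Optional[str]:
    """Return COMMAND_LINE_ARGUMENTS from a Shell Link file, or None if the field is absent."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:       # IDListSize (2 bytes) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:     # LinkInfoSize (4 bytes) counts the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for flag in STRING_ORDER:    # each string: CountCharacters (2 bytes) + that many characters
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2: pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGS:
            return raw.decode(enc)
    return None

def padding_report(args: str) -> dict:
    """Score an argument string for ZDI-CAN-25373-style padding (CR/LF or long whitespace runs)."""
    crlf = args.count("\n") + args.count("\r")
    longest_run = max((len(m) for m in PAD_RE.findall(args)), default=0)
    return {"crlf_count": crlf, "longest_pad_run": longest_run,
            "visible": args.strip(PAD_CHARS),  # arguments with leading/trailing padding removed
            "suspicious": crlf > 0 or longest_run >= RUN_THRESHOLD}

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test input: a header plus a single Unicode COMMAND_LINE_ARGUMENTS field."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # zeroed times/size, SW_SHOWNORMAL
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

if __name__ == "__main__":
    for sample in ("/c echo constructed-sample", " \r\n" * 30 + "/c echo constructed-sample"):
        print(padding_report(lnk_arguments(build_sample_lnk(sample))))
```

To scan real files, pass the bytes of each `.lnk` to `lnk_arguments` and act on the `suspicious` flag of `padding_report`.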
## References
- Vendor Advisory (ZDI): [zerodayinitiative.com/advisories/ZDI-25-148/](https://www.zerodayinitiative.com/advisories/ZDI-25-148/) (Defanged: zerodayinitiative.com/advisories/ZDI-25-148/)
- News Source: [thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html](https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html) (Defanged: thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html)