Microsoft has silently plugged a security flaw that has been exploited by several threat actors since 2017 as part of the company’s November 2025 Patch Tuesday updates, according to ACROS Security’s 0patch.
The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misinterpretation vulnerability that could lead to remote code execution.
“The specific flaw exists within the handling of .LNK files,” according to a description in the NIST National Vulnerability Database (NVD). “Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user.”
In other words, these shortcut files are crafted such that viewing their properties in Windows conceals the malicious commands executed by them out of the user’s sight by using various “whitespace” characters. To trigger their execution, attackers could disguise the files as harmless documents.
Details of the shortcoming first emerged in March 2025, when Trend Micro’s Zero Day Initiative (ZDI) disclosed that the issue had been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns, some of which date back to 2017. The issue is also tracked as ZDI-CAN-25373.
At that time, Microsoft told The Hacker News that the flaw does not meet the bar for immediate servicing and that it will consider fixing it in a future release. It also pointed out that the LNK file format is blocked across Outlook, Word, Excel, PowerPoint, and OneNote, as a result of which any attempt to open such files will trigger a warning to users not to open files from unknown sources.
Subsequently, a report from HarfangLab found that the shortcoming was abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo as part of attacks targeting Eastern European governmental entities, the same month the flaw was publicly disclosed.
Then, in late October 2025, the issue reared up a third time after Arctic Wolf flagged an offensive campaign in which China-affiliated threat actors weaponized the flaw in attacks aimed at European diplomatic and government entities and delivered the PlugX malware.
This development prompted Microsoft to issue a formal guidance on CVE-2025-9491, reiterating its decision not to patch it and emphasizing that it does consider it a vulnerability “due to the user interaction involved and the fact that the system already warns users that this format is untrusted.”
0patch said the vulnerability is not just about hiding the malicious part of the command out of the Target field, but the fact that a LNK file “allows the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
