
Microsoft Patches Decade-Old Windows LNK Vulnerability Exploited by State Actors


These articles are AI-generated summaries. Please check the original sources for full details.

Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation

Microsoft has resolved CVE-2025-9491, a Windows Shortcut (LNK) file vulnerability exploited by state-sponsored actors since 2017, in its November 2025 Patch Tuesday updates. The flaw let a crafted LNK file hide its real command line: the shortcut's Properties dialog shows only the first 260 characters of the target command, so whitespace padding placed in the command-line arguments pushes the malicious portion out of view while Windows still executes it in full.

Why This Matters

The vulnerability is a UI misrepresentation issue rather than a memory-safety bug, and it exposed the gap between a warning-based security model and what users can actually verify. Windows warns users before they run an untrusted LNK file, and a cautious user may inspect the shortcut's target in the Properties dialog; but that dialog truncates the target command at 260 characters, so attackers padded the command-line arguments with whitespace until the malicious part fell past the cutoff and the dialog showed nothing alarming. This allowed state groups to execute code undetected for years, and it highlights the risk of relying on user warnings without a technical control that shows, or blocks, the full command. The flaw was linked to espionage campaigns against governments and financial institutions.

Key Insights

  • “CVE-2025-9491 (CVSS 7.8): Windows LNK file UI misinterpretation vulnerability” (NIST NVD, 2025)
  • “Crafted LNK files truncate malicious commands beyond 260 characters, hiding execution risks” (ACROS Security, 2025)
  • “0patch’s micropatch warns users of LNK files exceeding 260 characters” (0patch, 2025)
  • “Exploited by 11 state-sponsored groups since 2017, including XDSpy and China-affiliated actors” (Trend Micro ZDI, 2025)

Practical Applications

  • Use Case: Government entities targeted by PlugX malware delivered through LNK files disguised as documents
  • Pitfall: Relying on the untrusted-shortcut warning alone leaves the padded command invisible to the user; until the November 2025 update or the 0patch micropatch is applied, the Properties dialog cannot be trusted to show the full command line, so LNK files from untrusted sources should be inspected with a parser or blocked at the mail and web gateway
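As an added example (not code from the article or from any of the vendors it cites), the following Python script parses the StringData section of a .LNK file and flags shortcuts whose command-line arguments are padded so that the real command lands past the 260-character window the article describes. The 260-character cutoff, the assumption that the Target field renders the path followed by a space and the arguments, the padding character set, and both sample shortcuts are constructed here for illustration and are not taken from the page.

```python
import struct

# Shell Link (.LNK) constants from the MS-SHLLINK format: header size, LinkCLSID, LinkFlags bits.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order, each present only when its flag is set.
STRING_DATA = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

DISPLAY_LIMIT = 260          # characters of the target command the Properties dialog shows (per the article)
PAD_CHARS = " \t\n\v\f\r"    # whitespace/control characters usable as padding (assumed set)


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData section of a .LNK file; IDList and LinkInfo are skipped."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {"flags": flags}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters; string is not NUL-terminated
        off += 2
        nbytes = count * 2 if unicode else count
        if off + nbytes > len(data):
            raise ValueError(f"truncated {name}")
        raw = data[off:off + nbytes]
        off += nbytes
        out[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return out


def analyze(data: bytes, display_limit: int = DISPLAY_LIMIT) -> dict:
    """Flag shortcuts whose real arguments would fall outside the dialog's visible window."""
    lnk = parse_lnk(data)
    path = lnk.get("relative_path", "")
    args = lnk.get("arguments", "")
    padding = len(args) - len(args.lstrip(PAD_CHARS))
    # Assumption: the Target field renders "<path> <arguments>" and cuts it at display_limit characters.
    target_field = f"{path} {args}" if args else path
    hidden_text = target_field[display_limit:].strip(PAD_CHARS)
    control_padding = any(c in "\t\n\v\f\r" for c in args[:padding])
    return {
        "path": path,
        "padding_chars": padding,
        "hidden_text": hidden_text,                       # argument text the user would never see
        "suspicious": bool(hidden_text) or control_padding,
    }


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal Unicode .LNK (constructed test data; no IDList, no LinkInfo) for the samples below."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x80)                    # FileAttributes: FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24                               # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, Reserved
    assert len(header) == HEADER_SIZE

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) + (string_data(arguments) if arguments else b"")
    return header + body + struct.pack("<I", 0)          # TerminalBlock closes ExtraData


# Constructed samples, not real malware: a plain document shortcut, and one padded the way the
# CVE-2025-9491 technique does, so the "/c ..." argument starts past the 260-character cutoff.
BENIGN_LNK = build_lnk(r"..\..\Documents\report.docx")
PADDED_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", " " * 300 + "/c calc.exe")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, analyze(blob))
```

Running the script reports the benign shortcut as clean and the padded one as suspicious with 300 padding characters and "/c calc.exe" as the hidden text. The same parser can be pointed at real shortcuts from mail attachments or ISO/ZIP lures; the useful signals are any leading control characters in the arguments and any non-whitespace argument text that starts beyond the dialog's visible window, neither of which legitimate shortcuts normally carry.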
