PT-2025-34796 · Microsoft · Windows
Published 2025-03-18 · Updated 2026-07-03 · CVE-2025-9491
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Microsoft Windows (affected versions not specified)
Description
This issue is a remote code execution flaw in the handling of .LNK (shortcut) files. It allows attackers to execute arbitrary code in the context of the current user if the target opens a specially crafted malicious file or visits a malicious page. The flaw stems from UI misrepresentation: an attacker can pad the Target field with whitespace characters so that PowerShell or batch commands lie beyond the first 260 characters displayed in the file's Properties interface, which makes the hazardous content invisible to a user inspecting the file.

Real-world exploitation has been observed since 2017, involving at least 11 state-sponsored APT groups and cybercrime gangs (including Evil Corp, APT37, APT43, and Mustang Panda). Targets have included government agencies, financial institutions, and diplomatic structures in the EU, Russia, Brazil, Kazakhstan, and Serbia. Attackers often distribute these files via spear-phishing emails, frequently concealed within ZIP archives, to deploy malware such as the PlugX RAT and BusySnake Stealer.
Recommendations
Apply the Microsoft security updates released in November 2025 to ensure full visibility of the Target field in .LNK file properties.
Block .LNK files at the network perimeter.
Monitor for anomalous PowerShell executions initiated via .LNK files.
Control and monitor for DLL side-loading in legitimate processes.
Analyze outbound connections to CloudFront CDN for potential C2 activity.

Tags: Exploit · Fix · RCE · UI Misrepresentation of Critical Information
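The padding trick described above can be checked for statically, before a shortcut reaches a user (for example on a mail gateway or in a sandbox), and the same heuristic applies to the CommandLine field of process-creation telemetry, which is what the monitoring recommendation above asks for. The Python script below is an added example written for this page; it is not code from the advisory's publisher or from Microsoft. It reads the StringData section of a .LNK file following the MS-SHLLINK layout (header, optional LinkTargetIDList and LinkInfo skipped by their declared sizes, then the five counted strings), builds a constructed test shortcut that is not a sample from any real campaign, and flags argument strings whose content sits after a long whitespace run or beyond the first 260 characters. The MIN_PAD_RUN threshold, the cp1252 fallback for non-Unicode strings and the build_sample_lnk fixture are assumptions of this example.

```python
import re
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader and LinkFlags).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_DATA_ORDER = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION))

VISIBLE_CHARS = 260   # Target field length shown in the Properties dialog, per the advisory
MIN_PAD_RUN = 8       # assumption: 8+ consecutive whitespace chars is not normal in a real command line
PAD_RUN = re.compile(r"\s{" + str(MIN_PAD_RUN) + ",}")


def parse_lnk(data: bytes) -> dict:
    """Read the StringData fields of a .LNK file (Name, RelativePath, WorkingDir,
    Arguments, IconLocation). LinkTargetIDList and LinkInfo are skipped by their
    declared sizes; any ExtraData after the strings is ignored."""
    try:
        if (len(data) < LNK_HEADER_SIZE
                or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
                or data[4:20] != LNK_CLSID):
            raise ValueError("not a Shell Link file")
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = LNK_HEADER_SIZE
        if flags & HAS_LINK_TARGET_ID_LIST:
            pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
        if flags & HAS_LINK_INFO:
            pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers the whole structure
        unicode = bool(flags & IS_UNICODE)
        fields = {"flags": flags}
        for name, flag in STRING_DATA_ORDER:
            if not flags & flag:
                continue
            count = struct.unpack_from("<H", data, pos)[0]       # CountCharacters; no terminator follows
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            if len(raw) != nbytes:
                raise ValueError(f"truncated {name} string")
            # ANSI strings use the system code page; cp1252 is an assumption of this example.
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
        return fields
    except struct.error as exc:
        raise ValueError("truncated Shell Link header or structure") from exc


def assess_arguments(arguments: str) -> dict:
    """Flag an argument string that hides content past the visible Target field.
    The dialog prepends the target path, so the real budget for arguments is below
    VISIBLE_CHARS; using the full 260 here errs toward fewer alerts (assumption)."""
    longest = max((len(m.group()) for m in re.finditer(r"\s+", arguments)), default=0)
    hidden_tail = arguments[VISIBLE_CHARS:].strip()
    reasons = []
    if hidden_tail:
        reasons.append(f"{len(hidden_tail)} non-whitespace chars beyond the first {VISIBLE_CHARS}")
    pad = PAD_RUN.search(arguments)
    if pad and arguments[pad.end():].strip():
        reasons.append(f"{len(pad.group())}-char whitespace run followed by more command text")
    return {"length": len(arguments), "longest_whitespace_run": longest,
            "hidden_tail": hidden_tail, "reasons": reasons, "suspicious": bool(reasons)}


def scan_lnk(data: bytes) -> dict:
    """Parse a shortcut and return the verdict for its Arguments field."""
    fields = parse_lnk(data)
    verdict = assess_arguments(fields.get("arguments", ""))
    verdict["relative_path"] = fields.get("relative_path")
    return verdict


def build_sample_lnk(arguments: str, relative_path: str = r"..\..\Windows\System32\cmd.exe") -> bytes:
    """Constructed test fixture, not a file from any real campaign: a minimal Unicode
    shortcut carrying only RelativePath and Arguments (no IDList, LinkInfo or ExtraData)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a normal shortcut and one padded the way the advisory describes.
BENIGN_ARGS = "/c echo hello"
PADDED_ARGS = "/c start notepad.exe" + " " * 300 + "& echo constructed-hidden-marker"

if __name__ == "__main__":
    for label, args in (("benign", BENIGN_ARGS), ("padded", PADDED_ARGS)):
        result = scan_lnk(build_sample_lnk(args))
        print(label, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

On a real file, call scan_lnk(open(path, "rb").read()); the two reasons are reported separately because a long argument string without padding is still worth review, while a padding run followed by more text is the specific pattern this advisory describes. Shortcuts that use a LinkTargetIDList or LinkInfo instead of RelativePath are handled by the size-based skips, so the parser is not limited to the shape of the constructed fixture.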
Related Identifiers
Affected Products
Windows