PT-2025-34796 · Microsoft · Windows

Published

2025-03-18

·

Updated

2026-02-01

·

CVE-2025-9491

CVSS v2.0
6.2
Vector
AV:L/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Microsoft Windows (affected versions not specified)
Description
This is a remote code execution vulnerability in the way Windows displays LNK (shortcut) files. An attacker crafts a shortcut whose command-line arguments begin with a long run of whitespace characters. The Properties dialog renders the target path followed by the arguments in its Target field, but shows only the first 260 characters, so the command that actually runs is pushed out of view (UI misrepresentation of critical information). When the user opens the shortcut, the hidden arguments execute with the privileges of the current user. The technique has been exploited in the wild since 2017 by multiple threat actors, including APT groups attributed to North Korea, Iran, Russia and China; UNC6384, a China-linked group, has used it in spear-phishing campaigns against European diplomats, sending LNK files disguised as meeting invitations that chain obfuscated PowerShell and DLL side-loading to deploy the PlugX RAT. The attack vector is a user opening a malicious .LNK file; the manipulated data is the shortcut's command-line arguments field, whose whitespace padding hides the payload beyond the 260 characters displayed in the Target field.
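The check described above, as an added example (not code from this advisory, from Microsoft or from ZDI): a Python parser for the MS-SHLLINK layout that walks the ShellLinkHeader, skips the LinkTargetIDList and LinkInfo structures, extracts the StringData fields and flags COMMAND_LINE_ARGUMENTS whose whitespace padding would push the real arguments past the 260 characters the Target box shows. The sample shortcuts are constructed inline with a harmless `echo`; the 16-character threshold for a benign whitespace run is an assumption, and the parser uses RELATIVE_PATH as a stand-in for the target path rather than resolving the LinkTargetIDList.

```python
"""Parse a Windows shortcut (.LNK, MS-SHLLINK) and flag command-line arguments
padded with whitespace so the Properties dialog's Target box never shows them."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1) that govern which structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order when their flag is set
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

TARGET_BOX_LIMIT = 260          # characters the Properties "Target" box displays
WHITESPACE = " \t\n\x0b\x0c\r"  # space, HT, LF, VT, FF, CR
WS_RUN = re.compile(r"[ \t\n\x0b\x0c\r]+")
MAX_BENIGN_WS_RUN = 16          # assumption: longer runs do not occur in real shortcuts


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size
    fields = {"flags": flags}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def analyze(data: bytes) -> dict:
    """Flag arguments hidden by whitespace padding, as in CVE-2025-9491."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    # RELATIVE_PATH stands in for the target; resolving the real target means
    # walking the LinkTargetIDList, which this example deliberately skips.
    target = info.get("relative_path", info.get("working_dir", ""))
    leading = len(args) - len(args.lstrip(WHITESPACE))
    longest_run = max((len(m) for m in WS_RUN.findall(args)), default=0)
    # The Target box renders "<target> <arguments>" and cuts off at 260 characters
    first_visible_index = len(target) + 1 + leading
    hidden_from_view = leading > 0 and first_visible_index >= TARGET_BOX_LIMIT
    odd_ws = sorted({c for c in args if c in WHITESPACE and c != " "})
    return {
        "target": target,
        "padding_chars": leading,
        "longest_ws_run": longest_run,
        "odd_whitespace": odd_ws,
        "hidden_command": args.lstrip(WHITESPACE),
        "hidden_from_view": hidden_from_view,
        "suspicious": hidden_from_view or longest_run > MAX_BENIGN_WS_RUN or bool(odd_ws),
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal shortcut for exercising the parser: header plus
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS; no IDList, LinkInfo or ExtraData."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LNK_CLSID.bytes_le, flags,
        0,            # FileAttributes
        0, 0, 0,      # CreationTime, AccessTime, WriteTime
        0,            # FileSize
        0,            # IconIndex
        1,            # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,   # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Constructed samples: one padded in the style described above, one ordinary shortcut
    padded = build_lnk("..\\..\\Windows\\System32\\cmd.exe", " " * 300 + "/c echo hidden")
    benign = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "notes.txt")
    for label, blob in (("padded", padded), ("benign", benign)):
        r = analyze(blob)
        print(f"{label}: suspicious={r['suspicious']} padding={r['padding_chars']} "
              f"hidden_command={r['hidden_command']!r}")
```

Run the module directly to see both samples classified; point `analyze()` at the bytes of any real shortcut to get the full arguments string regardless of what the Properties dialog shows. Shortcuts with a LinkTargetIDList or LinkInfo are skipped over correctly, but the reported `target` then falls back to RELATIVE_PATH or WORKING_DIR, which may be absent.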
Recommendations
No fixed version is known at the time of writing. Until one is available, treat shortcut files received by e-mail as untrusted, and inspect the command-line arguments stored in a suspicious .LNK file directly rather than relying on the Properties dialog, which does not display them in full.

Exploit

RCE

Weakness Enumeration

UI Misrepresentation of Critical Information

Related Identifiers

BDU:2025-13635
CVE-2025-9491
ZDI-25-148

Affected Products

Windows