PT-2025-34796 · Microsoft · Windows

Published

2025-03-18

·

Updated

2026-07-03

·

CVE-2025-9491

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Microsoft Windows (affected versions not specified)
Description

This issue is a code execution flaw in the handling of .LNK (shortcut) files. It is classed as remote code execution because the malicious file is delivered remotely; the CVSS vector is local (AV:L) with user interaction (UI:R) because the victim must open the file. An attacker who persuades a target to open a specially crafted shortcut or visit a malicious page gains arbitrary code execution in the context of the current user. The flaw is a UI misrepresentation: the shortcut's command-line arguments (the COMMAND_LINE_ARGUMENTS string in the Shell Link binary format) can be padded with whitespace characters (space, tab, line feed, vertical tab, form feed, carriage return) so that the malicious PowerShell or batch command lies beyond the first 260 characters that the Target field of the file properties dialog displays. A user inspecting the file sees an apparently empty or harmless Target, while the shortcut still executes the full command line when launched.
Real-world exploitation has been observed since 2017, involving at least 11 state-sponsored APT groups and cybercrime gangs (including Evil Corp, APT37, APT43, and Mustang Panda). Targets have included government agencies, financial institutions, and diplomatic organizations in the EU, Russia, Brazil, Kazakhstan, and Serbia. Attackers typically deliver the shortcuts through spear-phishing emails, often inside ZIP archives, and use them to deploy malware such as the PlugX RAT and BusySnake Stealer.
Recommendations

Apply the Microsoft security updates released in November 2025, which make the full Target field visible in .LNK file properties; the fix addresses the display, so a padded shortcut that a user launches still runs whatever its command line contains. Block .LNK files at the network perimeter, including inside ZIP and other archive attachments. Monitor for anomalous PowerShell or cmd.exe executions initiated via .LNK files, that is, processes spawned by explorer.exe whose command line contains long runs of whitespace. Control and monitor for DLL side-loading in legitimate processes, the loading technique PlugX relies on. Analyze outbound connections to the CloudFront CDN for potential C2 activity.
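The following is an added example for this advisory, not code from the page, Microsoft or ZDI. It reads just enough of the MS-SHLLINK (Shell Link) binary format to reach the StringData section, extracts COMMAND_LINE_ARGUMENTS, and flags arguments that bury a command behind a long whitespace run, the padding pattern described above. The same test is then applied to a process-creation log line, which is the monitoring recommendation in practice. The sample shortcut bytes, the log line layout and the 32-character run threshold are assumptions constructed for the demo.

```python
"""Static check for whitespace-padded .LNK command lines (CVE-2025-9491 pattern).

Added example, not code from the advisory, Microsoft or ZDI. The shortcut
bytes and the key="value" log line used below are constructed for the demo.
"""
import re
import struct

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags (MS-SHLLINK 2.1.1) that decide what follows the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_ARGUMENTS = 0x04, 0x20
STRING_FIELDS = (  # StringData entries in on-disk order, with their presence flag
    (0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
    (0x20, "arguments"), (0x40, "icon_location"))

# Padding characters reported in the wild: space, tab, LF, VT, FF, CR
PAD_CHARS = " \t\n\x0b\x0c\r"
PAD_RE = r"[ \t\n\x0b\x0c\r]"
NONPAD_RE = r"[^ \t\n\x0b\x0c\r]"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link as {field_name: str}."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def check_arguments(arguments: str, threshold: int = 32) -> dict:
    """Flag a command line that hides content behind a run of padding characters.

    A run of `threshold` or more padding characters followed by non-padding
    text is the tell: the Properties dialog truncates what it shows, so
    everything after the run is invisible to a user inspecting the file.
    """
    m = re.search("%s{%d,}(?=%s)" % (PAD_RE, threshold, NONPAD_RE), arguments)
    if m is None:
        return {"suspicious": False, "pad_run": 0, "hidden_command": ""}
    return {"suspicious": True, "pad_run": m.end() - m.start(),
            "hidden_command": arguments[m.end():].strip(PAD_CHARS)}


def scan_lnk(data: bytes) -> dict:
    """Parse a shell link and score its COMMAND_LINE_ARGUMENTS."""
    return check_arguments(parse_lnk_strings(data).get("arguments", ""))


def scan_process_event(line: str) -> dict:
    """Apply the same test to a key="value" process-creation log line (assumed layout).

    A double-clicked shortcut is launched by explorer.exe, so a padded command
    line under that parent is the event worth alerting on.
    """
    kv = dict(re.findall(r"(\w+)=\"([^\"]*)\"", line))
    verdict = check_arguments(kv.get("CommandLine", ""))
    verdict["lnk_like_parent"] = kv.get("ParentImage", "").lower().endswith("\\explorer.exe")
    return verdict


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Construct a minimal Unicode shell link carrying only StringData (demo input)."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_NAME if name else 0)
    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)  # ..., FileAttributes
    header += b"\x00" * 24                                            # three FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)            # FileSize..Reserved3, ShowCommand=1
    body = b""
    for text in ([name] if name else []) + [arguments]:
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"                        # TerminalBlock


if __name__ == "__main__":
    # Constructed sample: 300 spaces in front of the real command
    evil = build_lnk(" " * 300 + '-nop -w hidden -c "Start-Process calc.exe"', name="Report")
    print(scan_lnk(evil))
    print(scan_lnk(build_lnk('/c "echo hello"')))
    print(scan_process_event('ParentImage="C:\\Windows\\explorer.exe" '
                             'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                             'CommandLine="powershell.exe' + " " * 64 + '-nop -w hidden -c calc.exe"'))
```

To scan a real sample, pass the file bytes to `scan_lnk`; the parser skips LinkTargetIDList and LinkInfo by their size fields, so shortcuts that point at powershell.exe or cmd.exe through a normal target path are handled. The run threshold is a tuning knob: legitimate shortcuts rarely contain more than a few consecutive spaces, while the in-the-wild samples pad well past the 260 characters the dialog shows.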

Exploit

Fix

RCE

Weakness Enumeration

UI Misrepresentation of Critical Information (CWE-451)

Related Identifiers

BDU:2025-13635
CVE-2025-9491
ZDI-25-148

Affected Products

Windows