PT-2025-34796 · Microsoft · Windows

Published

2025-03-18

·

Updated

2025-11-13

·

CVE-2025-9491

CVSS v2.0: 6.2
Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Microsoft Windows versions prior to the August 2025 patch day

Description

This issue is a remote code execution flaw in the Microsoft Windows shortcut (.LNK) handling mechanism. The vulnerability allows attackers to conceal malicious command-line arguments within .LNK files, making them invisible to standard Windows user interface tools. Exploitation involves crafting malicious .LNK files and delivering them through spearphishing emails, often themed around events such as NATO workshops or EU Commission meetings. Successful exploitation can lead to the execution of arbitrary code in the context of the current user.

The vulnerability has been actively exploited by multiple threat actors, including the China-linked group UNC6384, which has targeted European diplomatic entities in countries such as Hungary, Belgium, Italy, and Serbia. The PlugX remote access trojan (RAT) is frequently deployed as part of these attacks. It is estimated that this vulnerability has been exploited by at least 11 state-sponsored groups and cybercrime gangs since March 2025. The vulnerability allows attackers to bypass standard security measures and gain unauthorized access to sensitive information. The vulnerability is also tracked as ZDI-CAN-25373.

Recommendations

Restrict or block the use of Windows .LNK files.
Monitor for anomalous PowerShell launches initiated through .LNK files.
Control DLL side-loading of legitimate processes.
Analyze outbound connections to the CloudFront CDN.
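As an added example (not part of this advisory or of Positive Technologies' tooling), a small Python parser that pulls the COMMAND_LINE_ARGUMENTS string out of a Shell Link file and flags argument strings hiding content behind a long whitespace run; the whitespace-padding detail comes from the public ZDI/Trend Micro analysis of ZDI-CAN-25373 rather than from this page, and the MS-SHLLINK layout constants and the sample-file builder are assumptions of mine.

```python
import re
import struct

# ShellLinkHeader layout per MS-SHLLINK (assumed from the spec, not from this advisory).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, IS_UNICODE = 0x20, 0x80
PAD_RE = re.compile(r"[ \t\n\v\f\r]+")  # whitespace the shell UI collapses or cuts off

def _read_string_data(data, off, unicode):
    """Read one StringData item: u16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    end = off + 2 + count * (2 if unicode else 1)
    return data[off + 2:end].decode("utf-16-le" if unicode else "latin-1"), end

def extract_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK, or None if absent."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip the whole LinkInfo structure
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR):
        if flags & flag:  # StringData items precede the arguments in this order
            _, off = _read_string_data(data, off, unicode)
    if not flags & HAS_ARGUMENTS:
        return None
    return _read_string_data(data, off, unicode)[0]

def assess_arguments(args, max_pad_run=16):
    """Flag argument strings whose real content sits behind a long whitespace run."""
    if args is None:
        return {"suspicious": False, "longest_pad_run": 0, "normalized": ""}
    longest = max((len(m.group()) for m in PAD_RE.finditer(args)), default=0)
    return {"suspicious": longest > max_pad_run,
            "longest_pad_run": longest,
            "normalized": PAD_RE.sub(" ", args).strip()}

def build_sample_lnk(args):
    """Constructed test fixture: a minimal Unicode .LNK carrying only arguments."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run `assess_arguments(extract_arguments(open(path, "rb").read()))` over quarantined attachments; the `normalized` field shows what the Properties dialog would have hidden.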

Exploit

Fix

RCE

UI Misrepresentation of Critical Information

Weakness Enumeration

Related Identifiers

BDU:2025-13635
CVE-2025-9491
ZDI-25-148

Affected Products

Windows