PT-2025-34796 · Microsoft · Windows

Published

2025-03-18

·

Updated

2026-02-16

·

CVE-2025-9491

CVSS v2.0
6.2
Vector AV:L/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Microsoft Windows versions prior to the November 2025 updates
Description: This issue is a user-interface misrepresentation vulnerability in the way Microsoft Windows displays the 'Target:' field in the properties of LNK (shortcut) files, and it leads to code execution with user interaction. An attacker crafts an LNK file whose command-line arguments are padded with a long run of whitespace characters (spaces, tabs, line feeds and similar), so that the Properties dialog shows only the apparent target and blank space while the real command sits beyond the visible portion of the field. When the user opens (double-clicks) the shortcut, the hidden command runs with the privileges of the current user. The vulnerability has been actively exploited since 2017 by multiple threat actors, including UNC6384 (a China-linked group), and has been used in attacks targeting European diplomats and governmental institutions. These attacks involve spear-phishing emails containing malicious LNK files that deploy malware such as the PlugX RAT. The vulnerability was reported to Microsoft in March 2025, but Microsoft initially declined to address it, citing a lack of immediate risk. Microsoft then silently mitigated it in the November 2025 updates by ensuring that the full contents of the 'Target:' field are displayed in the file properties. The vulnerability is also known as ZDI-CAN-25373.
Recommendations: Apply the November 2025 updates, which make the padded arguments visible in the file properties. Block .LNK attachments, including .LNK files delivered inside archives, at the email gateway, and restrict the use of shortcut files received from outside the organization where business processes allow. Monitor for PowerShell and other command interpreters spawned by explorer.exe with unusually long or whitespace-padded command lines, which is the execution pattern this technique produces. Inspect LNK files for command-line arguments that begin with dozens of blank or control-whitespace characters. Enhance user awareness training regarding the risks associated with opening LNK files from untrusted sources.
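The following is an added example, not code from the advisory, Microsoft or ZDI. It parses the StringData section of a Shell Link file according to the MS-SHLLINK layout and applies the heuristics that the description and recommendations imply: flag argument strings that start with a long whitespace run, that contain control whitespace (tab, line feed, carriage return), or that are far longer than a normal shortcut needs. The two shortcut files it analyzes are constructed in memory; the 16-character padding threshold and the 260-character length limit are assumptions chosen for illustration, and the hidden command is a harmless stand-in for the payload launchers seen in the campaigns.

```python
"""Detect whitespace-padded command-line arguments in Windows .LNK files.

Added example for the CVE-2025-9491 / ZDI-CAN-25373 technique. Field layout
follows MS-SHLLINK; the sample shortcuts built below are constructed test
data, not real-world samples.
"""
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk GUID encoding
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that affect where StringData starts
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData blocks appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Characters that render as blank space in the Properties dialog; attackers
# prepend hundreds of them so the real command is pushed out of view.
PADDING_CHARS = " \t\n\r\x0b\x0c"
CONTROL_WHITESPACE = "\t\n\r\x0b\x0c"
PADDING_THRESHOLD = 16    # assumption: no legitimate shortcut pads this much
LENGTH_THRESHOLD = 260    # assumption: longer arguments deserve a look


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file as a dict."""
    if (len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def analyze_arguments(args: str) -> dict:
    """Apply the padding heuristics to a shortcut's argument string."""
    visible = args.lstrip(PADDING_CHARS)
    padding = len(args) - len(visible)
    findings = []
    if padding >= PADDING_THRESHOLD:
        findings.append(f"{padding} padding chars precede: {visible[:80]!r}")
    if any(c in args for c in CONTROL_WHITESPACE):
        findings.append("control whitespace (tab/newline/etc.) inside arguments")
    if len(args) > LENGTH_THRESHOLD:
        findings.append(f"arguments are {len(args)} chars long")
    return {"padding": padding, "hidden_command": visible, "findings": findings}


def analyze_lnk(data: bytes) -> dict:
    fields = parse_lnk(data)
    result = analyze_arguments(fields.get("arguments", ""))
    result["relative_path"] = fields.get("relative_path", "")
    return result


def scan_directory(root: str) -> list:
    """Return (path, result) for every *.lnk under root that trips a heuristic."""
    flagged = []
    for path in Path(root).rglob("*.lnk"):
        try:
            result = analyze_lnk(path.read_bytes())
        except (ValueError, struct.error):
            continue   # not a shortcut or truncated; skip rather than crash a scan
        if result["findings"]:
            flagged.append((str(path), result))
    return flagged


def build_lnk(arguments: str, relative_path: str = "", unicode: bool = True) -> bytes:
    """Construct a minimal .lnk (header + StringData only) as detector test input."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    if relative_path:
        flags |= HAS_RELATIVE_PATH
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, times, etc.
    body = b""
    for flag, text in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments)):
        if flags & flag:
            encoded = text.encode("utf-16-le") if unicode else text.encode("cp1252")
            body += struct.pack("<H", len(text)) + encoded
    return header + body


# Constructed samples: a normal PowerShell shortcut and one padded in the
# style the advisory describes (hundreds of spaces before the real command).
BENIGN_ARGS = "-NoProfile -File C:\\Tools\\backup.ps1"
HIDDEN_COMMAND = '-w hidden -nop -c "Start-Process notepad.exe"'
PADDED_ARGS = " " * 900 + HIDDEN_COMMAND

if __name__ == "__main__":
    for label, args in (("benign", BENIGN_ARGS), ("padded", PADDED_ARGS)):
        report = analyze_lnk(build_lnk(args, relative_path="powershell.exe"))
        print(label, report["padding"], report["findings"])
```

Point `scan_directory` at a mail-attachment quarantine or a user's Downloads folder to triage shortcuts in bulk; the parser only walks the fixed-order StringData blocks, so it stays cheap and does not need to interpret the IDList or LinkInfo structures.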

Exploit

Fix

RCE

Weakness Enumeration

UI Misrepresentation of Critical Information (CWE-451)

Related Identifiers

BDU:2025-13635
CVE-2025-9491
ZDI-25-148

Affected Products

Windows