
Microsoft has silently patched a Windows shortcut vulnerability that threat actors have been exploiting since 2017 to hide malicious commands from users inspecting file properties.
The flaw, tracked as CVE-2025-9491, was addressed in Microsoft’s November 2025 Patch Tuesday updates but was not listed among the 63 officially patched vulnerabilities.
The vulnerability first came to public attention on March 18, 2025, when Trend Micro’s Zero Day Initiative published Advisory ZDI-25-148 alongside detailed research by Peter Girnus and Aliakbar Zahravi.
The researchers identified nearly 1,000 malicious Windows shortcut (.lnk) files exploiting this flaw across various offensive campaigns dating back to 2017.
The vulnerability allowed attackers to craft shortcut files that caused the Properties dialog to display only the first 260 characters of the Target field, effectively hiding malicious commands that exceeded this limit.
Microsoft initially declined to patch the issue after being notified in September 2024, stating it didn’t meet its servicing threshold.
The company maintained that existing security warnings for files downloaded from the Internet provided adequate protection through the Mark of the Web feature.
Active Exploitation Forces Reconsideration
The issue gained renewed urgency in late October 2025 when Arctic Wolf researchers published findings showing Chinese-affiliated threat actor UNC6384 actively exploiting the vulnerability to target Hungarian and Belgian diplomatic entities during September and October 2025.
The attackers deployed PlugX malware through weaponized LNK files that leveraged the UI misrepresentation flaw to conceal malicious PowerShell commands.

Despite the confirmed in-the-wild exploitation, Microsoft doubled down with Advisory ADV25258226, declaring that “due to the user interaction involved and the fact that the system already warns users that this format is untrusted, Microsoft does not consider this a vulnerability”.
The company emphasized that users receive warnings when opening files from the Internet, though this Mark of the Web protection can be bypassed through known vulnerabilities.
Microsoft’s November 2025 security updates quietly modified how Windows displays LNK file properties. The Properties dialog now shows the entire Target command regardless of length, though the information remains in a single-line field that requires text selection and scrolling to view completely. This change was implemented without acknowledgment in the official patch documentation.
Security firm ACROS Security developed an alternative patch that takes a more aggressive approach. Their micropatch truncates any LNK file Target field exceeding 260 characters when opened through Windows Explorer and alerts users about the suspicious activity.
This solution is designed to block the 1,000+ malicious shortcuts identified by Trend Micro while preserving functionality for legitimate shortcuts created through standard Windows interfaces.
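The flaw described above (the Properties dialog rendering only the first 260 characters of the Target field) and the ACROS micropatch (flagging any Target exceeding 260 characters) both come down to one measurable property of the shortcut file. The following is an added example, not code from Microsoft, ACROS Security or Trend Micro: a small Python parser for the public Shell Link (.lnk) binary format that extracts the COMMAND_LINE_ARGUMENTS string and reports what an unpatched dialog would have hidden. The 64-character leading-whitespace heuristic is an assumption of this example, and the sample .lnk bytes are constructed by the included `build_lnk` helper, not taken from any real campaign.

```python
"""Added example: parse a Windows Shell Link (.lnk) file and flag Target arguments
that exceed the 260-character limit the pre-patch Properties dialog displayed.
Field layout follows the public MS-SHLLINK specification; the sample .lnk bytes are
constructed here and are not taken from any real campaign."""
import struct
import sys

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
VISIBLE_LIMIT = 260  # characters the unpatched Properties dialog showed

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections appear in this fixed order, each only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (empty string when absent)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:          # skip LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # skip LinkInfo: u32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData for {key}")
        pos += nbytes
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def assess(fields: dict) -> list:
    """Findings for a parsed shortcut: anything the old dialog would not have shown."""
    args = fields["arguments"]
    findings = []
    if len(args) > VISIBLE_LIMIT:
        hidden = args[VISIBLE_LIMIT:]
        findings.append(f"arguments are {len(args)} characters; the pre-patch dialog showed "
                        f"only the first {VISIBLE_LIMIT}, hiding: {hidden.strip()[:80]!r}")
    leading_ws = len(args) - len(args.lstrip())
    if leading_ws >= 64:   # assumed heuristic: a padding run that pushes the real command out of view
        findings.append(f"arguments start with {leading_ws} whitespace characters")
    return findings


def scan_file(path: str) -> list:
    """Parse one .lnk file from disk and return its findings."""
    with open(path, "rb") as fh:
        return assess(parse_lnk(fh.read()))


def build_lnk(arguments: str, relative_path: str = r"..\Windows\System32\cmd.exe") -> bytes:
    """Build a minimal Unicode .lnk (constructed fixture, no IDList/LinkInfo) for testing."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def sd(s):  # StringData: u16 CountCharacters + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(r"C:\Windows\System32") + sd(arguments)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: demonstrate on a constructed padded shortcut
        sample = build_lnk(" " * 300 + "/c echo hidden")
        print(assess(parse_lnk(sample)))
    for p in paths:
        print(p, scan_file(p))
```

Run it with one or more .lnk paths to triage shortcuts arriving by email or download; with no arguments it scans a constructed 314-character sample and reports the part a pre-patch Properties dialog would have cut off. The parser reads only the header and the StringData sections it needs, skipping the optional LinkTargetIDList and LinkInfo blocks by their declared sizes, so it works on shortcuts regardless of which optional structures they carry.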
The vulnerability demonstrates the ongoing challenge of UI-based security issues, where sophisticated attackers weaponize users’ trust in the operating system’s user interface.
Security researchers recommend that organizations implement additional endpoint detection capabilities and security awareness training to recognize suspicious shortcut files, particularly those received via email or downloaded from untrusted sources.
