Unpatched Windows Shortcut Vulnerability Let Attackers Execute Remote Code
Security researcher Nafiez has publicly disclosed a previously unknown vulnerability affecting Windows LNK files (shortcuts) that can potentially allow attackers to execute code remotely without user interaction. Although a working proof-of-concept (PoC) has been released, Microsoft has declined to patch the flaw, stating that it “does not meet their security bar for servicing”. What the published PoC demonstrates directly is a silent outbound connection to an attacker-controlled UNC path, which is enough to leak the victim's NTLM credentials.
The discovered flaw involves a sophisticated attack vector that leverages specific elements within Windows shortcut files’ structure. By crafting malicious LNK files with manipulated EnvironmentVariableDataBlock and UNC paths, attackers can trigger silent network connections when a user simply opens a folder containing the malicious shortcut.
“When user access[es] a folder that has the LNK file, the Explorer will parse any files stored in the folder… this is where the initialization of the file gets ready [to be] called/executed,” Nafiez explained in the technical analysis.
This vulnerability is particularly concerning because it doesn’t require the user to actually click on the shortcut; merely browsing a directory containing the malicious LNK file is sufficient to initiate the attack.
PoC Details Released
The exploit works by manipulating several key elements within the LNK file structure:
- Setting the HasArguments flag and EnvironmentVariableDataBlock to control execution flow
- Embedding a UNC path (e.g., \\192.168.44.128\c) as the target of the EnvironmentVariableDataBlock
- Setting specific BlockSize and signature values to control LNK file behavior
Windows Explorer processes these specially crafted files through a chain of COM interfaces, including IInitializeNetworkFolder and IShellFolder2, which handle network resources. This processing begins automatically when a folder is accessed, so the outbound connection to the UNC path happens silently, before the user has opened or clicked anything.
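The fields listed above (LinkFlags, the EnvironmentVariableDataBlock with its fixed BlockSize and signature, and the UNC target) are all laid out in Microsoft's public MS-SHLLINK specification, which makes them easy to check from the defender's side. The scanner below is an added example written for this page, not code from Nafiez's PoC: it parses a shortcut far enough to read the LinkFlags and walk the ExtraData blocks, then flags any file whose EnvironmentVariableDataBlock points at a UNC path. The sample shortcut it builds is constructed in-line (the address reuses the article's example, with the backslashes assumed), so the script runs offline; point scan_path at a real directory to use it on disk.

```python
"""Flag Windows .LNK files whose EnvironmentVariableDataBlock targets a UNC path.

Layout per MS-SHLLINK: ShellLinkHeader (76 bytes), optional LinkTargetIDList and
LinkInfo, StringData entries selected by LinkFlags, then ExtraData blocks
terminated by a block whose BlockSize is below 4.
"""
import os
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

ENV_VAR_BLOCK_SIGNATURE = 0xA0000001
ENV_VAR_BLOCK_SIZE = 0x314  # 8-byte block header + 260-byte TargetAnsi + 520-byte TargetUnicode


def build_lnk(env_target: str, arguments: str = "") -> bytes:
    """Build a minimal shortcut (constructed sample data, not a shortcut taken from disk).

    The EnvironmentVariableDataBlock carries env_target; HasArguments is set whenever
    arguments is non-empty, mirroring the two fields the article names.
    """
    flags = IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII",
                         HEADER_SIZE, LINK_CLSID, flags, 0,   # size, CLSID, LinkFlags, FileAttributes
                         0, 0, 0,                             # creation/access/write FILETIMEs
                         0, 0, 1,                             # FileSize, IconIndex, ShowCommand
                         0, 0, 0, 0)                          # HotKey, Reserved1..3
    body = b""
    if arguments:  # COMMAND_LINE_ARGUMENTS: CountCharacters + UTF-16LE chars, no terminator
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    ansi = env_target.encode("ascii", "replace")[:259].ljust(260, b"\0")
    unicode = env_target.encode("utf-16-le")[:518].ljust(520, b"\0")
    env_block = struct.pack("<II", ENV_VAR_BLOCK_SIZE, ENV_VAR_BLOCK_SIGNATURE) + ansi + unicode
    return header + body + env_block + struct.pack("<I", 0)  # TerminalBlock


def _skip_string(data: bytes, off: int, is_unicode: bool) -> int:
    """Return the offset just past one StringData entry that starts at off."""
    count = struct.unpack_from("<H", data, off)[0]
    return off + 2 + count * (2 if is_unicode else 1)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags of interest, the env-block target (if any) and a UNC verdict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    is_unicode = bool(flags & IS_UNICODE)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & bit:
            off = _skip_string(data, off, is_unicode)
    result = {"has_arguments": bool(flags & HAS_ARGUMENTS), "env_target": None, "blocks": []}
    while off + 8 <= len(data):                   # walk ExtraData until the TerminalBlock
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        result["blocks"].append(sig)
        if sig == ENV_VAR_BLOCK_SIGNATURE and size == ENV_VAR_BLOCK_SIZE and off + size <= len(data):
            uni = data[off + 268:off + size].decode("utf-16-le", "ignore").split("\0", 1)[0]
            ansi = data[off + 8:off + 268].split(b"\0", 1)[0].decode("latin-1")
            result["env_target"] = uni or ansi    # TargetUnicode takes precedence when present
        off += size
    target = result["env_target"]
    result["unc_target"] = target is not None and target.startswith("\\\\")
    return result


def scan_path(directory: str) -> list:
    """Return the .lnk files under directory whose env block points at a UNC path."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        if parse_lnk(fh.read())["unc_target"]:
                            hits.append(path)
                except (ValueError, struct.error, OSError):
                    continue                      # truncated or non-LNK file; skip it
    return hits


if __name__ == "__main__":
    sample = build_lnk("\\\\192.168.44.128\\c", arguments="-x")
    print(parse_lnk(sample))
```

The verdict keys on the target string, not on the filename or extension, so a shortcut renamed to hide the block still trips it; a truncated or oversized BlockSize simply fails the size check and is ignored rather than crashing the walk.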
Microsoft has justified their decision not to patch this vulnerability by arguing that their Mark of the Web (MOTW) security feature provides adequate protection.
MOTW is a zone tag (stored in a Zone.Identifier alternate data stream) that Windows attaches to files downloaded from the internet, so that Explorer and other components show a security warning before executing them.
This response echoes Microsoft’s approach to previous LNK vulnerabilities. According to their security servicing criteria, Microsoft addresses vulnerabilities only if they “violate the goal or intent of a security boundary or security feature” and meet their severity threshold for servicing.
“Once you compile the code, run the executable to generate LNK file and make sure to run the Responder tool to capture NTLM Hash,” researcher Nafiez said.
Security experts express concern that relying solely on MOTW may be insufficient, as there are known bypass techniques. Researchers at Elastic Security Labs recently uncovered a technique called “LNK stomping” that has been used by threat actors for at least six years to bypass MOTW controls.
This is not the first time LNK files have been exploited. Microsoft has previously addressed critical vulnerabilities in LNK files, including a remote code execution flaw in 2017 and another in 2010 that was actively exploited.
LNK files have become an increasingly popular attack vector for threat actors. As security researchers from Intezer note, “LNK files (aka Windows shortcuts) may seem simple, but threat actors can use them to execute other binaries and inflict great harm”.
The publicly available proof-of-concept code heightens concerns that this vulnerability could soon be weaponized by threat actors in real-world attacks.