Full Report
Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. [...]
Analysis Summary
# Vulnerability: Windows LNK File Target Field Overflow/Truncation Leading to Hidden Commands
## CVE Details
- CVE ID: CVE-2025-9491
- CVSS Score: High (Specific score not provided, but context implies high severity due to active exploitation)
- CWE: CWE-74 (Improper Neutralization of Special Elements used in an Operation Command ('Command Injection') - implied by the execution of hidden commands)
## Affected Systems
- Products: Microsoft Windows
- Versions: Not explicitly listed; the scope of exploitation implies that supported Windows versions are broadly affected.
- Configurations: Applicable to systems where users open crafted LNK files.
## Vulnerability Description
The vulnerability resides in how Windows handles `.LNK` (Windows Shell Link) files. Attackers exploit it by padding the `Target` field of the LNK file with large amounts of whitespace. Because of a display limitation, the file Properties dialog shows only the first 260 characters of the `Target` field. This truncation lets threat actors hide malicious command-line arguments after the padding: the arguments execute when the LNK file is double-clicked, while the user sees only a short, innocuous target path.
## Exploitation
- Status: Exploited in the wild (used by multiple state-sponsored groups and cybercrime gangs).
- Complexity: Medium (Requires crafting a malicious LNK file and tricking a user into opening it, often via archives).
- Attack Vector: Local (Requires user interaction to launch the file).
## Impact
- Confidentiality: High (Implied, as malware/RATs like PlugX, Ursnif, Trickbot are deployed).
- Integrity: High (Implied, as malware execution can alter system state).
- Availability: Medium to High (Depends on the deployed payload).
## Remediation
### Patches
- **Official Microsoft Mitigation:** Microsoft silently changed the behavior in its November updates.
- **Effect:** Users now see all characters in the Target field when checking the LNK file Properties, rather than just the first 260 characters.
- **Limitation:** This is described as a mitigation, not a full fix. Malicious arguments are not deleted, and users still receive no warning when opening LNK files with Target strings exceeding the previous display limit.
- **Unofficial Patch (0patch):** ACROS Security has released a micropatch.
- **Function:** Limits all shortcut target strings to 260 characters and warns users about unusually long target strings, which disrupts the attacks observed in the wild.
- **Availability:** Available for 0patch PRO/Enterprise users across supported Windows versions (Windows 7 through Windows 11 22H2, Server 2008 R2 through Server 2022).
### Workarounds
- No traditional workarounds (such as registry edits or disabling components) were described; Microsoft's change is limited to the display behavior. The primary mitigation is user education about opening LNK files, especially ones received from untrusted sources.
## Detection
- **Indicators of Compromise:** Successful exploitation results in the deployment of various payloads, including Ursnif, Gh0st RAT, and Trickbot, or specific implants like PlugX RAT.
- **Detection Methods and Tools:** Monitor for unexpected process execution originating from LNK file interactions. Security products should inspect LNK files for target strings that exceed the 260-character display limit or contain long whitespace runs, since the malicious arguments sit after the padding; after the update the full Target string is at least visible to users who check the file's Properties.
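As an added example (not code from the report, Trend Micro, Microsoft or 0patch), the following Python parses the StringData section of a Shell Link file and flags the pattern described under Vulnerability Description and Detection: a Target string longer than the 260 characters the pre-mitigation Properties dialog displayed, or a long whitespace run inside the command-line arguments. The minimal fixture builder, the padding character set and the 32-character run threshold are assumptions, and the fixture's hidden tail is a harmless `echo`.

```python
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK link CLSID, on-disk byte order
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80       # LinkFlags bits used here
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))   # StringData order in the file
DISPLAY_LIMIT = 260              # characters the pre-mitigation Properties dialog showed
PAD_CHARS = " \t\r\n\x0b\x0c"    # assumed padding set: space, HT, LF, VT, FF, CR

def parse_string_data(data):
    """Return the StringData fields of a Shell Link as a dict (offsets per MS-SHLLINK)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags, off = struct.unpack_from("<I", data, 20)[0], 76
    if flags & HAS_ID_LIST:      # LinkTargetIDList: u16 size followed by that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: u32 size that includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode, fields = bool(flags & IS_UNICODE), {}
    for bit, name in STRING_FIELDS:  # each present string: u16 char count, chars, no terminator
        if flags & bit:
            nbytes = struct.unpack_from("<H", data, off)[0] * (2 if unicode else 1)
            fields[name] = data[off + 2:off + 2 + nbytes].decode("utf-16-le" if unicode else "cp1252")
            off += 2 + nbytes
    return fields

def longest_ws_run(s):
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch in PAD_CHARS else 0
        best = max(best, cur)
    return best

def assess(data, pad_threshold=32):
    """Flag a .lnk whose Target text exceeds the old 260-char display or whose arguments carry a padding run."""
    f = parse_string_data(data)
    args = f.get("arguments", "")
    target = (f.get("relative_path", "") + " " + args).strip()  # approximates the dialog's Target text
    run = longest_ws_run(args)
    return {"target_len": len(target), "longest_ws_run": run,
            "suspicious": len(target) > DISPLAY_LIMIT or run >= pad_threshold,
            "hidden_tail": target[DISPLAY_LIMIT:].strip()}  # what a truncated dialog would not show

def build_lnk(relative_path, arguments):
    """Constructed minimal .lnk (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS), a test fixture only."""
    hdr = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x08 | 0x20 | IS_UNICODE) + bytes(52)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + sd(relative_path) + sd(arguments)

BENIGN = build_lnk(r"..\Windows\System32\notepad.exe", r"C:\notes.txt")
PADDED = build_lnk(r"..\Windows\System32\cmd.exe", " " * 300 + "/c echo PADDED-TAIL-TEST")
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block before the StringData; the parser skips both by their size fields, so it works on files produced by Explorer as well as on the fixtures.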
## References
- [Trend Micro Report on Exploitation](http://documents.trendmicro.com/assets/txt/Figure-1-Data---ZDI-CAN-25373-blogcU9ZZ2p.txt)
- [MSRC Advisory for context on Microsoft's stance regarding user interaction](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41049) (Note: CVE-2025-9491 is the focus, CVE-2022-41049 mentioned in relation to Microsoft's previous advisory on the topic.)
- [ACROS Security/0patch Mitigation Details](https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html)
- [0patch Unofficial CVE-2025-9491 Patch Link](https://0patch.com/patches.html)