Severity
High
Analysis Summary
Microsoft has quietly patched a long-standing Windows shortcut vulnerability, CVE-2025-9491, which has been actively exploited by threat actors since 2017. The flaw allowed attackers to craft malicious .lnk files that hid commands in the Target field by limiting visible characters in the Properties dialog to 260, effectively concealing malicious PowerShell commands. Although Microsoft addressed the issue in the November 2025 Patch Tuesday updates, it was not listed among the 63 officially patched vulnerabilities, leaving it largely unnoticed by the broader security community.
The vulnerability was first highlighted publicly on March 18, 2025. Researchers identified nearly 1,000 malicious LNK files exploiting this flaw across multiple campaigns. Initially, Microsoft declined to patch the vulnerability after notifications in September 2024, claiming it did not meet their servicing threshold and emphasizing that existing security mechanisms, such as the Mark of the Web feature, provided sufficient user warnings for downloaded files.
Renewed concern arose in late October 2025 when a Researcher reported that the Chinese-affiliated threat actor UNC6384 was actively exploiting the vulnerability to target Hungarian and Belgian diplomatic entities. The attackers deployed PlugX malware using LNK files that leveraged the UI misrepresentation flaw to conceal malicious commands. Despite confirmed in-the-wild exploitation, Microsoft maintained that the issue was not a vulnerability, citing user interaction requirements and existing warning mechanisms. Nevertheless, the November 2025 update modified how Windows displays LNK file properties, ensuring that the entire Target command is visible, though still in a single-line field requiring scrolling.
In response, ACROS Security released an alternative micropatch that aggressively truncates Target fields exceeding 260 characters and alerts users to suspicious activity. This approach addresses the 1,000+ malicious shortcuts identified by Trend Micro while preserving normal functionality for legitimate shortcuts. The incident underscores the persistent challenge of UI-based security flaws, where attackers exploit users’ trust in interface design. Security experts recommend organizations implement enhanced endpoint detection, security awareness training, and careful handling of shortcut files received via email or downloaded from untrusted sources.
Impact
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-9491
Affected Vendors
Remediation
- Apply Microsoft’s November 2025 security updates to ensure LNK file properties display the full Target field.
- Consider deploying ACROS Security’s micropatch to truncate Target fields over 260 characters and alert users to suspicious shortcuts.
- Implement endpoint detection and response (EDR) solutions to identify and block malicious shortcut files.
- Educate users on the risks of opening shortcuts received via email or downloaded from untrusted sources.
- Restrict execution of PowerShell scripts from untrusted directories or files to limit exploitation of hidden commands.
- Monitor and audit LNK files in shared and user directories for abnormal or oversized Target fields.
- Enforce network and file access controls to reduce exposure to externally sourced shortcuts.
- Regularly update and patch Windows systems to minimize risk from similar UI-based vulnerabilities.
- Maintain awareness of threat actor activity, such as UNC6384 campaigns, and apply threat intelligence to block known attack vectors.