Security Microsoft Privacy

Microsoft 'Mitigates' Windows LNK Flaw Exploited As Zero-Day (bleepingcomputer.com)

joshuark shares a report from BleepingComputer: Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Thus some element of social engineering, and a technically naive and gullible user (such as one who thinks Windows is secure), is required. [...]

As Trend Micro threat analysts discovered in March 2025, CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others. Microsoft told BleepingComputer in March that it would "consider addressing" this zero-day flaw, even though it didn't "meet the bar for immediate servicing." As ACROS Security CEO and 0patch co-founder Mitja Kolsek found, Microsoft has silently changed LNK files in the November updates in an apparent effort to mitigate the CVE-2025-9491 flaw. After installing last month's updates, users can now see all characters in the Target field when opening the Properties of LNK files, not just the first 260. As the movie The Ninth Gate stated: "silentium est aurum."

  • Should be immediately disclosed. Yes, it gives hackers an opportunity to learn about them, but it gives IT Sec admins the ability to mitigate them. As Tommy Lee Jones once said in the movie Volcano "I can only fight what I can see."
    • They were disclosed; even Microsoft disclosed it a month ago. Though really this one isn't really a vulnerability; more, if the user is dumb enough to ignore the OS security warnings and run an untrusted .lnk file anyway, they could be in the shit, just like running random executables.
  • by Anonymous Coward
    I have pop-up videos on my main /. page! Whose fucking idea was this?
    • me too.
      the clock is ticking down on this site.
      the whole internet actually, but this is one of the last few sites I still visit.
      I'll miss you bunch of bad tempered opinionated jackasses.
      but not very much
    • I don't, but I'm also not running Chrome. Firefox (and siblings) still allows the full uBlock Origin experience that makes all this crap go away by default.

      Discover the Zen browser.

      • by _merlin ( 160982 )

        I saw them a couple of times in Firefox, but it seems uBlock Origin has had its definitions updated.

    • Looks like Privacy Badger is at least preventing it from playing.

  • sigh Users (Score:5, Informative)

    by awwshit ( 6214476 ) on Thursday December 04, 2025 @03:00PM (#65835951)

    https://msrc.microsoft.com/upd... [microsoft.com]

    > Files that are typed .lnk are not deliverable over a browser and must be packaged into a .zip file first, then unzipped by the victim.

    > Windows identifies shortcut files (.lnk) as a potentially dangerous file type. Attempting to open a .lnk file downloaded from the Internet automatically triggers a security warning advising users not to open files from unknown sources, and we strongly recommend heeding this warning.

    > Double-clicking on a .lnk file produces a warning stating that the file format is not trusted; a victim must click through this prompt.

    Why are we so easily socially engineered to do these things?

    • I get most of those warnings opening Excel files from a corporate virtual machine that delivers our reporting. I doubt I'm the only person that has to do this.

      The warnings are so omnipresent I imagine it's super easy to social engineer around them. Probably just tell people there's celebrity boobies to be seen or something.

      • Then your corporate IT are incompetent; they should be setting up trusted locations internally so users are not getting warnings for standard reports.
    • by Anonymous Coward

      > Why are we so easily socially engineered to do these things?

      Apparently you don't understand how many stupid people there are in the world. Really, really, seriously stupid.

    • Re:sigh Users (Score:4, Insightful)

      by MachineShedFred ( 621896 ) on Thursday December 04, 2025 @06:46PM (#65836413) Journal

      Chicken Little effect.

      In the standard operation of Windows, you are presented with so many stupid permissions dialogs for shit that isn't a problem, that you reflexively approve on things that could be problems.

      When everything tells you the sky is falling, you don't pay attention when the sky actually falls.

    • The usual scam/con tactics to keep the victim out of slow-thinking mode: a sense of urgency, and a sense that they already know what it is. Users bypassing or ignoring warnings isn't surprising, since many see similar warnings all the time and safely ignore them. Also, a non-tech person often doesn't understand the implications of a particular warning.
  • by Hentes ( 2461350 ) on Thursday December 04, 2025 @06:05PM (#65836341)

    The attack is essentially tricking the user into clicking on a .lnk file that opens PowerShell with the malicious code passed as a parameter. The parameter was invisible when the user opened the properties of the .lnk. Not sure how this could be fixed without breaking functionality. They fixed the bug that allowed hiding the parameter, but most people never check what a .lnk points to before clicking on it anyway, so I don't think that helps much.
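The mechanism described in the story summary and in the comment above (a .lnk whose Arguments string is long enough that the old 260-character Target field in the Properties dialog never showed the real command) is something a defender can check for on disk. The following is an added example, not the commenter's, BleepingComputer's or Microsoft's code: it builds a constructed .lnk using the public MS-SHLLINK header and StringData layout, parses the strings back out, and flags argument strings that would have been truncated or that begin with heavy whitespace padding. The 32-space padding threshold and the two sample shortcuts are assumptions made for the example.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80          # LinkFlags bits
STRING_DATA = [("Name", 0x04), ("RelativePath", 0x08), ("WorkingDir", 0x10),
               ("Arguments", 0x20), ("IconLocation", 0x40)]      # StringData order
VISIBLE_CHARS = 260  # what the pre-fix Properties dialog showed of the Target field

def build_lnk(rel_path, arguments):
    """Construct a minimal Unicode .lnk with RelativePath + Arguments (test data only)."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (rel_path, arguments))
    return header + body

def parse_string_data(data):
    """Return the StringData section of a .lnk as a dict, skipping IDList and LinkInfo."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_IDLIST:    # IDListSize (2 bytes) followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for name, bit in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + width * count]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + len(raw)
    return out

def assess_lnk(data):
    """Flag argument strings that a 260-character Target field would have truncated."""
    args = parse_string_data(data).get("Arguments", "")
    padding = len(args) - len(args.lstrip())
    findings = []
    if len(args) > VISIBLE_CHARS:
        findings.append(f"arguments are {len(args)} chars; tail hidden past {VISIBLE_CHARS}")
    if padding >= 32:  # assumed threshold: normal shortcuts have no such padding
        findings.append(f"{padding} leading whitespace chars before the real arguments")
    return findings
# Constructed samples: a plain shortcut, and one padded so its arguments sit past column 260.
BENIGN = build_lnk(r"..\notepad.exe", "readme.txt")
PADDED = build_lnk("powershell.exe", " " * 300 + "-c Write-Host hello")
```

Point `assess_lnk` at the bytes of real shortcuts from download folders or mail attachments to get the same two findings; the parser only reads the header and StringData, so ExtraData blocks after the strings are ignored.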
