Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation
Briefly

"'The specific flaw exists within the handling of .LNK files,' according to a description in the NIST National Vulnerability Database (NVD). 'Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user.'"
"To trigger their execution, attackers could disguise the files as harmless documents. Details of the shortcoming first emerged in March 2025, when Trend Micro's Zero Day Initiative (ZDI) disclosed that the issue had been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns, some of which date back to 2017."
CVE-2025-9491 is a Windows Shortcut (.LNK) UI misinterpretation vulnerability with a CVSS score of 7.8/7.0 that can result in remote code execution. Crafted .LNK files can hide hazardous content from users by manipulating displayed properties and using whitespace characters to conceal malicious commands while appearing as harmless documents. Trend Micro's Zero Day Initiative reported exploitation by 11 state-sponsored groups from China, Iran, North Korea, and Russia, with some activity traced back to 2017. Microsoft applied a silent fix in the November 2025 Patch Tuesday updates and notes that LNK files are blocked across several Office products.
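A triage check for the whitespace-padding technique described above, as an added example that is not from the original article, Microsoft, or ZDI: it reads the command-line arguments field of a .LNK file (layout per the MS-SHLLINK format) and returns any text sitting behind a long run of whitespace. The function names, the 32-character threshold, the cp1252 fallback and the sample shortcut are assumptions constructed for illustration.

```python
import re
import struct

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class id
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
# StringData fields in on-disk order, each with the LinkFlags bit marking it present
FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
          (0x20, "arguments"), (0x40, "icon_location")]
PAD_RUN = 32  # assumed threshold; tune against your own benign shortcuts

def parse_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file as {name: text}."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed-size header
    out = {}
    try:
        if flags & HAS_ID_LIST:    # 2-byte size, then the ID list itself
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:  # 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        # Non-Unicode strings use the system code page; cp1252 is assumed here
        width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        for bit, name in FIELDS:
            if flags & bit:
                count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
                end = pos + 2 + count * width
                if end > len(data):
                    raise ValueError("truncated string data")
                out[name] = data[pos + 2:end].decode(codec, errors="replace")
                pos = end
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc
    return out

def hidden_tail(data: bytes):
    """Return text that follows a long whitespace run in the arguments, else None."""
    args = parse_strings(data).get("arguments", "")
    match = re.search(r"\s{%d,}" % PAD_RUN, args)  # greedy: consumes the whole run
    tail = args[match.end():] if match else ""
    return tail or None

def build_sample(args: str) -> bytes:
    """Constructed test input: minimal Unicode link carrying only an arguments field."""
    header = struct.pack("<I16sI", 0x4C, CLSID, 0x20 | IS_UNICODE).ljust(76, b"\0")
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    print(hidden_tail(build_sample(" " * 300 + "--constructed-hidden-arg")))
```

A non-None result means the shortcut's full arguments should be reviewed from the parsed field rather than from the Windows properties dialog.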
Read at The Hacker News