Current Cyber Threats

Microsoft Mitigates Windows LNK Flaw Exploited as Zero-Day

Summary:
Microsoft has mitigated a high-severity Windows LNK vulnerability, CVE-2025-9491, which has been widely exploited as a zero-day by multiple state-sponsored groups (including Mustang Panda) and malware-as-a-service (MaaS) platforms, according to research from Trend Micro. The flaw lets attackers hide malicious commands inside LNK shortcut files, which are typically distributed in ZIP archives. The core of the exploit is padding the Target field of the .LNK file with whitespace so that the malicious command-line arguments fall beyond the 260 characters the file's Properties dialog displays, leaving the visible target looking benign. A user who is tricked into double-clicking the shortcut executes the hidden command, which in observed campaigns deployed malware such as Trickbot, Ursnif, or the PlugX RAT.

Microsoft initially dismissed the flaw as not meeting the bar for immediate servicing, arguing that it was not a vulnerability because exploitation requires user interaction and Windows already warns that the format is untrusted (warnings that threat actors could still bypass). However, the November updates included a quiet change that lets users see all characters in the LNK file's Target field, which defeats the obfuscation technique. ACROS Security CEO Mitja Kolsek asserts that this is not an adequate fix: the malicious arguments are not removed, and the user receives no warning when opening a shortcut with an unusually large target string. In response, ACROS Security released an unofficial micropatch via its 0patch platform that limits target string length and issues a warning, offering a more robust defense, especially for users on older or unsupported Windows versions.
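A defender-side check for the padding trick described above, written for this note and not taken from Trend Micro, Microsoft or 0patch: it parses the .LNK StringData, extracts the command-line arguments, and flags whitespace runs that push the real command past the 260 characters the Properties dialog shows. The 200-character padding threshold and the cp1252 fallback for non-Unicode shortcuts are assumptions, and the sample shortcut is a constructed fixture with no target, so it parses like a shortcut but is not a working one.

```python
"""Flag .LNK files whose arguments are whitespace-padded so the real command
sits past the ~260 characters shown in the shortcut's Properties dialog."""
import re
import struct
from typing import Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
HAS_ARGUMENTS, IS_UNICODE = 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # StringData order per MS-SHLLINK 2.4
DISPLAY_LIMIT = 260   # characters the Target field shows (approximation)
PAD_THRESHOLD = 200   # assumed: a whitespace run this long has no legitimate use


def extract_arguments(data: bytes) -> Optional[str]:
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK, or None if absent."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                          # end of ShellLinkHeader
    if flags & 0x01:                                  # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                  # HasLinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_FLAGS:                         # walk StringData in file order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2: pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:                     # cp1252 for ANSI is an assumption
            return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return None


def padding_report(data: bytes) -> dict:
    """Measure whitespace padding in the arguments and give a verdict."""
    args = extract_arguments(data) or ""
    longest_run = max(map(len, re.findall(r"\s+", args)), default=0)
    return {
        "arg_length": len(args),
        "longest_whitespace_run": longest_run,
        "hidden_command": args[DISPLAY_LIMIT:].strip(),  # what the dialog hides
        "suspicious": longest_run >= PAD_THRESHOLD or len(args) > DISPLAY_LIMIT,
    }


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed fixture: bare header plus an arguments string, no target."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(76 - len(header))                 # remaining header fields zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `padding_report(open(path, "rb").read())` over a mailbox or file-share export of .lnk attachments to triage them; a legitimate shortcut never needs hundreds of spaces in its arguments.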

Security Officer Comments:
Microsoft's mitigation of an actively exploited zero-day this December, despite initially declining to categorize it as a significant vulnerability, is a notable indicator of the risk this flaw poses. While Microsoft's change disrupts the current exploit, the third-party micropatch is a viable option for mitigating this specific risk where needed. This vulnerability reinforces the need for organizations to set strong internal controls against LNK files, especially in critical environments.

Suggested Corrections:
Recommendations from 0patch:
Our patch would break the 1000+ malicious shortcuts identified by Trend Micro for all targeted users, while Microsoft's patch would only allow the most cautious among these users - who would probably not launch such shortcuts anyway - to see the entire malicious command string. Even though malicious shortcuts could be constructed with fewer than 260 characters, we believe disrupting actual attacks detected in the wild can make a big difference for those targeted.

Micropatches were written for the following security-adopted Windows versions:
  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H2 - fully updated
  5. Windows 10 v21H1 - fully updated
  6. Windows 10 v20H2 - fully updated
  7. Windows 10 v2004 - fully updated
  8. Windows 10 v1909 - fully updated
  9. Windows 10 v1809 - fully updated
  10. Windows 10 v1803 - fully updated
  11. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  12. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  13. Windows Server 2012 - fully updated with no ESU or ESU 1
  14. Windows Server 2012 R2 - fully updated with no ESU or ESU 1
In addition, patches were written for the following still-supported fully updated Windows Server versions, which for some reason did not receive a patch from Microsoft (note that Server 2025 did get the patch for some reason):
  1. Windows Server 2016
  2. Windows Server 2019
  3. Windows Server 2022
Link(s):
https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/

https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html