- Microsoft quietly fixed a security vulnerability exploited since 2017 in November 2025 updates.
- The issue, CVE-2025-9491, involves a Windows Shortcut (LNK) file flaw enabling remote code execution.
- The flaw let attackers hide malicious commands in LNK files because the properties view truncated long strings.
- Several state-sponsored groups used this flaw for espionage and malware delivery campaigns.
- Microsoft now displays the full command in LNK file properties to prevent this exploit.
Microsoft addressed a long-exploited security vulnerability as part of its November 2025 Patch Tuesday updates. The flaw, identified as CVE-2025-9491, affected Windows Shortcut (LNK) files and has been exploited by threat actors since 2017.
This vulnerability allowed attackers to craft .LNK files that misled users by hiding malicious commands in the file’s properties interface. According to the NIST National Vulnerability Database (NVD), a carefully designed LNK file could execute code with the current user’s privileges while appearing benign due to concealed harmful content.
The flaw revolves around the LNK file's Target field: it accepts strings of up to roughly 32,000 characters, but the Windows properties dialog displayed only the first 260. Anything placed beyond that cut-off stayed invisible to a user inspecting the file, so a shortcut disguised as a harmless document could carry an unseen command while its visible Target looked benign.
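To make the concealment concrete, the following Python script is an added example written for this article; it is not Microsoft's, ZDI's or 0patch's code. It implements a minimal parser for the MS-SHLLINK format (header, optional IDList/LinkInfo, then the StringData fields), pulls out the command-line arguments, and flags a shortcut whose arguments carry non-whitespace content past the 260-character prefix the dialog showed. The sample shortcuts are constructed inline; the whitespace padding and the `stage2.exe` placeholder are assumptions for illustration, not artifacts from any real campaign, and the ANSI code page used for non-Unicode shortcuts is assumed to be cp1252.

```python
"""Flag .LNK files whose command-line arguments extend past the prefix the
pre-fix Windows Properties dialog displayed (CVE-2025-9491-style concealment).

Added example for this article; not Microsoft, ZDI or 0patch code.
The 260-character visible limit is the one the article cites."""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk little-endian order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_DATA_ORDER = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

VISIBLE_CHARS = 260  # characters of the Target field the old dialog showed


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a .LNK blob."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE):
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:            # IDListSize (u16) followed by the ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:          # LinkInfoSize (u32) counts the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    encoding = "utf-16-le" if flags & IS_UNICODE else "cp1252"  # assumed ANSI code page
    fields = {"flags": flags}
    for name, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        fields[name] = data[off:off + count * width].decode(encoding)
        off += count * width
    return fields


def visible_prefix(arguments: str, visible: int = VISIBLE_CHARS) -> str:
    """What a user inspecting the old Properties dialog would have seen."""
    return arguments[:visible]


def hidden_tail(arguments: str, visible: int = VISIBLE_CHARS) -> str:
    """Argument text beyond the cut-off, i.e. what the user never saw."""
    return arguments[visible:]


def assess(data: bytes) -> dict:
    """Suspicious when the hidden tail holds anything but whitespace padding."""
    args = parse_lnk(data).get("arguments", "")
    payload = hidden_tail(args).strip()
    return {
        "arguments_len": len(args),
        "exceeds_visible": len(args) > VISIBLE_CHARS,  # the 0patch-style length check
        "hidden_payload": payload,
        "suspicious": bool(payload),
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .LNK (header + StringData only) as a test fixture."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (
        struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
        + struct.pack("<I", 0)           # FileAttributes
        + b"\x00" * 24                   # Creation/Access/Write FILETIMEs
        + struct.pack("<III", 0, 0, 1)   # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL
        + b"\x00" * 12                   # HotKey, Reserved1..3
    )
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples. PADDED opens a decoy document, then 300 spaces push a
# placeholder second command past the visible prefix (assumed technique).
BENIGN = build_lnk("..\\notes.docx", "")
PADDED = build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    "/c start notes.docx" + " " * 300 + "&& C:\\Users\\Public\\stage2.exe",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, assess(blob))
```

Run against a directory of downloaded shortcuts, `exceeds_visible` reproduces the length heuristic the 0patch micropatch warns on, while `suspicious` is stricter: it ignores pure padding and only fires when real command text sits past the cut-off. A shortcut that legitimately needs more than 260 characters of arguments would trip the first check but not the second.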
Reports dating back to March 2025 revealed that 11 state-sponsored groups from China, Iran, North Korea, and Russia leveraged this vulnerability for data theft, espionage, and financial gain. Despite early warnings, Microsoft initially chose not to patch it immediately, citing existing user warnings on opening LNK files from unknown sources and user interaction requirements.
Following further abuse by a cyber espionage group named XDSpy and later campaigns delivering malware like PlugX targeting European diplomatic entities, the company issued official guidance on the vulnerability but maintained its position. However, the November 2025 update silently fixed the issue by changing the properties dialog to show the entire Target command line, regardless of length, thus preventing the attack vector.
A micropatch developed by ACROS Security's 0patch offered an interim alternative: it warns the user when a shortcut whose Target field exceeds 260 characters is opened. Both the micropatch and the official update address this longstanding risk the same way, by making commands hidden in LNK files visible before they run.
Microsoft’s security advisory and the technical details of the fix can be found on their security update guide. Further discussion on the vulnerability and its exploitation history was published by ACROS Security’s 0patch blog.
