Microsoft has silently plugged a security flaw that has been exploited by several threat actors since 2017 as part of the company’s November 2025 Patch Tuesday updates, according to ACROS Security’s 0patch.
The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misinterpretation vulnerability that could lead to remote code execution.
“The specific flaw exists within the handling of .LNK files,” according to a description in the NIST National Vulnerability Database (NVD). “Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user.”
In other words, these shortcut files are crafted such that viewing their properties in Windows conceals the malicious commands executed by them out of the user’s sight by using various “whitespace” characters. To trigger their execution, attackers could disguise the files as harmless documents.
Details of the shortcoming first emerged in March 2025, when Trend Micro’s Zero Day Initiative (ZDI) disclosed that the issue had been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns, some of which date back to 2017. The issue is also tracked as ZDI-CAN-25373.
At that time, Microsoft told The Hacker News that the flaw does not meet the bar for immediate servicing and that it will consider fixing it in a future release. It also pointed out that the LNK file format is blocked across Outlook, Word, Excel, PowerPoint, and OneNote, as a result of which any attempt to open such files will trigger a warning to users not to open files from unknown sources.
Subsequently, a report from HarfangLab found that the shortcoming was abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo as part of attacks targeting Eastern European governmental entities, the same month the flaw was publicly disclosed.
Then, in late October 2025, the issue reared up a third time after Arctic Wolf flagged an offensive campaign in which China-affiliated threat actors weaponized the flaw in attacks aimed at European diplomatic and government entities and delivered the PlugX malware.
This development prompted Microsoft to issue a formal guidance on CVE-2025-9491, reiterating its decision not to patch it and emphasizing that it does consider it a vulnerability “due to the user interaction involved and the fact that the system already warns users that this format is untrusted.”
0patch said the vulnerability is not just about hiding the malicious part of the command out of the Target field, but the fact that a LNK file “allows the Target arguments to be a very long string (tens of thousands of characters), but the Properties dialog only shows the first 260 characters, silently cutting off the rest.”
This also means that a bad actor can create an LNK file that can run a long command, which would cause only the first 260 characters of it to be displayed to the user who viewed its properties. The rest of the command string is simply truncated. According to Microsoft, the file’s structure theoretically allows for strings of up to 32k characters.
The silent patch released by Microsoft addresses the problem by showing in the Properties dialog the entire Target command with arguments, no matter its length. That said, this behavior hinges on the possibility that there can exist shortcut files with more than 260 characters in their Target field.
0patch’s micropatch for the same flaw takes a different route by displaying a warning when users attempt to open an LNK file with over 260 characters.
“Even though malicious shortcuts could be constructed with fewer than 260 characters, we believe disrupting actual attacks detected in the wild can make a big difference for those targeted,” it said.
The Hacker News has reached out to Microsoft for comment, and will update the piece if we hear back from the company.
