
Microsoft Fixes 8-Year Windows Security Flaw

The long-standing Microsoft flaw, tracked as CVE-2025-9491, allowed cybercriminals to hide malicious commands from users inspecting files through Windows’ standard interface, but the tech giant never officially announced the fix.

The update closed a flaw that had existed for eight years, meaning Windows users had unknowingly lived with a security hole that nation-states exploited daily. State-sponsored hacking groups from China, Iran, North Korea and Russia have weaponised this Windows shortcut vulnerability since 2017.

Trend Micro’s Zero Day Initiative discovered that 11 different government-backed teams actively exploited the security hole, turning what should have been harmless shortcut files into dangerous attack vectors.

The vulnerability impacted the way Windows displays LNK (shortcut) files, allowing attackers to create harmful shortcuts that seemed entirely safe when users examined their properties. Security researchers discovered nearly 1,000 malicious shortcut files that exploited this vulnerability across offensive campaigns spanning eight years.

Microsoft’s reaction to this vulnerability highlights a troubling trend in the company’s approach to security priorities. When researchers initially reported the flaw, Microsoft stated that it “does not meet the bar for immediate servicing” and intended to address it in a future update rather than through urgent patches.


The flaw was deceptively straightforward: Windows displayed only the initial part of harmful commands, concealing the dangerous segments that followed. Security firm 0patch clarified that while LNK files can include very lengthy Target arguments, the Properties dialog only reveals the first 260 characters, quietly obscuring everything else from users. Attackers could embed malicious PowerShell commands beyond that character limit, causing their shortcuts to seem legitimate during inspection.
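Because the Properties dialog truncates what it shows, a defender who wants to know what a shortcut really runs has to read the LNK file itself rather than trust the UI. The following Python script is an added example written for this article, not code from Microsoft, 0patch or Trend Micro: it parses the StringData section of the Shell Link binary format (header, LinkFlags, optional IDList and LinkInfo, then the length-prefixed strings), extracts the full COMMAND_LINE_ARGUMENTS string, and reports the portion that lies past the 260-character boundary the article describes. Checking the argument string alone is deliberately conservative: the dialog's Target field also carries the target path before the arguments, so anything beyond 260 characters of arguments is certainly hidden. The `build_sample_lnk` helper and its contents are constructed test fixtures (a minimal header plus StringData, no real target resolution) so the script runs offline.

```python
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is serialised on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Characters of the Target field that the Properties dialog shows (per the article)
VISIBLE_LIMIT = 260


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (uint16) precedes the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize (uint32) counts itself, so it is the whole block length
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    encoding = "utf-16-le" if unicode else "cp1252"
    width = 2 if unicode else 1
    fields = {}
    # StringData entries appear in this fixed order, each only if its flag is set
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return fields


def assess(fields: dict, limit: int = VISIBLE_LIMIT) -> dict:
    """Report how much of the argument string lies past what the dialog would display."""
    args = fields.get("arguments", "")
    return {
        "argument_length": len(args),
        "visible": args[:limit],
        "hidden_tail": args[limit:],          # what a user inspecting Properties never sees
        "suspicious": len(args) > limit,
    }


def build_sample_lnk(arguments: str, target: str = "..\\..\\Windows\\System32\\cmd.exe") -> bytes:
    """Constructed minimal .lnk (header + StringData only) used as a test fixture."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(0x4C - len(header))  # attributes, timestamps, size, icon, show, hotkey, reserved

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(target) + string_data(arguments)


if __name__ == "__main__":
    # Constructed sample: harmless flags padded well past the visible limit, then a tail
    sample = build_sample_lnk("-NoProfile " + "-Verbose " * 30 + "Write-Output constructed-tail")
    report = assess(parse_lnk(sample))
    print(f"arguments: {report['argument_length']} chars, suspicious={report['suspicious']}")
    print("hidden tail:", repr(report["hidden_tail"]))
```

On a real shortcut, read the file bytes and pass them to `parse_lnk`; a non-empty `hidden_tail` means the Properties dialog would not have shown the whole command, which is the condition worth alerting on in a mail gateway or endpoint triage script.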

Increasing evidence of widespread exploitation ultimately compelled Microsoft to act. The XDSpy cyber espionage group utilised the flaw to spread malware aimed at Eastern European government entities, while Chinese-affiliated threat actors weaponised it just last month to target European diplomatic offices with PlugX malware.

Just a month ago, attacks showcased this vulnerability’s alarming potential for espionage activities. The Chinese threat group UNC6384 executed a sophisticated campaign against European diplomatic entities throughout September and October, exploiting CVE-2025-9491 to deploy the infamous PlugX remote access trojan.
