Microsoft has quietly addressed a long-standing LNK file flaw exploited by threat actors to execute malicious code, prompting industry-wide mitigation efforts amid ongoing targeted attacks on diplomatic and aviation sectors.
Microsoft has quietly moved to close a long-exploited weakness in the way Windows handles shortcut (.LNK) files, a flaw tracked as CVE-2025-9491 that has been weaponised by state and criminal actors to execute code on targeted machines. According to the original report, attackers hide malicious command-line arguments inside the Target field of LNK files by padding with whitespace so the dangerous portion remains invisible in the Windows UI. [1][2][3]
Security researchers say the bug enables a straightforward, user‑driven remote code execution: when a victim opens or interacts with a crafted shortcut, the concealed arguments are processed and arbitrary commands run in the context of the current user. Industry data shows the vulnerability requires user interaction but has nevertheless been abused repeatedly in targeted campaigns. [3][5][7]
Multiple threat‑intelligence teams have observed wide-ranging exploitation. Trend Micro and other analysts attribute usage to at least a dozen groups, from financially motivated gangs to state‑linked APTs, delivering payloads such as Ursnif, Gh0st RAT, Trickbot and PlugX. Reports indicate campaigns have targeted diplomatic and aviation entities across several European countries, often via spear‑phishing and archive attachments themed around official workshops and meetings. [1][2][4][6]
Technical analysis pins the root cause on how Windows truncates or hides characters in the Target field (the 260‑character legacy limit and visual truncation), which attackers exploit by inserting whitespace padding to conceal malicious arguments. The technique is catalogued under common TTPs including defence evasion, user execution and persistence, and is associated with obfuscated command arguments and registry or startup persistence mechanisms. [1][4]
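As an added illustration of the padding pattern described above (not code from the article or any of its sources), the following Python parses the StringData section of a shortcut file per the MS-SHLLINK layout and flags argument strings that bury content behind a long whitespace run or push the combined target past the 260-character display limit. The sample shortcut is constructed inline; the 32-character run threshold and the cp1252 code page for non-Unicode strings are assumptions.

```python
import re
import struct

# LinkFlags bits and the ShellLink CLSID from the MS-SHLLINK specification.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relpath", 0x08), ("workdir", 0x10),
                 ("args", 0x20), ("icon", 0x40))          # StringData order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
WIN_PATH_MAX = 260   # the legacy display limit the padding trick abuses

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relpath, workdir, args, icon) of a .lnk."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = 0x4C
    if flags & HAS_ID_LIST:      # LinkTargetIDList: 2-byte IDListSize, then the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: its first DWORD is the whole structure size
        off += struct.unpack_from("<I", data, off)[0]
    # Assumption: non-Unicode strings are decoded as cp1252 (the real code page is system-defined).
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    for key, bit in STRING_FIELDS:
        if flags & bit:          # CountCharacters (2 bytes) + unterminated string
            n = struct.unpack_from("<H", data, off)[0]
            out[key] = data[off + 2: off + 2 + n * width].decode(codec)
            off += 2 + n * width
    return out

def padding_findings(fields: dict, min_run: int = 32) -> list:
    """Flag argument strings that hide content behind a long whitespace run
    or push the visible target past the 260-character display limit (threshold is an assumption)."""
    args = fields.get("args", "")
    findings = []
    if re.search(r"\s{%d,}\S" % min_run, args):
        findings.append("whitespace run of %d+ chars precedes hidden arguments" % min_run)
    if len(fields.get("relpath", "")) + 1 + len(args) > WIN_PATH_MAX:
        findings.append("target plus arguments exceed %d chars" % WIN_PATH_MAX)
    return findings

def build_lnk(relpath: str, args: str) -> bytes:
    """Constructed sample: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)  # rest zeroed
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relpath) + enc(args)

# Constructed sample: a benign echo hidden behind 300 spaces, mimicking the padding pattern.
SAMPLE = build_lnk(r"..\..\Windows\System32\cmd.exe", " " * 300 + "/c echo padded")

if __name__ == "__main__":
    print(padding_findings(parse_lnk(SAMPLE)))
```

Run against a real shortcut by passing its bytes to parse_lnk; the IDList and LinkInfo blocks are skipped by their own size fields, so only the string section is interpreted.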
Microsoft implemented a mitigation in its November security updates that alters how LNK targets are displayed, making the full Target field visible in the UI. According to coverage of the patch release, the change was rolled out quietly after months of public pressure; Microsoft initially described the issue as not meeting servicing criteria, then released fixes as part of the monthly update cycle. The vendor also recommends using Defender detections and Smart App Control where applicable. [2][6]
Third‑party mitigations and micro‑patches have appeared while vendor fixes were being prepared. For example, micropatching platforms and some security vendors released temporary measures that limit visible shortcut target lengths and warn users about suspicious shortcuts. Security teams are urged to combine such measures with user education, archive handling policies, and behavioural endpoint protections that can detect LNK‑borne malicious actions. [1][5]
Organisations should assume active exploitation and take a layered approach: apply available Microsoft updates, deploy detection rules for suspicious LNK activity, harden inbox and archive handling, enforce least privilege to reduce impact of user‑context execution, and consider micro‑patches or temporary mitigations where immediate vendor fixes are not yet fully deployed. Government and industry telemetry suggests targeted espionage and fraud campaigns continue, underlining the need for rapid operational response. [1][2][4][6]
📌 Reference Map:
- [1] (Secpod blog) – Paragraph 1, Paragraph 2, Paragraph 4, Paragraph 6, Paragraph 7
- [2] (TechRadar) – Paragraph 1, Paragraph 3, Paragraph 5, Paragraph 7
- [3] (NVD) – Paragraph 1, Paragraph 2
- [4] (PT Security / dbugs) – Paragraph 3, Paragraph 4, Paragraph 7
- [5] (Enginsight) – Paragraph 2, Paragraph 6
- [6] (LinkedIn post / researcher notes) – Paragraph 3, Paragraph 5, Paragraph 7
- [7] (GitHub advisory) – Paragraph 2
Source: Fuse Wire Services