Windows LNK Vulnerability CVE-2025-9491: Silent Fix, Active Exploitation, and How to Defend

CyberSecureFox 🦊

In mid‑2025, the security community learned that Microsoft had quietly changed how Windows handles LNK shortcut files, effectively cutting off one of the most actively abused attack vectors in the ecosystem: CVE-2025-9491. By that time, at least 11 threat groups — from North Korean state‑linked APTs to cybercrime gangs such as Evil Corp — had already been exploiting the issue in real‑world operations. The case is notable because Microsoft for a long period did not treat the behavior as a full‑fledged vulnerability.

What Is CVE-2025-9491 in Windows LNK Shortcuts?

A Windows LNK shortcut is a small file that stores the path to an executable (the Target) and optional command‑line arguments. The vulnerability CVE-2025-9491 is tied to how Windows displays the Target field in the shortcut’s properties.

In the graphical interface, Windows shows only the first 260 characters of the Target string. Any characters beyond that limit are not visible to the user in the Properties dialog.

Attackers turned this display limitation into a covert channel for hiding malicious arguments. They crafted LNK files where the visible portion of the Target contained spaces or a harmless‑looking command, while the dangerous arguments were placed beyond the 260‑character boundary. When a user inspected the shortcut, the path appeared legitimate. However, a double‑click executed the full command line, including the hidden arguments, resulting in the silent launch of malware payloads.

How Threat Actors Weaponized the Windows LNK Vulnerability

According to analysis by Trend Micro, by the time CVE‑2025‑9491 was identified, it had been leveraged by at least 11 distinct threat groups. These included North Korean APTs APT37 and APT43 (Kimsuky), as well as Mustang Panda, SideWinder, RedHotel, Konni, Bitter, and the financially motivated group Evil Corp. The broad adoption demonstrates that the weakness appealed to both state‑sponsored actors and profit‑driven criminals.

Campaigns using this LNK exploit delivered a range of payloads and loaders, including the Ursnif banking trojan, Gh0st RAT for remote access, Trickbot, and other tools commonly distributed under a malware‑as‑a‑service (MaaS) model. This significantly lowered the entry barrier: less sophisticated groups could rent tooling and infrastructure from operators instead of developing their own exploitation chains.

Mustang Panda’s 0‑day Use of CVE-2025-9491

Reports from Arctic Wolf and StrikeReady highlighted that the Chinese‑linked group Mustang Panda likely used the LNK issue as a 0‑day vulnerability — exploiting it before public disclosure or vendor mitigation. Their operations reportedly targeted European diplomats and government entities in Hungary, Belgium, and other EU states.

Through malicious LNK files, Mustang Panda deployed the PlugX remote access trojan (RAT), a tool frequently associated with long‑term espionage and persistent footholds inside victim networks. This illustrates how a simple UI quirk in Windows could be chained into sophisticated, strategically motivated intrusions.

Microsoft’s Response and the Silent Change in LNK Handling

Trend Micro researchers notified Microsoft about the active exploitation of CVE‑2025‑9491 in March 2025. Microsoft responded that it would “consider” a fix, indicating that the scenario did not at that time meet its criteria for an immediate security patch.

By November 2025, Microsoft further clarified its stance, arguing that the behavior should not be classified as a vulnerability in the strict sense, because it required user interaction and Windows ostensibly warned users about running potentially unsafe files downloaded from the internet.

In practice, researchers pointed out a critical weakness in this argument: many campaigns combined the LNK trick with other Windows flaws that allowed attackers to bypass the Mark of the Web (MotW) — the mechanism that tags files from untrusted origins. Once MotW was removed or bypassed, users saw no security prompts, and the malicious LNK files appeared to be ordinary local files.

After the June 2025 cumulative updates, researchers including Acros Security’s founder Mitja Kolsek observed that Microsoft had quietly changed LNK handling. Windows now shows the entire Target string in the shortcut properties, not just the first 260 characters. This change rolled out gradually and was not highlighted in a dedicated security bulletin.

However, this adjustment is not a complete fix. The hidden arguments are still present in the file and will still execute when the shortcut is launched. Windows also does not display a dedicated warning when a Target string is unusually long. The risk is mitigated — especially for users who actively inspect file properties — but not fully eliminated, particularly in well‑crafted social‑engineering scenarios.

0patch Micro‑Patch: Additional Mitigation for CVE‑2025‑9491

In response, Acros Security released an unofficial micro‑patch via the 0patch platform. Their mitigation strictly enforces a 260‑character limit on the Target field in LNK files and alerts users when a shortcut with an abnormally long Target is executed.

The micro‑patch is marketed as an interim solution pending a comprehensive vendor fix. It is available to 0patch customers on PRO and Enterprise plans and supports a broad range of systems: from Windows 7 through Windows 11 22H2 and server editions from Windows Server 2008 R2 through Windows Server 2022.

Risk Assessment and Best Practices to Defend Against LNK Attacks

The exploitation of CVE‑2025‑9491 underscores how seemingly cosmetic interface limitations can evolve into reliable attack vectors. The core of the technique is social engineering: users see a shortcut that looks like a document or legitimate application, trust the visible Target path, and unknowingly execute concealed malicious parameters.

Organizations and individual users can reduce exposure to Windows LNK attacks by adopting a layered defense strategy:

  • Apply all current Windows and Office security updates to reduce the number of exploitable bugs that can be chained with LNK abuse, including MotW bypasses.
  • Filter or block LNK files in email and messaging channels, especially within inbound mail gateways and secure email gateways (SEG).
  • Enforce Application Control (e.g., AppLocker, WDAC) to block execution of shortcuts and executables from Downloads, temporary folders, and untrusted network shares.
  • Deploy EDR solutions capable of detecting suspicious process trees (for example, Office documents or archive utilities spawning cmd.exe or powershell.exe via LNK files).
  • Strengthen user awareness training, emphasizing that shortcuts received via email, archives, or messaging platforms are high‑risk and should be treated like executables.
  • Harden endpoints by limiting the use of script interpreters (PowerShell, wscript, cscript) to administrative accounts and logging their activity for anomaly detection.
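As an added example (not code from the article or from any vendor named in it), the following Python triage script parses a shortcut's ShellLinkHeader and StringData per MS-SHLLINK and flags the pattern described above: a COMMAND_LINE_ARGUMENTS string longer than the 260-character Properties window, or one whose visible portion is only whitespace. The 260-character threshold, the cp1252 fallback for non-Unicode strings and the `build_sample_lnk` fixture are assumptions; the sample shortcut it builds is constructed for the test and is never launched.

```python
import struct

# MS-SHLLINK header constants; 260 = the pre-fix Properties window from the article (assumed cut-off)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, IS_UNICODE = 0x10, 0x20, 0x80
DISPLAY_LIMIT = 260
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"))

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, skipping IDList and LinkInfo."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:      # LinkTargetIDList: uint16 size, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no NUL
            raw = data[pos + 2:pos + 2 + width * count]
            pos += 2 + width * count
            # ANSI strings use the system code page; cp1252 is an assumption here.
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields

def flag_padded_arguments(fields: dict) -> list:
    """Reasons a shortcut matches the hidden-argument pattern (empty list = clean)."""
    args = fields.get("arguments", "")
    reasons = []
    if len(args) > DISPLAY_LIMIT:
        reasons.append(f"arguments are {len(args)} chars, past the {DISPLAY_LIMIT}-char window")
    if args.strip() and not args[:DISPLAY_LIMIT].strip():
        reasons.append("visible portion is only whitespace; real arguments begin past it")
    return reasons

def build_sample_lnk(arguments: str, relative_path: str = "cmd.exe") -> bytes:
    """Constructed test fixture: a minimal LNK carrying only RELATIVE_PATH and arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=1 (SW_SHOWNORMAL)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body
```

To triage a quarantined shortcut from a mail gateway, pass its bytes to `parse_lnk_strings` and then `flag_padded_arguments`; a non-empty list is the signal to escalate.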

The story of CVE‑2025‑9491 is a reminder that even minor UI behaviors can have strategic security implications when combined with social engineering and other bugs. While Microsoft’s silent change to LNK handling reduces some risk, organizations should not rely on a single control. A robust posture requires timely patching, strict policies around files from external sources, continuous monitoring, and a mature vulnerability‑management process. Reviewing controls around shortcut files and command‑line execution today will significantly reduce the likelihood that similar LNK‑based attacks succeed tomorrow.
