Headline
About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability
About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability. A vulnerability in the Microsoft Windows shortcut (.LNK) handling mechanism allows malicious command-line arguments to be hidden in the Target field using whitespace characters, making them invisible to standard tools. Opening such an LNK file may lead to arbitrary code execution. 🔻 Peter Girnus, an […]
About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability. A vulnerability in the Microsoft Windows shortcut (.LNK) handling mechanism allows malicious command-line arguments to be hidden in the Target field using whitespace characters, making them invisible to standard tools. Opening such an LNK file may lead to arbitrary code execution.
🔻 Peter Girnus, an expert at Trend Micro, notified Microsoft about the vulnerability on September 20, 2024, but they decided not to fix it. 🤷♂️ On August 26, 2025, this 0-day vulnerability (ZDI-CAN-25373) was assigned the identifier CVE-2025-9491.
👾 On March 18, 2025, Trend Micro reported that this vulnerability was exploited in APT attacks, and on October 30, Arctic Wolf Labs confirmed it was used to deploy PlugX malware against Hungarian and Belgian diplomatic missions.
🛠 The method for modifying .LNK files is described in the Trend Micro report.
На русском
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Related news
It’s been a week of chaos in code and calm in headlines. A bug that broke the internet’s favorite framework, hackers chasing AI tools, fake apps stealing cash, and record-breaking cyberattacks — all within days. If you blink, you’ll miss how fast the threat map is changing. New flaws are being found, published, and exploited in hours instead of weeks. AI-powered tools meant to help developers
Microsoft has silently plugged a security flaw that has been exploited by several threat actors since 2017 as part of the company's November 2025 Patch Tuesday updates, according to ACROS Security's 0patch. The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misinterpretation vulnerability that could lead to remote
November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux. The usual monthly roundup. After several months, here’s a big one. 🔥 🗞 Post on Habr (rus)🗞 Post on SecurityLab (rus)🗒 Digest on the PT website (rus) A total of nine vulnerabilities: 🔻 RCE – Windows Server Update […]
A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a