Microsoft has finally addressed a long-standing and widely exploited security flaw in Windows shortcut (.lnk) files, tracked as CVE-2025-9491, after initially dismissing it as a low-severity issue. The vulnerability allowed attackers to craft malicious shortcuts that concealed harmful command-line arguments using whitespace padding, making the "Target" field appear blank or benign when viewed in Windows Properties. This deception enabled hidden code execution simply by a user opening the shortcut, a technique leveraged since at least 2017 by nearly a thousand malicious samples. Researchers identified 11 state-sponsored groups from North Korea, Iran, Russia, and China, alongside cybercriminal networks, using this method for espionage and data theft, highlighting its appeal for stealthy attacks.
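As an added example (not code from the article, Microsoft or Arctic Wolf), the following Python script walks the on-disk .lnk layout from the public MS-SHLLINK specification, extracts the COMMAND_LINE_ARGUMENTS string and flags shortcuts whose arguments contain a long run of whitespace, which is what the Properties dialog was hiding. The 64-character threshold, the function names and the `build_minimal_lnk` fixture builder are assumptions for illustration; the fixture carries only a string field and no link target, so it is not a launchable shortcut, merely input for the parser.

```python
"""Detect whitespace-padded command-line arguments in Windows shell link (.lnk) files.
Added example; field layout follows the public MS-SHLLINK specification, the padding
threshold and helper names are assumptions chosen for illustration."""
import re
import struct
import sys
from pathlib import Path

# LinkFlags bits (MS-SHLLINK 2.1.1) that control which optional sections follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# Shell link CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
PAD_THRESHOLD = 64  # assumption: no legitimate argument string needs this much consecutive whitespace


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link; IDList and LinkInfo are skipped by their size prefixes."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess_arguments(args: str, threshold: int = PAD_THRESHOLD) -> dict:
    """Flag an argument string whose longest whitespace run reaches the threshold and
    split it into the part a viewer sees first and the part hidden behind the padding."""
    runs = list(re.finditer(r"\s+", args))      # \s covers tabs, CR/LF, VT, FF and Unicode spaces
    longest = max((len(m.group()) for m in runs), default=0)
    result = {"suspicious": longest >= threshold, "longest_whitespace_run": longest,
              "visible_prefix": "", "hidden_command": ""}
    if result["suspicious"]:
        pad = max(runs, key=lambda m: len(m.group()))
        result["visible_prefix"] = args[:pad.start()]
        result["hidden_command"] = args[pad.end():]
    return result


def assess_lnk(data: bytes, threshold: int = PAD_THRESHOLD) -> dict:
    """Parse a .lnk and assess its command-line arguments (absent arguments are benign)."""
    return assess_arguments(parse_lnk(data).get("arguments", ""), threshold)


def build_minimal_lnk(arguments: str) -> bytes:
    """Constructed test fixture (assumption): a Unicode shell link holding only the
    COMMAND_LINE_ARGUMENTS string. It has no IDList or LinkInfo, so it is not a
    launchable shortcut; it exists only to exercise the parser offline."""
    flags = IS_UNICODE | HAS_ARGUMENTS
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + bytes(36)                      # FileAttributes, three timestamps, FileSize, IconIndex
              + struct.pack("<I", 1)           # ShowCommand = SW_SHOWNORMAL
              + bytes(12))                     # HotKey and reserved fields
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def scan(paths):
    """Yield (path, verdict) for each .lnk under the given files or directories."""
    for root in paths:
        targets = [Path(root)] if Path(root).is_file() else Path(root).rglob("*.lnk")
        for p in targets:
            try:
                yield p, assess_lnk(p.read_bytes())
            except (OSError, ValueError, struct.error) as exc:
                yield p, {"error": str(exc)}


if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1:]):
        print(path, verdict)
```

Run it as `python lnk_padding_check.py C:\Users\<user>\Desktop` (or any folder of shortcuts) to list each .lnk with its verdict; a hit reports the length of the padding run and the text that follows it, which is what to hand to triage. The script reads the file bytes only and never invokes the shortcut, so it is safe to run over quarantined samples.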
The urgency for a fix intensified following an October 2025 disclosure by Arctic Wolf Labs, which detailed a campaign by the China-linked espionage group UNC6384 (Mustang Panda) targeting European diplomatic entities. Attackers sent spear-phishing emails disguised as NATO or European Commission workshop invitations, containing the malicious shortcuts. Once opened, hidden commands executed obfuscated PowerShell scripts, leading to a multi-stage payload that deployed the PlugX remote access trojan via DLL sideloading. This provided persistent, stealthy access, underscoring the .lnk format’s effectiveness in bypassing email filters while enabling full remote code execution through social engineering.
Despite initial resistance, Microsoft silently patched the flaw in its November 2025 Patch Tuesday updates, modifying the Windows Properties dialog to reveal full commands and nullify the obfuscation trick. However, the company had previously argued the flaw didn’t qualify as a vulnerability, citing Microsoft Defender detections and Smart App Control protections. In a statement, Microsoft emphasized ongoing improvements to user experience and advised caution with files from unknown sources, particularly when security warnings appear. This belated mitigation follows years of exploitation, leaving potentially compromised systems unpatched and at risk until fully updated.
For defenders, the patch doesn’t eliminate the threat, as unupdated systems remain vulnerable, and historical exploitation suggests lingering compromises. The episode highlights the persistent risk of seemingly innocuous file formats in sophisticated attacks, reinforcing the need for vigilant patch management and user education against social engineering tactics.
This article was produced with the Neural News AI (V1) version.
Source: https://www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/.