
Closing the LNK vulnerability removes a trusted‑file attack path that has been leveraged for years, reducing the risk of large‑scale espionage and data theft across enterprise Windows environments.
The abuse of Windows shortcut (.LNK) files dates back to the early 2010s, when attackers sought alternatives after Microsoft curtailed macro execution in Office documents. Shortcut files are ubiquitous, automatically generated by the OS, and can launch arbitrary commands when opened. Their innocuous appearance makes them ideal for social engineering, allowing threat actors to embed malicious payloads that bypass traditional email filters and user scrutiny. Over the years, cyber‑espionage groups refined this technique, turning LNK files into a reliable delivery mechanism for stealthy ransomware and data‑exfiltration tools.
CVE‑2025‑9491 is a UI misrepresentation bug that hides the true execution path of a shortcut. When a victim inspects the file’s properties, Windows masks the underlying command line, presenting a benign target while the hidden payload runs with the user’s privileges. The National Vulnerability Database rates the flaw 7.8 out of 10, reflecting its high impact and ease of exploitation. Intelligence reports link the vulnerability to at least eleven state‑backed groups, which have leveraged it for targeted espionage campaigns across multiple sectors, from defense to finance, since 2017. This long‑term weaponisation underscores a gap in Microsoft’s vulnerability management that persisted for nearly a decade.
Microsoft’s November 2025 patch not only resolves CVE‑2025‑9491 but also bundles fixes for 62 other weaknesses, signaling a broader effort to harden the Windows attack surface. Enterprises should prioritize deployment of the cumulative update, verify that legacy shortcut handling is disabled where feasible, and employ application control solutions that flag anomalous .LNK activity. The remediation restores confidence in Windows as a secure platform and highlights the importance of rapid patch adoption, especially for vulnerabilities that have been silently exploited by nation‑state actors for years.
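The masking described above works because the Properties dialog shows only a bounded prefix of the target plus arguments, so an argument string front-loaded with whitespace displays as the benign program alone. The following added example (not code from the article or from Microsoft) reads the real COMMAND_LINE_ARGUMENTS straight from the on-disk [MS-SHLLINK] structure, which is what an application-control or mail-gateway check should inspect instead of the UI; `build_lnk`, `PAD_LIMIT` and the two shortcuts are constructed here for the demo.

```python
import struct
import uuid
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
PAD_LIMIT = 32  # assumption: no legitimate argument string starts with this much whitespace

def build_lnk(args, relpath="..\\Windows\\System32\\cmd.exe"):
    """Constructed sample: 76-byte header plus RELATIVE_PATH and ARGUMENTS StringData only."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + UTF-16LE chars
    return header + sd(relpath) + sd(args)

def parse_lnk(data):
    """Walk header -> optional IDList/LinkInfo -> StringData; return the string fields."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link")
    pos = 0x4C
    if flags & HAS_IDLIST:    # IDListSize (2 bytes) precedes the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + (2 * n if is_unicode else n)]
            pos += 2 + len(raw)
            fields[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
    return fields

def analyze_lnk(data):
    """Report the real argument string and flag padding that keeps it out of the Target field."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    payload = args.strip()
    padding = len(args) - len(payload)
    findings = []
    if padding >= PAD_LIMIT:
        findings.append(f"{padding} whitespace characters precede the real command line")
    if any(c in args for c in "\t\r\n\v\f"):
        findings.append("control characters inside COMMAND_LINE_ARGUMENTS")
    return {"arguments": payload, "padding": padding, "findings": findings}
```

Running `analyze_lnk` over shortcuts arriving by mail or landing in user-writable directories gives a file-level signal that does not depend on the patched dialog; a non-empty `findings` list on a shortcut whose visible target is a shell or script host is worth an alert.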