Key Takeaways: Critical Windows LNK flaw actively exploited by major threat groups for global malware attacks. Microsoft releases delayed patch after months of active zero-day abuse. Attackers used deceptive shortcut files to bypass security prompts and infect systems. Cybercriminals have been exploiting a critical flaw in Windows LNK (.lnk shortcut) files to deliver malware in targeted attacks worldwide. After months of active abuse, Microsoft has finally issued a fix for the zero-day in its November 2025 Patch Tuesday update . CVE-2025-9491 is a Windows Shell Link (.LNK) vulnerability that allows attackers to hide malicious commands without shortcut files by manipulating the file’s properties. This flaw creates a deceptive user interface where harmful payloads are concealed in the “Target” field using whitespace padding, which makes them appear harmless when inspected. How did attackers exploit the Windows LNK vulnerability? When a user opens such a crafted shortcut, the hidden command executes under their privileges, which enables malware installation or system compromise. While the exploitation requires user interaction, this vulnerability has been actively abused by multiple threat groups for espionage and malware delivery. “In all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment,” Microsoft explained . Trend Micro researchers first discovered this Windows LNK vulnerability in March 2025. It has been leveraged by at least 11 threat actor groups (including Evil Corp, APT37, Kimsuky, and Mustang Panda) to deliver malware such as Ursnif, Gh0st RAT, Trickbot, and PlugX. In one case, Mustang Panda used it in espionage campaigns targeting European diplomats. Why did Microsoft delay the patch? Microsoft initially decided against patching the CVE-2025-9491 vulnerability immediately. The company argued that this flaw required user interaction and that existing Windows warnings provided enough protection against cyberattacks. However, attackers quickly found ways to bypass these safeguards using a Mark-of-the-Web loophole that allowed malicious .LNK files to execute without triggering security prompts. After months of active exploitation, Microsoft has quietly rolled out a fix to address the Windows LNK vulnerability. Security recommendations for administrators To protect against CVE-2025-9491, it’s highly recommended that users should avoid interacting with suspicious .LNK files, especially those delivered inside compressed archives or from unknown sources. Organizations should enforce strict email and file filtering policies, disable shortcut file execution from untrusted locations, and educate employees about the risks of opening unexpected attachments. Additionally, administrators should apply Microsoft’s latest security updates on Windows machines as soon as possible. They should also enable advanced endpoint protection and monitor for abnormal shortcut file behavior within enterprise networks. Related Articles See all Windows Server Windows How to Map a Network Drive on Windows Michael Reinders Jan 14, 2026 DNS Windows How to Change DNS on Windows: A Step-by-Step Guide Michael Reinders Dec 02, 2025 Windows The Complete Guide to Windows Backup Michael Otey Aug 12, 2025 Security Windows Manage-Bde – BitLocker Drive Encryption from the Command Line Michael Reinders Last Updated: Oct 08, 2025 Windows Server Windows Unlocking the Power of Microsoft KMS: An Overview of Deployment and Usage Michael Reinders Apr 10, 2025 Windows Server Windows Fix Windows Update – The Ultimate Guide Michael Reinders Last Updated: Sep 17, 2025