- Microsoft’s November 2025 Patch Tuesday fixed 63 bugs, including CVE-2025-9491 in Windows LNK files
- The flaw allowed attackers to hide malicious commands in shortcut files, enabling RCE attacks
- Exploited since 2017 by state-sponsored groups from China, Iran, North Korea and Russia; severity rated at 7.8/10
The November 2025 Patch Tuesday cumulative update fixed a vulnerability that hackers have been exploiting for years.
On November 12, Microsoft released a patch that addressed 63 vulnerabilities. Among them was a “Microsoft Windows LNK file UI misrepresentation” vulnerability that enabled Remote Code Execution (RCE) attacks via weaponized shortcut (.LNK) files.
According to the National Vulnerability Database (NVD), “crafted data in a .LNK file could cause dangerous content in the file to become invisible to a user inspecting the file through the Windows-provided user interface. An attacker could exploit this vulnerability to execute code in the context of the current user.”
Abused for years
In other words, the flaw lets attackers hide what the shortcut really does. When a victim right-clicks on the shortcut file to check its properties, Windows hides the file’s full path and the commands it will run, making the file appear safe even when it isn’t.
The bug is now tracked as CVE-2025-9491 and has a severity score of 7.8/10 (high).
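Because the problem lies in what the Windows properties dialog displays, a defender can read a shortcut's stored fields directly from the file instead. The sketch below is an added example, not code from Microsoft, NVD or this article; it follows the public MS-SHLLINK layout, and the `audit` heuristic (counting non-printable characters), the cp1252 fallback and the sample bytes are assumptions of the example.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each present only if its LinkFlags bit is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields exactly as stored in the file."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                    # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                      # 2-byte size, then the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                    # 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    # ANSI strings use the system code page; cp1252 is assumed here.
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]  # characters, not bytes
            raw = data[off + 2: off + 2 + count * width]
            if len(raw) != count * width:
                raise ValueError("truncated StringData")
            fields[key] = raw.decode(codec, errors="replace")
            off += 2 + count * width
    return fields

def audit(data: bytes) -> dict:
    """Summarise the arguments field so nothing depends on how a UI renders it."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    # Heuristic (assumption): characters a text box would show as nothing.
    unseen = sum(1 for c in args if not c.isprintable())
    return {"fields": fields, "arg_length": len(args), "non_rendering": unseen,
            "arguments_escaped": ascii(args)}

def build_sample() -> bytes:
    """Constructed, inert sample: header plus two strings, no link target."""
    flags = 0x10 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0) + bytes(76 - 28)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc("C:\\constructed") + enc("\t\t--constructed-sample-argument")

if __name__ == "__main__":
    print(audit(build_sample()))
```

The escaped form and the character counts come from the file's bytes, so they are unaffected by how any dialog chooses to display the field.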
Cybercriminals turned to .LNK files years ago when Microsoft first banned the use of macros in downloaded Office files. More recently, Trend Micro’s Zero Day Initiative (ZDI) reported that the flaw was weaponized by 11 state-sponsored groups from China, Iran, North Korea, and Russia, who used it for cyberespionage, data theft, and fraud, apparently since 2017.
At first, Microsoft did not want to fix it, says Hacker News, arguing that it wasn’t that big of a deal. It also said that the .LNK format is blocked in Outlook, Word, Excel, PowerPoint and OneNote, and that anyone who tried to run these files would receive a warning not to open documents from unknown sources.
But when several cybersecurity companies warned about the exploit and pointed out that state-sponsored attackers were also using the flaw, Microsoft decided to fix it.
Via Hacker News



