- Microsoft’s November 2025 Patch Tuesday fixed 63 vulnerabilities, including CVE-2025-9491 in Windows LNK files
- The bug allows attackers to hide malicious commands in shortcut files, thus enabling RCE attacks.
- Exploited since 2017 by state-sponsored groups in China, Iran, North Korea and Russia; severity rated 7.8/10
The November 2025 Patch Tuesday cumulative update fixed a vulnerability that hackers had been exploiting for years.
On November 12, Microsoft released a patch fixing 63 vulnerabilities. Among them was a “Misrepresentation of Microsoft Windows LNK File UI” vulnerability that allowed remote code execution (RCE) attacks via weaponized shortcut (.LNK) files.
According to the National Vulnerability Database (NVD), “forged data in a .LNK file can make the dangerous contents of the file invisible to a user who inspects the file through the Windows-provided user interface. An attacker can exploit this vulnerability to execute code in the context of the current user.”
Abused for years
In other words, the bug allows attackers to hide what the shortcut actually does. When a victim right-clicks the shortcut file to check its properties, Windows hides the full path to the file and the commands it will execute, making the file appear safe even though it is not.
The bug is now tracked as CVE-2025-9491 and has a severity score of 7.8/10 (high).
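For defenders triaging shortcut files, the complete argument string can be read from the file itself instead of from the Properties dialog. The following is an added example, not part of the original article and not Microsoft's code; it follows the published MS-SHLLINK layout, and `DISPLAY_LIMIT`, `review` and `constructed_sample` are names and values assumed for illustration.

```python
import struct

# MS-SHLLINK LinkFlags bits used by this example
HAS_IDLIST, HAS_LINKINFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # name, relpath, workdir, args, icon
DISPLAY_LIMIT = 260  # assumption of this example: characters the dialog field shows


def lnk_arguments(data: bytes) -> str:
    """Return the full COMMAND_LINE_ARGUMENTS string stored in a .LNK file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:        # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    # Non-Unicode strings use the system code page; cp1252 is assumed here.
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit in STRING_FLAGS:      # StringData items appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2 : pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        if bit == HAS_ARGS:
            return raw.decode(codec, errors="replace")
        pos += 2 + count * width
    return ""


def review(data: bytes) -> dict:
    """Split the arguments into the part within DISPLAY_LIMIT and the rest."""
    args = lnk_arguments(data)
    return {"length": len(args), "shown": args[:DISPLAY_LIMIT],
            "not_shown": args[DISPLAY_LIMIT:], "suspicious": len(args) > DISPLAY_LIMIT}


def constructed_sample(args: str, workdir: str = "C:\\Temp") -> bytes:
    """Constructed, non-functional test input: header plus two StringData items."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I16sI", 0x4C, clsid, 0x10 | HAS_ARGS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (workdir, args))
    return header.ljust(76, b"\0") + body
```

Running `review()` over shortcut files collected from mail gateways or download folders gives an analyst the stored command line in full, independent of what the Windows UI displays.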
Cybercriminals turned to .LNK files years ago, when Microsoft first banned the use of macros in downloaded Office files. More recently, Trend Micro’s Zero Day Initiative (ZDI) reported that the bug was being weaponized by 11 state-sponsored groups in China, Iran, North Korea, and Russia, who had been using it for cyberespionage, data theft, and fraud, apparently since 2017.
At first, Microsoft didn’t want to fix the problem, telling Hacker News it wasn’t that bad. It also said that the .LNK format is blocked in Outlook, Word, Excel, PowerPoint and OneNote and that anyone attempting to run these files would receive a warning not to open documents from unknown sources.
However, as several cybersecurity companies warned of such abuse and pointed out that state-sponsored attackers were also using the bug, Microsoft decided to patch it.
Via Hacker News




