- Microsoft’s November 2025 Patch Tuesday fixed 63 bugs, including CVE-2025-9491 in Windows LNK files
- This flaw allows attackers to hide malicious commands in link files, enabling RCE attacks.
- Exploited since 2017 by state-sponsored groups from China, Iran, North Korea and Russia; rated 7.8/10 in severity
The November 2025 Patch Tuesday cumulative update fixes a vulnerability that hackers have been exploiting for years.
On November 12, Microsoft released a patch that fixes 63 vulnerabilities. This included a vulnerability known as Microsoft Windows LNK File User Interface Misrepresentation, which allowed Remote Code Execution (RCE) attacks via crafted shortcut (.LNK) files.
According to the National Vulnerability Database (NVD), “manipulated data in a .LNK file could make the malicious content of the file invisible to a user viewing the file through the Windows user interface. An attacker could exploit this vulnerability to execute code in the context of the current user.”
Abused for years
In other words, the flaw allows attackers to hide what the shortcut actually does. When a victim right-clicks the shortcut file to check its properties, Windows hides the full path to the file and the commands to run, making the file appear safe even though it isn’t.
The bug is now tracked as CVE-2025-9491 and has a severity rating of 7.8/10 (high).
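Because the Properties dialog cannot be relied on to show what a shortcut runs, a defender can read the stored strings straight from the file. The following is an added example, not code from the original article or from Microsoft: it parses the StringData section of the Shell Link format and returns the arguments in full; the function names, the cp1252 fallback, both review thresholds and the sample link are assumptions made for this example.

```python
import struct

# LinkFlags bits from the published Shell Link (.LNK) binary format
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk_strings(data: bytes) -> dict:
    """Return every StringData field stored in a .LNK file, untruncated."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76
    try:
        if flags & HAS_ID_LIST:    # 2-byte size, then the ID list itself
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:  # 4-byte size that includes the size field
            pos += struct.unpack_from("<I", data, pos)[0]
        # Non-Unicode strings use the system code page; cp1252 is assumed here
        width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        fields = {}
        for bit, name in STRING_FIELDS:
            if flags & bit:
                count = struct.unpack_from("<H", data, pos)[0]  # in characters
                end = pos + 2 + count * width
                if end > len(data):
                    raise ValueError("truncated string data")
                fields[name] = data[pos + 2:end].decode(codec, errors="replace")
                pos = end
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc
    return fields

def review_arguments(fields: dict, max_len: int = 260, max_padding: int = 32) -> list:
    """Triage heuristics; both thresholds are assumptions of this example."""
    args = fields.get("arguments", "")
    padding = sum(1 for ch in args if ch.isspace() or not ch.isprintable())
    findings = []
    if len(args) > max_len:
        findings.append(f"arguments are {len(args)} characters long")
    if padding > max_padding:
        findings.append(f"{padding} whitespace or non-printable characters")
    return findings

def build_sample(arguments: str) -> bytes:
    """Constructed minimal link (header plus arguments only) for the demo."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x20 | IS_UNICODE).ljust(76, b"\0")
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

SAMPLE = build_sample(" " * 300 + "constructed-placeholder")  # constructed input
```

Printing `repr(parse_lnk_strings(data)["arguments"])` makes whitespace and control characters visible that a dialog field would render as blank.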
Cybercriminals started using .LNK files several years ago, when Microsoft first banned the use of macros in downloaded Office files. More recently, Trend Micro’s Zero Day Initiative (ZDI) reported that the flaw appears to have been weaponized since 2017 by eleven state-sponsored groups from China, Iran, North Korea, and Russia, which are using it for cyberespionage, data theft, and fraud.
At first, Microsoft didn’t want to fix the problem, telling The Hacker News that it wasn’t that bad. It also said that the .LNK format has been blocked in Outlook, Word, Excel, PowerPoint and OneNote, and that anyone trying to run these files will be warned not to open documents from unknown sources.
However, after several cybersecurity companies warned of such exploits, noting that state-sponsored attackers were also exploiting the flaw, Microsoft took steps to patch it.
Via The Hacker News
