- Microsoft’s November 2025 Patch Tuesday fixed 63 flaws, including CVE-2025-9491 in Windows LNK files
- The bug allowed attackers to hide malicious commands in shortcut files, enabling RCE attacks
- Exploited since 2017 by state-sponsored groups from China, Iran, North Korea and Russia; severity rated 7.8/10
The November 2025 Patch Tuesday cumulative update fixed a vulnerability that hackers have been exploiting for years.
On November 12, Microsoft released a patch that fixed 63 vulnerabilities. Among them was a “Microsoft Windows LNK File UI Manipulation” vulnerability that allowed remote code execution (RCE) attacks via crafted shortcut (.LNK) files.
According to the National Vulnerability Database (NVD), “crafted data in a .LNK file can make the file’s dangerous content invisible to a user who inspects the file through the user interface provided by Windows. An attacker can exploit this vulnerability to execute code in the context of the current user.”
Abused for years
In other words, the bug allows attackers to hide what the shortcut actually does. When a victim right-clicks the shortcut file to check its properties, Windows hides the full path of the file and the commands to be executed, making the file appear safe even when it is not.
The bug is now tracked as CVE-2025-9491 and has a severity score of 7.8/10 (high).
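The command line a shortcut stores can be read directly from the file rather than through the Properties dialog. The following is an added example, not code from the article or from Microsoft: a minimal parser for the StringData section of the shell link (MS-SHLLINK) format that prints every field in full. The sample shortcut, its path and its arguments are constructed and harmless; the LinkInfo and ExtraData sections are skipped rather than decoded.

```python
import struct

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class id
# LinkFlags bits for the StringData fields, in the order the strings are stored
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, read straight from the bytes."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                  # fixed-size header ends here
    if flags & 0x01:                          # HasLinkTargetIDList: 2-byte size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                          # HasLinkInfo: 4-byte size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & 0x80)           # IsUnicode: strings are UTF-16LE
    out = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # length in characters
        size = count * 2 if is_unicode else count
        raw = data[pos + 2: pos + 2 + size]
        if len(raw) != size:
            raise ValueError(f"truncated {name} string")
        out[name] = raw.decode("utf-16-le" if is_unicode else "cp1252", errors="replace")
        pos += 2 + size
    return out

def report(data: bytes) -> str:
    """One line per field with its length and repr(), so rendering hides nothing."""
    return "\n".join(f"{k} ({len(v)} chars): {v!r}" for k, v in parse_lnk(data).items())

def build_sample() -> bytes:
    """Constructed, harmless shortcut: a relative path plus a long argument string."""
    flags = 0x08 | 0x20 | 0x80                # HasRelativePath, HasArguments, IsUnicode
    header = struct.pack("<I16sI", 0x4C, CLSID, flags) + bytes(76 - 24)
    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + field(".\\constructed.exe") + field("/c echo " + "A" * 400)

if __name__ == "__main__":
    print(report(build_sample()))
```
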
Cybercriminals turned to .LNK files years ago, when Microsoft first banned the use of macros in downloaded Office files. In more recent times, Trend Micro’s Zero-Day Initiative (ZDI) reported that the bug was being weaponized by 11 state-sponsored groups from China, Iran, North Korea, and Russia, who were using it for cyberespionage, data theft, and fraud, apparently since 2017.
At first, Microsoft did not want to fix it, telling Hacker News it wasn’t a big deal. It also said that the .LNK format is blocked in Outlook, Word, Excel, PowerPoint and OneNote and anyone trying to run these files would receive a warning not to open documents from unknown sources.
However, since several cybersecurity companies warned about the abuse and noted that state-sponsored attackers were also using the bug, Microsoft decided to fix it.
Via Hacker News




