Windows LNK flaw CVE-2025-9491 gets partial fix from Microsoft

Microsoft is facing renewed scrutiny after quietly deploying a limited mitigation for a widely exploited Windows shortcut vulnerability tracked as CVE-2025-9491. The flaw, affecting how Windows processes .LNK files, has been abused for years by advanced persistent threat groups and cybercrime gangs to conceal malicious commands and deploy malware on victim systems.

The vulnerability stems from the way Windows handles the Target field inside shortcut files. Attackers can create shortcuts with extremely long command strings, sometimes tens of thousands of characters in length, and then pad the beginning of the string with whitespace or similar characters. In affected versions of Windows, the Properties dialog only displayed the first 260 characters of this Target field, effectively hiding the actual payload from the user even when they checked the shortcut’s properties.

This behavior allowed threat actors to disguise dangerous commands behind what appeared to be harmless content. Users who opened the Properties window saw what looked like an empty or benign command field, but double-clicking the shortcut executed the full hidden command string. This technique has been linked to the delivery of malware families such as Ursnif, Gh0st RAT, Trickbot and PlugX.

Security researchers from Trend Micro reported in March 2025 that they had observed close to a thousand malicious .LNK files abusing this behavior in campaigns dating back to 2017. At least eleven state-backed and financially motivated groups have been associated with the exploitation of CVE-2025-9491, including Evil Corp, APT37, Bitter, APT43, Mustang Panda, SideWinder, RedHotel and Konni. Arctic Wolf Labs later documented a campaign in which the Chinese-linked Mustang Panda group used the flaw in zero-day attacks targeting European diplomatic entities in countries such as Hungary and Belgium to distribute the PlugX remote access trojan.

Despite the clear evidence of widespread exploitation, Microsoft initially declined to treat the issue as a security vulnerability. The company argued that user interaction was required and that Windows already warns users when opening shortcut files originating from the internet, due to Mark of the Web protections. Security vendors pointed out that known Mark of the Web bypass techniques could be used to remove or evade these warnings, weakening this line of defense.

Pressure increased after CVE-2025-9491 was formally assigned and multiple security firms highlighted ongoing exploitation in the wild. In November 2025, Microsoft shipped an undocumented change in its monthly updates that altered how the Properties dialog displays shortcut targets. Instead of truncating the Target field at 260 characters, Windows now shows the entire command string, regardless of length. This change restores consistency between what the user interface displays and what the system actually executes.

However, experts note that this behavioral change is only a partial mitigation. Existing malicious shortcuts remain functional, and the operating system does not flag or block unusually long command strings. The updated interface still requires a user to manually scroll through or copy the Target field to inspect thousands of characters of text, which is unrealistic for most users in real-world scenarios. As a result, the risk of successful social engineering attacks remains high, particularly when shortcuts are disguised as documents or other familiar file types inside archives.

In response to these limitations, ACROS Security, the company behind the 0patch micropatch platform, developed its own unofficial fix for CVE-2025-9491. Rather than simply exposing the full command string, the 0patch solution enforces a strict limit on shortcut Target length when opened via Windows Explorer. If a .LNK file contains a Target longer than 260 characters, the micropatch truncates the command at 260 characters and displays a warning to the user that the shortcut has been shortened due to suspicious length.

This approach aims to break the current wave of malicious shortcuts observed in the wild, most of which rely on extremely long commands to hide payloads beyond the original display limit. While it does not eliminate the theoretical possibility of shorter malicious commands, it disrupts known attack chains used by major threat actors. ACROS Security argues that typical user-facing shortcuts created through the normal Windows interface do not exceed 260 characters and that legitimate programmatically created shortcuts with longer targets are generally not meant to be manually launched by end users.
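The truncation behaviour described above and the 260-character threshold that 0patch enforces can both be checked offline by parsing a shortcut's StringData. The following Python is an added example, not code from the article, Microsoft or 0patch: it reads the string fields using the public MS-SHLLINK layout, measures leading whitespace padding, and reports what the old Properties dialog would have hidden. The sample .LNK is constructed in memory with a benign echo command; targets stored in the LinkInfo or IDList structures are skipped, not resolved.

```python
import struct

# Header layout and LinkFlags bits from the public Shell Link binary format (MS-SHLLINK)
HEADER_SIZE = 0x4C
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
DISPLAY_LIMIT = 260  # characters the old Properties dialog showed; also 0patch's cut-off

def parse_lnk_strings(data):
    """Return the StringData fields of a .LNK, skipping the optional IDList and LinkInfo."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize field + IDList body
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize counts itself
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    return fields

def assess_lnk(data):
    """Flag a shortcut whose target plus arguments exceed the display limit and are padded."""
    f = parse_lnk_strings(data)
    args = f.get("arguments", "")
    shown = f.get("relative_path", "") + (" " + args if args else "")
    leading_pad = len(args) - len(args.lstrip())
    return {
        "total_length": len(shown),
        "leading_padding": leading_pad,
        "hidden_tail": shown[DISPLAY_LIMIT:].strip(),   # what the old dialog never displayed
        "suspicious": len(shown) > DISPLAY_LIMIT and leading_pad > 0,
    }

def build_sample_lnk(target, args):
    """Constructed minimal .LNK (header + StringData only); used here as offline sample input."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    struct.pack_into("<I", header, 0x14, 0x08 | 0x20 | IS_UNICODE)    # RelativePath + Arguments
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, args))
    return bytes(header) + body

# Constructed sample: a benign echo pushed past the 260-character window by 300 spaces
PADDED_SAMPLE = build_sample_lnk("cmd.exe", " " * 300 + "/c echo hidden-command")

if __name__ == "__main__":
    print(assess_lnk(PADDED_SAMPLE))
```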

The unofficial 0patch fix is available to PRO and Enterprise customers for a wide range of Microsoft operating systems. Supported platforms include Windows 7 through Windows 11 22H2 and Windows Server 2008 R2 through Windows Server 2022, including several server editions that did not receive Microsoft’s own behavioral change. These micropatches are applied in memory without requiring system reboots, offering organizations running end-of-support or unpatched systems a way to reduce exposure to active exploitation.
