AI description
CVE-2025-9491 is a vulnerability in how Microsoft Windows handles .LNK (shortcut) files. Classified as CWE-451, User Interface Misrepresentation of Critical Information, it lets a crafted .LNK file hide hazardous content from a user who inspects the file through the Windows user interface: the attacker places malicious command-line arguments in the shortcut's Target field and pads them with whitespace so that the Properties dialog shows nothing dangerous, while the padded arguments are still passed to the target program when the shortcut is opened. Exploitation requires user interaction (the target must visit a malicious page or open a malicious file) and yields code execution in the context of the current user. Note that the access vector is Local in all three CVSS vectors below; the "Remote" in the title refers to delivery of the file, not to a network-reachable service. The flaw has been used in spear-phishing campaigns whose links lead to malicious LNK files; those files run PowerShell to deploy malware such as the PlugX remote access trojan.
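The concealment described above is a file-format trick, so the practical check is a parser. The following added example, which is not code from this page, from Microsoft or from Trend ZDI, reads a ShellLink according to the public MS-SHLLINK layout, pulls the COMMAND_LINE_ARGUMENTS string, and measures how much leading whitespace precedes the real arguments. The two sample shortcuts are constructed in memory; the 260-character display limit is an assumption taken from the posts further down this page, and the stage2.exe payload in the padded sample is a placeholder, not a real artifact.

```python
"""Triage .LNK files for the whitespace-padding trick behind CVE-2025-9491.

Added example: not code from this page, Microsoft or Trend ZDI.  Byte layout
follows the public MS-SHLLINK specification; the two sample shortcuts are
constructed in memory below; DISPLAY_LIMIT (260 characters) is an assumption
taken from the discussion on this page, not a verified constant.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))  # fixed StringData order

PADDING_CHARS = " \t\r\n\x0b\x0c"  # all render as blank in the Properties dialog
CONTROL_WS = "\t\r\n\x0b\x0c"
DISPLAY_LIMIT = 260                # assumed visible width of the Target field


def parse_lnk(data: bytes) -> dict:
    """Walk the ShellLink structure far enough to read the StringData fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a .LNK")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a ShellLink header")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no NUL
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return {"flags": flags, "strings": strings}


def analyze_arguments(args: str) -> dict:
    """Measure how much of COMMAND_LINE_ARGUMENTS a user inspecting the file never sees."""
    payload = args.lstrip(PADDING_CHARS)
    leading = len(args) - len(payload)
    control = sum(1 for c in args if c in CONTROL_WS)
    return {"length": len(args), "leading_padding": leading,
            "control_whitespace": control, "payload": payload,
            "hidden_from_dialog": leading >= DISPLAY_LIMIT,
            # Legitimate shortcuts never pad arguments: any control whitespace,
            # or a run long enough to push the payload out of view, is a finding.
            "suspicious": control > 0 or leading >= DISPLAY_LIMIT}


def triage(data: bytes) -> dict:
    parsed = parse_lnk(data)
    report = analyze_arguments(parsed["strings"].get("arguments", ""))
    report["target"] = parsed["strings"].get("relative_path", "")
    return report


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode ShellLink as sample input (not an exploit builder)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # attrs=ARCHIVE, three zero timestamps, FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    item = b"\x1f" + b"\x00" * 3                                # placeholder ItemID
    id_list = struct.pack("<H", 2 + len(item)) + item + b"\x00\x00"

    def sd(s: str) -> bytes:                                    # one StringData entry
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + struct.pack("<H", len(id_list)) + id_list
            + sd(relative_path) + sd(arguments) + b"\x00\x00\x00\x00")  # TerminalBlock


PAD_BLOCK = " " * 58 + "\n\r\t\x0b\x0c"   # 63 characters, five of them control whitespace
HIDDEN_COMMAND = '-w hidden -nop -c "Start-Process .\\stage2.exe"'   # placeholder, constructed
SAMPLE_BENIGN = build_lnk("..\\Windows\\notepad.exe", "C:\\Users\\Public\\notes.txt")
SAMPLE_PADDED = build_lnk("..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                          PAD_BLOCK * 5 + HIDDEN_COMMAND)

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("padded", SAMPLE_PADDED)):
        r = triage(blob)
        print(f"{label}: suspicious={r['suspicious']} leading_padding={r['leading_padding']} "
              f"control_ws={r['control_whitespace']} payload={r['payload'][:40]!r}")
```

Run the file to see both verdicts; for real files call `triage(open(path, "rb").read())`. The check treats any control whitespace as a finding on its own, because nothing legitimate writes tabs or line feeds into a shortcut's arguments; the display-limit heuristic is what catches padding made only of ordinary spaces.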
- Description
- Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of .LNK files. Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25373.
- Source
- zdi-disclosures@trendmicro.com
- NVD status
- Modified
- Products
- windows_11_23h2
CVSS 4.0
- Type
- Secondary
- Base score
- 4.6
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
CVSS 3.0
- Type
- Secondary
- Base score
- 7
- Impact score
- 5.9
- Exploitability score
- 1
- Vector string
- CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
Weakness
- zdi-disclosures@trendmicro.com
- CWE-451
- Hype score
- Not currently trending
Today's Cybersecurity Roundup: - Germany summons Russian ambassador over GRU-linked cyberattack on air traffic control & election meddling. Hybrid threats escalating! - CISA adds critical Windows privilege escalation vuln (CVE-2025-9491) to KEV catalog—patch now to block
@ImperialTechSvc
12 Dec 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-9491, which has been used in real-world attacks, has finally been patched by Microsoft in the November 2025 updates. Hackers have exploited this vulnerability since 2017, allowing shortcuts to be padded in the Target field with whitespace, concealing PowerShell or batch
@Leila97726926
7 Dec 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft has issued a silent patch for a long-standing Windows shortcut (.LNK) file vulnerability, CVE-2025-9491, exploited in the wild since at least 2017.
@PinkPinklava
6 Dec 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft quietly patched CVE-2025-9491, a Windows LNK vulnerability exploited since 2017 by state-sponsored groups. The flaw allowed attackers to hide malicious commands in shortcut files, enabling RCE attacks. Severity rated 7.8/10. #Microsoft #vulnerability #PatchTuesday https
@ProgresiveRobot
5 Dec 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A vulnerability identified as CVE-2025-9491 has been published for LNK files, that is, shortcuts, which allows hackers to place their malicious commands and instructions in this type of file using
@EthicalSafe
4 Dec 2025
54 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft quietly patched a Windows LNK file flaw (CVE-2025-9491) — exploited in the wild since 2017 to hide malicious commands in shortcuts and trigger remote code execution. Apply the Nov 2025 update! https://t.co/xWUJOhtU84 https://t.co/JbfIh3p62H
@sctocs25
4 Dec 2025
59 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ New Windows Zero-Day Alert A critical flaw, CVE-2025-9491, in how Windows handles .lnk shortcut files allows remote code execution the moment a malicious link is accessed. 👇 In my latest deep-dive, I cover: • How the exploit works technically • Which Windows builds
@ctrlaltnod
4 Dec 2025
89 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft fixes a Windows LNK flaw after years of active exploitation. The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0) #ciberseguridad #cybersecurity https://t.co/tS46ZcQujA
@EHCGroup
4 Dec 2025
66 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft has finally fixed security vulnerability CVE-2025-9491, which various threat groups had been exploiting since 2017, in the November 2
@Teeegra
4 Dec 2025
1097 Impressions
0 Retweets
8 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft quietly fixes Windows LNK vulnerability CVE-2025-9491 https://t.co/hjEgIBf17g #Security #セキュリティー #ニュース
@SecureShield_
4 Dec 2025
36 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[Windows zero-day vulnerability] Microsoft quietly implemented a mitigation in its November update for the Windows LNK file vulnerability (CVE-2025-9491), which state-sponsored hacker groups have been exploiting since 2017.
@nakajimeeee
4 Dec 2025
3209 Impressions
6 Retweets
28 Likes
8 Bookmarks
0 Replies
0 Quotes
Microsoft fixes a flaw exploited since 2017: the company quietly released a patch for vulnerability CVE-2025-9491, which allowed remote code execution via disguised LNK files. The flaw was used by state-sponsored groups for espionage and financial attacks.
@caveiratech
3 Dec 2025
34 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-9491? Actually whitespace padding in .lnk files isn't a vulnerability. It's a feature. For APT groups. 11 state-sponsored APT groups. North Korea. Iran. Russia. China. CWE-451: UI Misrepresentation of Critical Information. Also describes the severity rating. Security
@gothburz
3 Dec 2025
3243 Impressions
0 Retweets
6 Likes
6 Bookmarks
0 Replies
0 Quotes
Microsoft just quietly patched a critical Windows LNK vulnerability (CVE-2025-9491) that's been actively exploited since 2017. Finally! 🛡️ https://t.co/rkR2hkMizq #Microsoft #WindowsLNK #Cybersecurity #PatchTuesday
@0xT3chn0m4nc3r
3 Dec 2025
49 Impressions
3 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft has mitigated vulnerability CVE-2025-9491, exploited as a zero-day on all versions of Windows. 📂 The flaw allows malicious commands to be hidden in .lnk (shortcut) files, used to deploy malware such as Ursnif, Gh0st RAT and Trickbot. #Windows htt
@SoyITPro
3 Dec 2025
2399 Impressions
12 Retweets
59 Likes
5 Bookmarks
2 Replies
0 Quotes
Notice: CVE-2025-9491 (LNK) was fixed in November 2025. Windows now shows the full PowerShell/BAT command in the "Target" field (previously it was 260 characters); 0Patch is available. What do you think? #CVE
@CaveSiberKurdi
3 Dec 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft Silently Patched CVE-2025-9491 - We Think Our Patch Provides More Security https://t.co/tSUnBtEwrf https://t.co/2AfwjcdA3D
@0patch
2 Dec 2025
423 Impressions
2 Retweets
3 Likes
1 Bookmark
1 Reply
0 Quotes
#exploit 1⃣. CVE-2025-50165: Critical Flaw (RCE) in Windows Graphics Component - https://t.co/p3KATYNDYX // Windows 11 24H2 x64/ARM64, Windows Server 2025 2⃣. CVE-2025-9491: Windows UI misrepresentation vulnerability - https://t.co/9qKIOSQ7Fd // PoC tool for demonstrating t
@ksg93rd
26 Nov 2025
439 Impressions
2 Retweets
2 Likes
4 Bookmarks
0 Replies
0 Quotes
CVSSv3 is 7.8, but attacks are increasing, so a bit of caution may be warranted. > CVE-2025-9491 Microsoft Windows LNK file UI misrepresentation remote code execution vulnerability
@skiritan
11 Nov 2025
316 Impressions
1 Retweet
4 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
10 Nov 2025
47 Impressions
0 Retweets
0 Likes
1 Bookmark
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
9 Nov 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
⚠️ China-linked hackers (UNC6384) exploit unpatched Windows flaw CVE-2025-9491 to spy on EU diplomats. Attacks use malicious LNK files to deploy PlugX RAT. Microsoft has declined to patch the vulnerability.
@haydar_beklemez
7 Nov 2025
52 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A Windows flaw for 8 years: CVE-2025-9491 in LNK files exposed diplomats; experts say Microsoft ignored the warnings. Worth discussing? Comment/share/visit #Segurança #Windows https://t.co/EH5ftqGSrp
@renda_Geek
6 Nov 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
👾 CVE-2025-9491 - attackers can hide command-line args in a .LNK file’s Target field using whitespace characters to trigger RCE - used to deploy PlugX against diplomatic missions 🇭🇺🇧🇪. Microsoft refuses to fix. 🤷♂️⚠️ #PlugX #TrendMicro ➡️ https:
@leonov_av
6 Nov 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 UNC6384 Threat Intelligence Report [High] Nov 06, 2025 This report details the activities of the China-linked threat actor UNC6384, focusing on their exploitation of a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomatic entities. The report analyzes.
@transilienceai
6 Nov 2025
66 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ China-linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats https://t.co/LxusyFdZ61 The APT group UNC6384 is using a previously disclosed Windows shortcut vulnerability (CVE-2025-9491) in spear-phishing campaigns aimed at diplomatic organizations in
@Huntio
5 Nov 2025
1455 Impressions
5 Retweets
18 Likes
6 Bookmarks
0 Replies
1 Quote
A Chinese-affiliated threat actor called UNC6384 targeted European diplomats in Belgium, Hungary, and other European Member States in September and October 2025. They abused a zero-day vulnerability (CVE-2025-9491) to execute arbitrary code remotely on targeted Windows systems. h
@techazin
4 Nov 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ China-linked hackers (UNC6384) exploit unpatched Windows flaw CVE-2025-9491 to spy on EU diplomats. Attacks use malicious LNK files to deploy PlugX RAT. Microsoft has declined to patch the vulnerability. #CyberEspionage #ZeroDay #PlugX 🔗 https://t.co/Vjmudyp50H
@NetSecIO
4 Nov 2025
71 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
I always thought this was a normal feature.😅 The CVE-2025-9491 vulnerability exists in the way Windows handles .LNK (shortcut) files. Attackers can embed malicious command-line parameters in the "Target" field of the LNK file and pad them with spaces or other characters to hide
@blackorbird
4 Nov 2025
15169 Impressions
8 Retweets
53 Likes
18 Bookmarks
6 Replies
2 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
4 Nov 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
China-linked group Mustang Panda used a Windows .LNK zero-day (CVE-2025-9491) to spear-phish European diplomats and drop PlugX, researchers warn. Stay vigilant. TechRadar+1 #CyberSecurity #MustangPanda #ZeroDay #PlugX #DeepThreat #InfoSec #DigitalDiplomacy https://t.co/HrhOxhX0Y
@ProgresiveRobot
3 Nov 2025
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼️#Exploited #Microsoft: active exploitation detected of the 0-day vulnerability CVE-2025-9491, of type #RCE. Risk: 🔴 Type 🔸 Remote Code Execution 🔗 https://t.co/Fv7bkqz6Hi ⚠️ Mitigations available https://t.co/sCTzlT2O5W
@Vulcanux_
3 Nov 2025
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#UNC6384 exploits LNK vulnerability CVE-2025-9491 to deliver CanonStager and PlugX to European diplomatic targets. Infection uses crafted LNKs that run PowerShell, DLL side loading of CanonStager, and encrypted PlugX payloads for RCE, data exfiltration and plugin based extension.
@MeridianEU
3 Nov 2025
84 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Cyber Alert‼️ Windows Zero-Day Exploit Actively Abused in Diplomatic Attacks. No Patch Available Yet. Chinese group UNC6384 exploited an unpatched Windows zero-day (CVE-2025-9491) to target EU diplomats via spearphishing in September–October 2025. Victims downloaded
@H4ckmanac
3 Nov 2025
28857 Impressions
104 Retweets
279 Likes
82 Bookmarks
13 Replies
4 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
3 Nov 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Urgent Warning: Exploited CVE-2025-9491 Windows Flaw Leaves Millions at Risk—What You Need to Know #Azure #Cybersecurity #Enterprise #Microsoft #PatchTuesday #Security #Surface #Windows #Windows10 #Windows11 https://t.co/e7zkq5YVJ9 https://t.co/y6W1fxR8CM
@Dav3Shanahan
2 Nov 2025
70 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491) - Help Net Security https://t.co/LjrFuoA5c0
@PVynckier
2 Nov 2025
96 Impressions
2 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
2 Nov 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Nation-state groups boost attacks: Sandworm uses LNK exploit & OpenSSH backdoor targeting Belarus military; China-linked UNC6384 exploits CVE-2025-9491; multiple zero-days and regulatory shifts also reported. #Belarus #Lanscope #WSUS https://t.co/bBKR6oh1r2
@TweetThreatNews
2 Nov 2025
224 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A Windows zero-day vulnerability CVE-2025-9491 is actively exploited by Mustang Panda to target European diplomats using spearphishing with PlugX, Ursnif, Gh0st RAT, and Trickbot malware. #CVE2025-9491 #MustangPanda #Europe https://t.co/dzmw2IFGQa
@TweetThreatNews
2 Nov 2025
147 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 China-Linked Cyber Attacks Target Europe A China-affiliated threat actor, UNC6384, is exploiting an unpatched Windows shortcut flaw (CVE-2025-9491) in a cyber espionage campaign against European diplomatic and government entities . https://t.co/8cWxGvDw36
@NetiNeti24
1 Nov 2025
59 Impressions
0 Retweets
0 Likes
1 Bookmark
1 Reply
0 Quotes
🔴 CVE-2025-9491: Windows LNK Flaw Exploited Since 2017—Microsoft Won't Patch CVE-2025-9491 (aka ZDI-CAN-25373) is a Windows LNK file vulnerability that state actors have quietly exploited since at least 2017. The technique is elegant: attackers embed command-line arguments
@the_c_protocol
1 Nov 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🛑 Beware! The CVE-2025-9491 bug is like that sneaky roommate—exploiting Windows shortcuts and making itself at home! No patch in sight! 🕵️♂️ #WindowsForum #SecurityAlert #TechHumor https://t.co/Z46mtHcPjl
@windowsforum
1 Nov 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The China-backed hacker group UNC6384 has, since September, been running a cyber-espionage campaign against European diplomatic institutions in Hungary and Belgium. The attacks use a new Windows vulnerability, CVE-2025-9491 https://t.co/X3ZpqjBuKM
@grigaliunas
1 Nov 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️New day, old trick: LNKs carrying PlugX, now with CVE-2025-9491 (UI misrep) for stealth. Do this today: block external .lnk, enforce MOTW, enable ASR “Block Win32 API calls from Office macros,” and hunt for suspicious rundll32 / PowerShell spawned. #Windows #APT #Plug
@Wh1teCoon
1 Nov 2025
283 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
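The hunting step from the post above, worked through as an added example (not the poster's code or any vendor's detection rule): score constructed process-creation events shaped like Sysmon Event ID 1 for a script host spawned directly by explorer.exe whose command line carries a long whitespace run or hidden-window switches. The field names, the 32-character run threshold and the premise that the shortcut's padded argument string is passed through unchanged to the child's command line are assumptions.

```python
"""Hunt process-creation telemetry for script hosts launched from a padded .LNK.

Added example, not from this page or any vendor product.  The events below are
constructed to resemble Sysmon Event ID 1 fields (ParentImage, Image,
CommandLine); the field names, the 32-character threshold and the rule itself
are assumptions, as is the premise that the padded argument string from the
shortcut reaches the child process's command line.
"""
import re

SHELL_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}
PADDING_RUN = re.compile(r"[ \t\r\n\x0b\x0c]{32,}")
HIDDEN_SWITCHES = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+h(?:idden)?|nop(?:rofile)?|e(?:nc|ncodedcommand)?\s)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the reasons an event looks like LNK-launched tradecraft (empty if none)."""
    reasons = []
    cmd = event.get("CommandLine", "")
    if basename(event["ParentImage"]) in SHELL_PARENTS and basename(event["Image"]) in SCRIPT_HOSTS:
        reasons.append("script host spawned directly by the shell")
    m = PADDING_RUN.search(cmd)
    if m:
        reasons.append(f"{len(m.group())}-char whitespace run in command line")
    if HIDDEN_SWITCHES.search(cmd):
        reasons.append("hidden-window / no-profile / encoded switch")
    return reasons


def hunt(events: list) -> list:
    """Keep events that pair a shell-spawned script host with at least one other signal."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2 and reasons[0].startswith("script host"):
            hits.append({"ProcessId": ev["ProcessId"], "reasons": reasons})
    return hits


# Constructed sample telemetry, not real logs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # user double-clicked a padded shortcut: 300 spaces before the hidden switches
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f'"{PS}" ' + " " * 300 + '-w hidden -nop -c "Start-Process .\\stage2.exe"'},
    # ordinary document open
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": '"C:\\Windows\\System32\\notepad.exe" notes.txt'},
    # scheduled script run from cmd.exe, not from the shell
    {"ProcessId": 4211, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": f'"{PS}" -File C:\\scripts\\backup.ps1'},
    # analyst opening an interactive PowerShell from the Start menu
    {"ProcessId": 4260, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f'"{PS}"'},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["ProcessId"], "; ".join(hit["reasons"]))
```

Only the first event is returned: the shell-spawned PowerShell alone (event 4260) is normal user behaviour, and the padded run or the hidden-window switch is what tips it over. In production the same logic would run over Sysmon or EDR process-creation events rather than the constructed list here.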
Actively exploited CVE : CVE-2025-9491
@transilienceai
1 Nov 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
The China-linked hacker group UNC6384 is targeting European diplomatic organizations. Attacks combining exploitation of the CVE-2025-9491 vulnerability with sophisticated phishing have been confirmed in espionage activity in Hungary and Belgium. Arctic
@yousukezan
31 Oct 2025
1191 Impressions
2 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
📰 This week’s cybersecurity recap covers the 183M “super breach” exposing massive email-password databases, the ongoing exploitation of CVE-2025-9491 via malicious Windows shortcuts and DLL side-loading, and a sharp uptick in automated PHP and IoT botnet activity. Stay a
@ThreatHunter_AI
31 Oct 2025
78 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491) https://t.co/zlY3NOO7aW
@TheCyberSecHub
31 Oct 2025
668 Impressions
3 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
Chinese group exploits a Windows zero-day to attack European diplomats: a China-linked group uses vulnerability CVE-2025-9491 in LNK files to spread the PlugX trojan, targeting diplomatic entities in Europe and expanding its attacks with no official patch available. https://t.co/U
@caveiratech
31 Oct 2025
10 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:10.0.22631.4169:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "1B2FB7AE-6AE3-463A-BFBC-90A5D1B85869"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]