AI description
CVE-2025-9491 is a vulnerability in Microsoft Windows, specifically in how it handles .LNK (shortcut) files. The flaw, classified as a User Interface Misrepresentation of Critical Information, allows a crafted .LNK file to hide hazardous content from a user who inspects the file through the Windows UI: the malicious elements of the shortcut are rendered invisible or misleading in that interface. Exploitation requires user interaction; a remote attacker needs the target to visit a malicious page or open a malicious file. Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. The flaw has been leveraged in attacks involving spear-phishing emails containing URLs that lead to malicious LNK files, which then execute PowerShell commands to deploy malware such as the PlugX remote access trojan.
- Description: Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of .LNK files. Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25373.
- Source: zdi-disclosures@trendmicro.com
- NVD status: Modified
- Products: windows_11_23h2
CVSS 4.0
- Type: Secondary
- Base score: 4.6
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: MEDIUM
CVSS 3.1
- Type: Primary
- Base score: 7.8
- Impact score: 5.9
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity: HIGH
CVSS 3.0
- Type: Secondary
- Base score: 7
- Impact score: 5.9
- Exploitability score: 1
- Vector string: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity: HIGH
- Weakness: CWE-451 (User Interface Misrepresentation of Critical Information), source zdi-disclosures@trendmicro.com
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 4
🚨 UNC6384 Threat Intelligence Report [High] Nov 06, 2025 This report details the activities of the China-linked threat actor UNC6384, focusing on their exploitation of a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomatic entities. The report analyzes.
@transilienceai
6 Nov 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ China-linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats https://t.co/LxusyFdZ61 The APT group UNC6384 is using a previously disclosed Windows shortcut vulnerability (CVE-2025-9491) in spear-phishing campaigns aimed at diplomatic organizations in
@Huntio
5 Nov 2025
1103 Impressions
5 Retweets
15 Likes
6 Bookmarks
0 Replies
1 Quote
A Chinese-affiliated threat actor called UNC6384 targeted European diplomats in Belgium, Hungary, and other European Member States in September and October 2025. They abused a zero-day vulnerability (CVE-2025-9491) to execute arbitrary code remotely on targeted Windows systems. h
@techazin
4 Nov 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ China-linked hackers (UNC6384) exploit unpatched Windows flaw CVE-2025-9491 to spy on EU diplomats. Attacks use malicious LNK files to deploy PlugX RAT. Microsoft has declined to patch the vulnerability. #CyberEspionage #ZeroDay #PlugX 🔗 https://t.co/Vjmudyp50H
@NetSecIO
4 Nov 2025
71 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
I always thought this was a normal feature.😅 CVE-2025-9491 vulnerability exists in the way Windows handles .LNK (shortcut) files. Attackers can embed malicious command-line parameters in the "Target" field of the LNK file and pad them with spaces or other characters to hide
@blackorbird
4 Nov 2025
15169 Impressions
8 Retweets
53 Likes
18 Bookmarks
6 Replies
2 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
4 Nov 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
China-linked group Mustang Panda used a Windows .LNK zero-day (CVE-2025-9491) to spear-phish European diplomats and drop PlugX, researchers warn. Stay vigilant. TechRadar+1 #CyberSecurity #MustangPanda #ZeroDay #PlugX #DeepThreat #InfoSec #DigitalDiplomacy https://t.co/HrhOxhX0Y
@ProgresiveRobot
3 Nov 2025
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼️#Exploited #Microsoft: active exploitation detected of the 0-day vulnerability CVE-2025-9491, of type #RCE. Risk: 🔴 Type 🔸 Remote Code Execution 🔗 https://t.co/Fv7bkqz6Hi ⚠️ Mitigations available https://t.co/sCTzlT2O5W
@Vulcanux_
3 Nov 2025
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#UNC6384 exploits LNK vulnerability CVE-2025-9491 to deliver CanonStager and PlugX to European diplomatic targets. Infection uses crafted LNKs that run PowerShell, DLL side loading of CanonStager, and encrypted PlugX payloads for RCE, data exfiltration and plugin based extension.
@MeridianEU
3 Nov 2025
84 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Cyber Alert‼️ Windows Zero-Day Exploit Actively Abused in Diplomatic Attacks. No Patch Available Yet Chinese group UNC6384 exploited an unpatched Windows zero-day (CVE-2025-9491) to target EU diplomats via spearphishing in September–October 2025. Victims downloaded
@H4ckmanac
3 Nov 2025
28857 Impressions
104 Retweets
279 Likes
82 Bookmarks
13 Replies
4 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
3 Nov 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Urgent Warning: Exploited CVE-2025-9491 Windows Flaw Leaves Millions at Risk—What You Need to Know #Azure #Cybersecurity #Enterprise #Microsoft #PatchTuesday #Security #Surface #Windows #Windows10 #Windows11 https://t.co/e7zkq5YVJ9 https://t.co/y6W1fxR8CM
@Dav3Shanahan
2 Nov 2025
70 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491) - Help Net Security https://t.co/LjrFuoA5c0
@PVynckier
2 Nov 2025
96 Impressions
2 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
2 Nov 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Nation-state groups boost attacks: Sandworm uses LNK exploit & OpenSSH backdoor targeting Belarus military; China-linked UNC6384 exploits CVE-2025-9491; multiple zero-days and regulatory shifts also reported. #Belarus #Lanscope #WSUS https://t.co/bBKR6oh1r2
@TweetThreatNews
2 Nov 2025
224 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A Windows zero-day vulnerability CVE-2025-9491 is actively exploited by Mustang Panda to target European diplomats using spearphishing with PlugX, Ursnif, Gh0st RAT, and Trickbot malware. #CVE2025-9491 #MustangPanda #Europe https://t.co/dzmw2IFGQa
@TweetThreatNews
2 Nov 2025
147 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 China-Linked Cyber Attacks Target Europe A China-affiliated threat actor, UNC6384, is exploiting an unpatched Windows shortcut flaw (CVE-2025-9491) in a cyber espionage campaign against European diplomatic and government entities . https://t.co/8cWxGvDw36
@NetiNeti24
1 Nov 2025
59 Impressions
0 Retweets
0 Likes
1 Bookmark
1 Reply
0 Quotes
🔴 CVE-2025-9491: Windows LNK Flaw Exploited Since 2017—Microsoft Won't Patch CVE-2025-9491 (aka ZDI-CAN-25373) is a Windows LNK file vulnerability that state actors have quietly exploited since at least 2017. The technique is elegant: attackers embed command-line arguments
@the_c_protocol
1 Nov 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🛑 Beware! The CVE-2025-9491 bug is like that sneaky roommate—exploiting Windows shortcuts and making itself at home! No patch in sight! 🕵️♂️ #WindowsForum #SecurityAlert #TechHumor https://t.co/Z46mtHcPjl
@windowsforum
1 Nov 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The China-backed hacker group UNC6384 has been running a cyber-espionage campaign since September against European diplomatic institutions in Hungary and Belgium. The attacks use a new Windows vulnerability, CVE-2025-9491 https://t.co/X3ZpqjBuKM
@grigaliunas
1 Nov 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️New day, old trick: LNKs carrying PlugX, now with CVE-2025-9491 (UI misrep) for stealth. Do this today: block external .lnk, enforce MOTW, enable ASR “Block Win32 API calls from Office macros,” and hunt for suspicious rundll32 / PowerShell spawned. #Windows #APT #Plug
@Wh1teCoon
1 Nov 2025
283 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-9491
@transilienceai
1 Nov 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
The China-linked hacker group UNC6384 is targeting European diplomatic institutions. Attacks combining exploitation of the CVE-2025-9491 vulnerability with sophisticated phishing have been confirmed in espionage activity in Hungary and Belgium. Arctic
@yousukezan
31 Oct 2025
1191 Impressions
2 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
📰 This week’s cybersecurity recap covers the 183M “super breach” exposing massive email-password databases, the ongoing exploitation of CVE-2025-9491 via malicious Windows shortcuts and DLL side-loading, and a sharp uptick in automated PHP and IoT botnet activity. Stay a
@ThreatHunter_AI
31 Oct 2025
78 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491) https://t.co/zlY3NOO7aW
@TheCyberSecHub
31 Oct 2025
668 Impressions
3 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
Chinese group exploits Windows zero-day to attack European diplomats: A China-linked group is using the CVE-2025-9491 vulnerability in LNK files to spread the PlugX trojan, targeting diplomatic entities in Europe and expanding its attacks while no official patch is available. https://t.co/U
@caveiratech
31 Oct 2025
10 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 China-backed hackers exploited an unpatched Windows shortcut bug to breach European diplomats. UNC6384 used fake “EU Commission” and NATO meeting invites to plant PlugX malware (CVE-2025-9491) — still unpatched by Microsoft. Full story ↓ https://t.co/ywalIVK8qM
@TheHackersNews
31 Oct 2025
10076 Impressions
30 Retweets
71 Likes
16 Bookmarks
1 Reply
1 Quote
Arctic Wolf has confirmed that the China-linked hacker group UNC6384 (also known as Mustang Panda) is exploiting the unpatched Windows shortcut vulnerability CVE-2025-9491 to attack European diplomatic targets.
@yousukezan
31 Oct 2025
1400 Impressions
3 Retweets
8 Likes
3 Bookmarks
0 Replies
0 Quotes
CVE-2025-9491 Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability https://t.co/hRWBeSge9h
@VulmonFeeds
26 Aug 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-9491 Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected in… https://t.co/zQ32L2xrNe
@CVEnew
26 Aug 2025
297 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:10.0.22631.4169:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "1B2FB7AE-6AE3-463A-BFBC-90A5D1B85869"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]