Microsoft “Mitigates” Windows LNK Flaw Exploited as Zero-Day
www.bleepingcomputer.com/news/micr…

Microsoft has quietly implemented a mitigation for a high-severity Windows LNK vulnerability exploited as a zero-day by multiple state-aligned and cybercriminal groups. Tracked as CVE-2025-9491, the flaw enables attackers to embed malicious commands inside Windows Shell Link (.lnk) files, allowing malware deployment and persistence. Successful attacks still require user interaction, typically by enticing victims to open weaponized LNK files delivered in ZIP or similar archives.

The vulnerability arises from how Windows parses and displays LNK files. Threat actors abuse this behaviour by padding the Target field with whitespace to conceal malicious command-line arguments, enabling code execution while evading detection.

ACROS Security CEO and 0patch co-founder Mitja Kolsek observed that Microsoft altered LNK file handling in November’s updates, allowing users to view all characters in the Target field rather than truncating at 260 characters. While this change increases visibility, it does not remove malicious arguments or provide warnings to users when opening LNK files with extended Target strings. As a result, the underlying risk remains only partially mitigated.
Edward Kiledjian (@ekiledjian)
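As an added defender-side example, not code from the BleepingComputer article or from the post above: a minimal Python parser for the StringData section of a .lnk file (field layout and flag bits taken from Microsoft's public MS-SHLLINK specification) that flags COMMAND_LINE_ARGUMENTS strings padded with whitespace so that the real arguments sit beyond the 260-character Target display limit the post mentions. The `build_sample_lnk` helper and its `cmd.exe /c echo hello` inputs are constructed test fixtures, and the 32-character whitespace-run threshold is an assumed tuning value, not something the article specifies.

```python
import re
import struct

# Offsets, flag bits and the LinkCLSID follow Microsoft's public MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINKFLAGS_OFFSET = 0x14
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

DISPLAY_LIMIT = 260   # legacy Target-field display limit mentioned in the post
RUN_THRESHOLD = 32    # assumed tuning value: longest whitespace run tolerated inside arguments


def _read_string_data(buf, pos, unicode):
    """Read one StringData item: uint16 CountCharacters followed by that many characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        text = buf[pos:pos + 2 * count].decode("utf-16-le")
        return text, pos + 2 * count
    text = buf[pos:pos + count].decode("cp1252", errors="replace")
    return text, pos + count


def parse_lnk(buf):
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    if buf[4:20] != LINK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    (flags,) = struct.unpack_from("<I", buf, LINKFLAGS_OFFSET)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip LinkTargetIDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", buf, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[name], pos = _read_string_data(buf, pos, unicode)
    return fields


def whitespace_padding_findings(fields, limit=DISPLAY_LIMIT, run_threshold=RUN_THRESHOLD):
    """Heuristics for arguments hidden behind whitespace padding; returns a list of findings."""
    args = fields.get("arguments", "")
    if not args:
        return []
    findings = []
    path = fields.get("relative_path", "")
    visible = path + " " + args   # what the Properties dialog shows as the "Target" line
    longest_run = max((len(m.group(0)) for m in re.finditer(r"\s+", args)), default=0)
    if longest_run >= run_threshold:
        findings.append(f"whitespace run of {longest_run} characters in arguments")
    # Within the first `limit` characters only the path (or nothing) is visible: classic padding.
    if len(visible) > limit and visible[:limit].strip() == path.strip():
        findings.append(f"no argument text within the first {limit} characters of Target")
    if re.search(r"[\t\n\r\x0b\x0c]", args):
        findings.append("control whitespace (tab/newline/etc.) in arguments")
    return findings


def build_sample_lnk(relative_path, arguments):
    """Constructed fixture: minimal header plus Unicode RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    header = bytearray(HEADER_SIZE)   # timestamps, attributes, ShowCommand left zero
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, LINKFLAGS_OFFSET, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body


if __name__ == "__main__":
    for label, args in (("benign", "/c echo hello"), ("padded", " " * 300 + "/c echo hello")):
        fields = parse_lnk(build_sample_lnk("cmd.exe", args))
        print(label, whitespace_padding_findings(fields) or "clean")
```

The parser deliberately skips the IDList and LinkInfo blocks rather than interpreting them, since the padding lives in the StringData arguments; a production scanner would also resolve the target through the IDList, because a shortcut can carry a target without a RELATIVE_PATH string.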