
Microsoft quietly patched a critical Windows vulnerability that hackers have been exploiting for nearly eight years.
The flaw, tracked as CVE-2025-9491, allowed cybercriminals to hide malicious commands from users inspecting files through Windows’ standard interface—but the tech giant never officially announced the fix.
For eight years, Windows users unknowingly lived with a security hole that nation-states exploited daily. State-sponsored hacking groups from China, Iran, North Korea, and Russia weaponized this Windows shortcut vulnerability since 2017. Trend Micro’s Zero Day Initiative discovered that 11 different government-backed teams actively exploited the security hole, turning what should have been harmless shortcut files into dangerous attack vectors.
The vulnerability affected how Windows displays .LNK (shortcut) files, enabling attackers to craft malicious shortcuts that appeared completely safe when users checked their properties. Security researchers identified nearly 1,000 malicious shortcut files exploiting this flaw across offensive campaigns dating back eight years.
Microsoft’s dismissal of active threats
Microsoft’s response to this vulnerability reveals a concerning pattern in how the company handles security priorities. When researchers first reported the flaw, Microsoft initially claimed it “does not meet the bar for immediate servicing” and planned to address it in a future release rather than through emergency updates.
The flaw was deceptively simple: Windows only showed users the first part of malicious commands, hiding the dangerous parts that came after. Security firm 0patch explained that while .LNK files can contain extremely long Target arguments, the Properties dialog only shows the first 260 characters, silently hiding everything else from users. Attackers could stuff malicious PowerShell commands beyond that character limit, making their shortcuts appear legitimate during inspection.
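To make the truncation concrete, the following Python is an added example, not code from the article, Microsoft, 0patch or Trend Micro. It constructs a minimal shortcut, parses its StringData section following the public MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then name, relative path, working directory, arguments and icon location in that fixed order), and reports what the unpatched Properties dialog would have displayed against what the file actually carries. The sample argument string, the `cmd.exe` relative path and the 32-character whitespace-run threshold are constructed for the demonstration; the 260-character limit is the figure from the article.

```python
import re
import struct

# Constructed example, not from the article or any vendor tool.
# Layout follows the public MS-SHLLINK format: a 76-byte ShellLinkHeader, optional
# LinkTargetIDList and LinkInfo, then StringData entries in a fixed order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
VISIBLE_LIMIT = 260         # characters the unpatched Properties dialog displayed (per the article)
PADDING_RUN_THRESHOLD = 32  # assumed heuristic: real arguments rarely hold this much consecutive whitespace


def _string_data(text: str) -> bytes:
    """StringData entry: uint16 CountCharacters followed by UTF-16LE characters, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(arguments: str, relative_path: str = "..\\..\\Windows\\System32\\cmd.exe") -> bytes:
    """Construct a minimal Unicode shortcut carrying RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.

    Used here only to produce sample input; it sets no IDList, LinkInfo, timestamps or icon."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(76 - 24)
    return header + _string_data(relative_path) + _string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut, skipping the structures that precede them."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (uint16) followed by the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (uint32) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for flag, key in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                             # ANSI strings use the system code page; cp1252 is assumed here
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def inspect_lnk(data: bytes) -> dict:
    """Compare what the old Properties dialog would have shown with the full argument string."""
    args = parse_lnk(data).get("arguments", "")
    visible, hidden = args[:VISIBLE_LIMIT], args[VISIBLE_LIMIT:]
    longest_ws = max((len(run) for run in re.findall(r"\s+", args)), default=0)
    hidden_has_payload = bool(hidden.strip())   # non-whitespace content beyond the visible limit
    return {
        "arguments_length": len(args),
        "visible_preview": visible.rstrip(),     # roughly what a user inspecting the file would see
        "hidden_length": len(hidden),
        "hidden_has_payload": hidden_has_payload,
        "longest_whitespace_run": longest_ws,
        "suspicious": hidden_has_payload or longest_ws >= PADDING_RUN_THRESHOLD,
    }


if __name__ == "__main__":
    # Constructed sample: a harmless-looking prefix, 300 spaces of padding, then a tail past the limit.
    sample = build_lnk("/c echo agenda" + " " * 300 + "& echo hidden-part")
    for key, value in inspect_lnk(sample).items():
        print(f"{key}: {value!r}")
```

Run against a real shortcut with `inspect_lnk(open(path, "rb").read())`; the parser only needs the StringData fields, so it deliberately skips the IDList and LinkInfo blocks by their declared sizes rather than decoding them. The two signals worth alerting on are a non-whitespace tail past the 260th character and a long run of whitespace inside the arguments, since the second is what pushes the tail out of view in the first place.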
Mounting evidence of widespread exploitation finally forced Microsoft’s hand. The XDSpy cyber espionage group leveraged the flaw to distribute malware targeting Eastern European government entities, while Chinese-affiliated threat actors weaponized it just last month to attack European diplomatic offices with PlugX malware.
Diplomatic secrets stolen
Just a month ago, attacks demonstrated this vulnerability’s devastating potential for espionage operations. Chinese threat group UNC6384 orchestrated a sophisticated campaign against European diplomatic entities throughout September and October, exploiting CVE-2025-9491 to deliver the notorious PlugX remote access trojan.
Diplomats thought they were opening meeting agendas—instead, they were handing over state secrets. Spearphishing emails themed around legitimate diplomatic events like European Commission meetings or NATO summits contained malicious .LNK files that appeared completely benign when victims inspected them through Windows’ interface. Behind the scenes, obfuscated PowerShell commands executed automatically, extracting three key components: a legitimate Canon printer utility, a malicious DLL, and an encrypted PlugX payload.
Arctic Wolf documented these precise attacks against European diplomats during September and October. The campaign ultimately distributed PlugX through DLL side-loading techniques, with the malware establishing persistent access through registry modifications and communicating with command-and-control servers over HTTPS, enabling ongoing intelligence collection from high-value diplomatic networks across Hungary, Belgium, Serbia, Italy, and the Netherlands.
Silent service
Microsoft’s November 2025 Patch Tuesday updates quietly included the fix, though the vulnerability wasn’t listed among the 63 officially patched vulnerabilities. The company’s solution now displays the entire Target command with arguments in the Properties dialog, regardless of length—a straightforward fix that took eight years to implement.
Check Windows Update now—this fix was buried in November’s routine updates without fanfare. The implications extend far beyond this single vulnerability. Trend Micro’s research in March revealed that nearly 70% of campaigns exploiting this flaw focused on espionage and information theft across government, financial, telecommunications, and energy sectors.
Organizations must implement defensive measures immediately while ensuring systems receive the latest updates. Security experts recommend blocking known command-and-control domains, conducting threat hunting for Canon printer binaries in unusual locations, and disabling automatic resolution of .LNK files for users accessing sensitive data.