
Microsoft quietly patches LNK vulnerability that's been weaponized for years

2025-12-04 15:00

The November Patch Tuesday fixed an age-old bug being exploited by nation-states.

By Sead Fadilpašić, published 4 December 2025

  • Microsoft’s November 2025 Patch Tuesday fixed 63 flaws, including CVE-2025-9491 in Windows LNK files
  • The bug let attackers hide malicious commands in shortcut files, enabling RCE attacks
  • Exploited since 2017 by state-sponsored groups from China, Iran, North Korea, and Russia; severity rated 7.8/10

The November 2025 Patch Tuesday cumulative update fixed a vulnerability that hackers have been exploiting for years.

On November 12, Microsoft released a patch that addressed 63 vulnerabilities. Among them was a “Microsoft Windows LNK file UI misrepresentation” vulnerability that enabled Remote Code Execution (RCE) attacks via weaponized shortcut (.LNK) files.

According to the National Vulnerability Database (NVD), “crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user.”


Abused for years

In other words, the bug lets attackers hide what the shortcut really does. When a victim right-clicks the shortcut file to check its properties, Windows hides the file’s full path and the commands it will run, making the file appear safe even when it isn’t.

The bug is now tracked as CVE-2025-9491 and has a severity score of 7.8/10 (high).
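For triage, the fields can be read straight from the file rather than from the Properties dialog. The sketch below is an added example, not code from the article or from Microsoft: it parses the StringData section of the published MS-SHLLINK format and reports how much of the argument string lies past an assumed 260-character display limit. The function names, `DISPLAY_LIMIT`, the cp1252 fallback and the sample shortcut are assumptions constructed for illustration.

```python
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the StringData fields they gate, in file order.
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
DISPLAY_LIMIT = 260  # assumption: characters a reviewer can read in the dialog


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file as full, untruncated text."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:    # LinkTargetIDList: u16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: u32 size that counts the size field too
        pos += struct.unpack_from("<I", data, pos)[0]
    # ANSI strings use the system code page; cp1252 here is an assumption.
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # length in characters
            end = pos + 2 + count * width
            if end > len(data):
                raise ValueError(f"{name} runs past end of file")
            fields[name] = data[pos + 2:end].decode(codec, errors="replace")
            pos = end
    return fields


def review_arguments(data: bytes) -> dict:
    """Report how much of the argument string lies beyond DISPLAY_LIMIT."""
    args = parse_lnk_strings(data).get("arguments", "")
    return {"length": len(args),
            "beyond_limit": max(0, len(args) - DISPLAY_LIMIT),
            "nonprintable": sum(not ch.isprintable() for ch in args)}


def build_sample(args: str) -> bytes:
    """Constructed input: a header with only HasArguments|IsUnicode set."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I16sI", 0x4C, clsid, 0x20 | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")


print(review_arguments(build_sample("--constructed " + "x" * 300)))
```

A non-zero `beyond_limit` or `nonprintable` count is a reason to read the full string from `parse_lnk_strings` before trusting the shortcut; neither is proof of abuse on its own.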

Cybercriminals turned to .LNK files years ago, when Microsoft first banned the use of macros in downloaded Office files. In more recent times, Trend Micro’s Zero Day Initiative (ZDI) reported that the bug was being weaponized by 11 state-sponsored groups from China, Iran, North Korea, and Russia, who were using it for cyber-espionage, data theft, and fraud, apparently since 2017.

At first, Microsoft did not want to fix it, telling The Hacker News it wasn’t that big of a deal. It also said that the .LNK format is blocked in Outlook, Word, Excel, PowerPoint, and OneNote, and that anyone who tried running these files would get a warning not to open documents from unknown sources.


However, since multiple cybersecurity companies warned about the abuse, and pointed out that state-sponsored attackers were using the bug too, Microsoft decided to fix it.

Via The Hacker News
