Microsoft Silently Patches Critical Windows LNK Vulnerability Exploited Since 2017

Microsoft has silently addressed a critical vulnerability, tracked as CVE-2025-9491, in its November 2025 Patch Tuesday update. This vulnerability, with a CVSS score of 7.8 (or 7.0 according to some sources), is related to a UI misinterpretation flaw in Windows Shortcut (LNK) files. The vulnerability has been actively exploited by multiple threat actors since 2017, allowing for remote code execution on affected systems. Notably, the patch for this vulnerability was developed by ACROS Security through its 0patch solution. The lack of public disclosure prior to the patch release suggests a coordinated effort to mitigate the risk of widespread exploitation. This vulnerability underscores the ongoing challenge of managing and patching long-standing flaws in widely used software. The exploitation of LNK files, which are commonly used for creating shortcuts, highlights the need for vigilance in handling seemingly benign file types. Cybersecurity professionals are advised to ensure that their systems are updated with the latest patches from Microsoft and to implement additional protections against the execution of untrusted LNK files. From a technical standpoint, the vulnerability likely involves a flaw in how Windows processes the metadata or references within LNK files. When a user opens a malicious LNK file, the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user. This could lead to system compromise, data theft, or further malware deployment. The decision to patch this vulnerability silently, without prior public disclosure, is a common practice to prevent attackers from developing exploits before a patch is available. However, it also means that organizations may not be aware of the risk until after the patch is released. For cybersecurity professionals, this incident serves as a reminder of the importance of keeping systems up-to-date and monitoring for unusual activity involving common file types like LNK files. Additionally, implementing least-privilege principles and restricting the execution of files from untrusted sources can help mitigate the risk of similar vulnerabilities. In conclusion, the patching of CVE-2025-9491 is a significant development in the ongoing battle against cyber threats. It highlights the need for constant vigilance and proactive measures to protect against both known and unknown vulnerabilities.