Microsoft quietly issued a fix for a long-exploited Windows zero-day vulnerability in its November security updates, closing a loophole that experts say enabled state-sponsored hacking groups from China, Iran, North Korea and Russia to conduct espionage and financial attacks for years. The flaw, CVE-2025-9491, affected the Windows LNK shortcut format, allowing attackers to embed hidden commands inside seemingly harmless files. As organisations search for information on the "Windows LNK vulnerability patch" and "Microsoft zero-day fix," security teams are racing to implement safeguards before additional attacks surface.
Trend Micro's Zero Day Initiative first detailed the threat publicly on 18 March 2025 after identifying nearly 1,000 malicious shortcut files used across 60 countries. The vulnerability stemmed from a UI handling issue that allowed attackers to hide PowerShell or batch commands beyond the first 260 characters of the LNK Target field. Because Windows displayed only the beginning of the field, malicious commands remained invisible even to trained users. Many shortcuts were disguised as documents inside ZIP files, allowing phishing campaigns to bypass email filters.
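The padding trick described above leaves a measurable trace in the file itself: the COMMAND_LINE_ARGUMENTS string of the shell link carries an unusually long run of whitespace followed by the real command. The following triage scanner is an added example written for this article; it is not code from Microsoft, Trend Micro or Arctic Wolf. It parses the documented MS-SHLLINK layout (ShellLinkHeader, optional IDList and LinkInfo, then the StringData fields) and flags arguments whose visible portion is padding. The 260-character display limit comes from the article; the 64-character padding threshold, the `build_sample_lnk` fixture builder and the sample files are constructed assumptions for the demonstration.

```python
"""Triage scanner for .lnk files whose command line is hidden behind whitespace.

Added example, not from the article or any vendor. Parses ShellLinkHeader,
skips LinkTargetIDList / LinkInfo if present, reads the StringData fields,
and flags COMMAND_LINE_ARGUMENTS that push the real command past the part
of the Target field a user would see.
"""
import struct
import uuid
from dataclasses import dataclass

# LinkCLSID as stored on disk (little-endian GUID layout)
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

DISPLAY_LIMIT = 260  # characters of Target the dialog showed (from the article)
PAD_RUN_MIN = 64     # assumed: a whitespace run this long is treated as padding


@dataclass
class LnkFinding:
    args: str
    args_length: int
    longest_whitespace_run: int
    hidden_command: str  # non-whitespace content after the padding run
    suspicious: bool


def _read_string(data: bytes, offset: int, unicode: bool):
    """Read one StringData entry: CountCharacters (u16) then the characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        end = offset + 2 * count
        return data[offset:end].decode("utf-16-le"), end
    end = offset + count
    return data[offset:end].decode("latin-1"), end


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    # StringData entries appear in this fixed order when their flag is set
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], offset = _read_string(data, offset, unicode)
    return fields


def longest_whitespace_run(s: str) -> tuple:
    """Return (length, end_index) of the longest whitespace run in s."""
    best_len = best_end = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if ch.isspace() else 0
        if run > best_len:
            best_len, best_end = run, i + 1
    return best_len, best_end


def analyse_lnk(data: bytes) -> LnkFinding:
    """Flag a link whose arguments are padded so the command sits past the limit."""
    args = parse_lnk_strings(data).get("arguments", "")
    run_len, run_end = longest_whitespace_run(args)
    hidden = args[run_end:].strip() if run_len >= PAD_RUN_MIN else ""
    suspicious = len(args) > DISPLAY_LIMIT and run_len >= PAD_RUN_MIN and bool(hidden)
    return LnkFinding(args, len(args), run_len, hidden, suspicious)


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: minimal Unicode link with RELATIVE_PATH and arguments only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = 1
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments)


# Constructed samples: a plain shortcut and one with 300 spaces before the command
SAMPLE_HIDDEN = "/c echo CONSTRUCTED-HIDDEN-COMMAND"
SAMPLE_BENIGN_LNK = build_sample_lnk("..\\Windows\\System32\\notepad.exe", "report.txt")
SAMPLE_PADDED_LNK = build_sample_lnk("..\\Windows\\System32\\cmd.exe", " " * 300 + SAMPLE_HIDDEN)

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN_LNK), ("padded", SAMPLE_PADDED_LNK)):
        f = analyse_lnk(blob)
        print(f"{label}: suspicious={f.suspicious} len={f.args_length} "
              f"pad={f.longest_whitespace_run} hidden={f.hidden_command!r}")
```

Run it over a directory of extracted ZIP attachments and the `hidden_command` field gives a responder the text the properties dialog would never have shown. The heuristic is deliberately narrow: it reports only when the arguments exceed the display limit and contain a long padding run, so ordinary shortcuts with short arguments are not flagged.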
The vulnerability carried a CVSS score of 7.8, and no supported Windows version was exempt. Threat actors used the exploit to gain initial access, deploy remote-access malware and exfiltrate data. Security analysts noted that financial institutions and government agencies were hit hardest, as disguised LNK files blended seamlessly into environments already saturated with phishing threats.
State-aligned groups moved quickly to weaponise the flaw. Trend Micro's research linked 11 state-sponsored entities to active exploitation. Chinese APT Mustang Panda targeted diplomats in Belgium and Hungary during September and October 2025 through spearphishing campaigns that delivered PlugX via Canon DLL side-loading. North Korea's Lazarus Group and Russia's APT29 incorporated LNK payloads into supply-chain compromises, while cybercrime groups such as Evil Corp and Bitter APT used the technique to deploy Trickbot ransomware across banking networks.
Arctic Wolf publicly detailed several diplomatic intrusions on 31 October 2025 and urged organisations to adopt mitigations immediately. The visibility of the threat grew after a cybersecurity analyst posting under the handle @H4ckmanac wrote on X: "Windows Zero-Day Exploit Actively Abused in Diplomatic Attacks. No Patch Available Yet."
Microsoft initially maintained that CVE-2025-9491 did not constitute a vulnerability requiring a fix, emphasising in November guidance that "Windows identifies shortcut files (.lnk) as a potentially dangerous file type... we strongly recommend heeding this warning." But as exploitation continued and pressure mounted, the company incorporated a correction into its 12 November Patch Tuesday update, which addressed 63 flaws overall. The patch forces Windows to display the full Target field, eliminating the whitespace-based deception technique.
Mitja Kolsek of ACROS Security confirmed the behavioural change on 3 December 2025, noting that Microsoft had been rolling out components of the fix to select users since June. ACROS also released a 0patch update for legacy systems that will not receive official support. Tech outlet @PetriFeed posted its own confirmation shortly after, writing: "Microsoft Patches Widely Exploited Windows LNK Zero-Day Vulnerability."