Remote Code Execution Vulnerability in Microsoft Windows LNK File Handling
CVE-2025-9491
What is CVE-2025-9491?
CVE-2025-9491 is a critical remote code execution vulnerability found in the Microsoft Windows operating system, specifically related to the handling of LNK (link) files. This vulnerability poses a severe risk as it enables remote attackers to execute arbitrary code on affected systems. The exploitation of this vulnerability requires user interaction, meaning that the target must either visit a malicious webpage or open a compromised LNK file for the attack to be successful. The flaw lies within the Windows user interface's processing of .LNK files, where malicious content can be designed to be obscured from the user. Therefore, users may inadvertently execute harmful code, believing they are accessing benign files. This can lead to unauthorized control over the user's system, resulting in severe implications for organizational security.
Potential impact of CVE-2025-9491
- Unauthorized Code Execution: Attackers can leverage this vulnerability to execute arbitrary code with the same privileges as the current user. This exposure allows for significant manipulation of the system, such as installing malware or stealing sensitive information.
- Data Breaches: By exploiting this vulnerability, attackers may gain access to confidential data stored on the system. This can lead to data loss, theft, or unauthorized disclosure of information, potentially impacting customer trust and compliance with data protection regulations.
- Wider System Compromise: If exploited, this vulnerability could serve as an entry point for further attacks within an organization's network. Once an attacker gains initial access, they may escalate their privileges or move laterally through the network, potentially affecting other connected systems and increasing the scope of the security incident.
Affected Version(s)
Windows 11 Enterprise 23H2 22631.4169 x64
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Microsoft fixes Windows shortcut flaw exploited for years
Microsoft has quietly closed off a critical Windows shortcut file bug long abused by espionage and cybercrime networks. The flaw, tracked as CVE-2025-9491, allows malicious .lnk shortcut files to hide harmful...
1 week ago
Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation
Microsoft fixes the Windows LNK flaw CVE-2025-9491, a bug exploited by multiple state groups since 2017.
1 week ago
Timeline
- Public PoC available
- Vulnerability started trending
- Used in Ransomware
- Exploit known to exist
- First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved