Remote Code Execution Vulnerability in Microsoft Windows LNK File Handling
CVE-2025-9491

7 HIGH

Key Information:

Vendor: Microsoft

Status
Vendor
CVE Published: 26 August 2025

Badges

💰 Ransomware | 👾 Exploit Exists | 📰 News Worthy

What is CVE-2025-9491?

CVE-2025-9491 is a critical remote code execution vulnerability in the Microsoft Windows operating system, specifically in the handling of LNK (link) files. It enables remote attackers to execute arbitrary code on affected systems. Exploitation requires user interaction: the target must either visit a malicious webpage or open a compromised LNK file for the attack to succeed. The flaw lies in how the Windows user interface processes .LNK files, where malicious content can be crafted so that it is obscured from the user. Users may therefore inadvertently execute harmful code, believing they are opening benign files. This can give an attacker unauthorized control over the user's system, with severe implications for organizational security.

Potential impact of CVE-2025-9491

  1. Unauthorized Code Execution: Attackers can leverage this vulnerability to execute arbitrary code with the same privileges as the current user. This exposure allows for significant manipulation of the system, such as installing malware or stealing sensitive information.

  2. Data Breaches: By exploiting this vulnerability, attackers may gain access to confidential data stored on the system. This can lead to data loss, theft, or unauthorized disclosure of information, potentially impacting customer trust and compliance with data protection regulations.

  3. Wider System Compromise: If exploited, this vulnerability could serve as an entry point for further attacks within an organization’s network. Once an attacker gains initial access, they may escalate their privileges or move laterally through the network, potentially affecting other connected systems and increasing the scope of the security incident.

Affected Version(s)

Windows 11 Enterprise 23H2 22631.4169 x64

News Articles

New Warning As Microsoft Windows Attacks Confirmed — No Fix Available

Microsoft has no fix available, and the attacks are already underway. What Windows users need to know about CVE-2025-9491.

Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491) - Help Net Security

A Windows vulnerability (CVE-2025-9491, aka ZDI-CAN-25373) that threat actors have been leveraging since 2017 continues to be exploited.

Windows zero-day actively exploited to spy on European diplomats

A China-linked hacking group is exploiting a Windows zero-day in attacks targeting European diplomats in Hungary, Belgium, and other European nations.

CVSS V3.0

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 💰 Used in Ransomware

  • 👾 Exploit known to exist

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved
