Remote Code Execution Vulnerability in Microsoft Windows LNK File Handling
CVE-2025-9491
What is CVE-2025-9491?
CVE-2025-9491 is a critical remote code execution vulnerability in the Microsoft Windows operating system, specifically in its handling of LNK (shortcut) files. It allows a remote attacker to execute arbitrary code on an affected system. Exploitation requires user interaction: the target must visit a malicious web page or open a crafted LNK file for the attack to succeed. The flaw lies in how the Windows user interface processes .LNK files, which lets malicious content be crafted so that it is hidden from the user. A user may therefore run harmful code while believing they are opening a benign file, giving the attacker control over the system and creating serious consequences for organizational security.
Potential impact of CVE-2025-9491
- Unauthorized Code Execution: Attackers can leverage this vulnerability to execute arbitrary code with the same privileges as the current user. This allows significant manipulation of the system, such as installing malware or stealing sensitive information.
- Data Breaches: By exploiting this vulnerability, attackers may gain access to confidential data stored on the system. This can lead to data loss, theft, or unauthorized disclosure of information, potentially affecting customer trust and compliance with data protection regulations.
- Wider System Compromise: If exploited, this vulnerability could serve as an entry point for further attacks within an organization’s network. Once an attacker gains initial access, they may escalate privileges or move laterally through the network, potentially affecting other connected systems and increasing the scope of the incident.
Affected Version(s)
Windows 11 Enterprise 23H2 22631.4169 x64
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
Chinese hackers target Western diplomats using hard-to-patch Windows shortcut flaw
Chinese UNC6384 campaign cleverly exploits Windows .LNK vulnerability, security company finds.
2 weeks ago
Chinese hackers target European diplomatic agencies (including Italy)
Hackers from the China-linked UNC6384 group are conducting a cyberespionage campaign against European diplomatic and government agencies by exploiting a Windows vulnerability.
3 weeks ago
Chinese APT Exploits Unpatched Windows Flaw in Recent Attacks
A Chinese threat actor is exploiting an unpatched Windows shortcut vulnerability in fresh attacks targeting the diplomatic community in Europe.
3 weeks ago
Timeline
- 🟡 Public PoC available
- 📈 Vulnerability started trending
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved