MediumPublic exploit

Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability

IdentifiersCVE-2025-9491CWE-451· User Interface (UI)…Also known aszdi_25_148zdi_can_25373

CVE-2025-9491 is a Microsoft Windows vulnerability in the handling of .LNK shortcut files. The flaw is a UI misrepresentation issue in which crafted shortcut data can cause hazardous content—specifically malicious command-line arguments or other execution-relevant target information—to be hidden or not fully shown in the Windows-provided user interface when a user inspects the shortcut. Multiple supporting sources describe the core issue as Windows Explorer historically displaying only the first 260 characters of a shortcut Target field, allowing attackers to pad the command line with whitespace so the malicious portion remains invisible in Properties while the full command is still executed. Successful exploitation can therefore trick a user into opening what appears to be a benign shortcut, resulting in arbitrary code execution in the context of the current user. ZDI tracked the issue as ZDI-25-148 / ZDI-CAN-25373.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An attacker can achieve arbitrary code execution as the current user by convincing the victim to open a crafted .LNK file or otherwise interact with attacker-controlled content that triggers the shortcut. In observed campaigns, the flaw was used as a social-engineering and defense-evasion mechanism to conceal malicious execution chains, including PowerShell-based downloaders, DLL side-loading, and deployment of malware such as PlugX, Ursnif, Gh0st RAT, and Trickbot. The practical impact includes initial access, malware execution, persistence, espionage-oriented collection, and follow-on compromise of the victim environment, limited by the privileges of the user who launches the shortcut.

Mitigation

If you can’t patch tonight, do this now.

Until all systems are remediated, restrict or block .LNK files from untrusted sources, especially via email, archives, web downloads, and user-writable locations. Enforce Mark-of-the-Web-aware controls, Smart App Control, and Microsoft Defender protections where available. Consider email gateway blocking or sandboxing of .LNK attachments, application allow-listing, and monitoring for suspicious shortcut execution chains such as explorer.exe launching PowerShell, rundll32, mshta, or signed binaries that side-load same-directory DLLs. Hunt for unusually long LNK Target strings, excessive whitespace padding, hidden command-line arguments, and suspicious DLL loads from nonstandard directories. User awareness remains relevant because exploitation requires the victim to open or otherwise interact with the malicious shortcut.

Remediation

Patch, then assume compromise.

Apply Microsoft's fix for CVE-2025-9491 in supported Windows versions. Supporting content indicates Microsoft modified Windows shortcut behavior so the full Target command and arguments are displayed in the Properties dialog rather than truncating at 260 characters. Organizations should ensure affected Windows endpoints are updated to the vendor-corrected builds and verify that the relevant Windows updates addressing Advisory 25258226 / CVE-2025-9491 have been deployed. If vendor patching is not available for a given platform, use compensating controls such as third-party micropatching where appropriate.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2025-9491_POCMaturityPoCVerified exploit

This repository is a proof-of-concept (PoC) tool for CVE-2025-9491, a Windows UI misrepresentation vulnerability affecting .lnk (shortcut) files. The repository contains three files: a detailed README.md, the main exploit script (main.py), and a requirements.txt specifying the pylnk3 library. The main.py script is a Python tool that allows users to create new .lnk files with obfuscated (whitespace-padded) arguments, obfuscate existing .lnk files, or parse and display the contents of .lnk files. The exploit leverages the fixed-size 'Target' field in Windows shortcut properties, using whitespace padding to hide malicious command-line arguments from users inspecting the shortcut. The tool supports various padding patterns and custom character sets for obfuscation. The primary attack vector is local: the attacker must convince a user to open or inspect a malicious .lnk file, which can then execute hidden commands. The tool does not provide a remote shell or network-based payload, but enables stealthy local execution of arbitrary commands via shortcut files. The repository is well-documented and structured, with the main exploit logic contained in main.py.

AmperclockDisclosed Nov 7, 2025pythonlocal

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindows 11 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

85 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

85 SOURCESView more in app

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

Windows Shortcut (LNK) UI misinterpretation vulnerability leading to remote code execution; exploited by multiple threat actors since 2017; patched in Nov 2025 updates.

bleeping computerNews

Feb 12, 2026

Microsoft: New Windows LNK spoofing issues aren't vulnerabilities

A Windows LNK (shortcut) file spoofing/obfuscation vulnerability that can be exploited to hide command-line arguments (via excessive whitespace padding), enabling deceptive shortcuts that appear benign while executing malicious commands.

wietzebeukema nlNews

Feb 12, 2026

Trust Me, I’m a Shortcut

A Windows Explorer LNK UI deception issue where long command-line arguments in shortcut files are truncated in the Target field, enabling attackers to hide malicious arguments from users inspecting shortcut properties.

help net securityNews

Dec 8, 2025

December 2025 Patch Tuesday forecast: And it’s a wrap

A vulnerability in the handling of .LNK files in Windows, potentially allowing attackers to exploit shortcut files for malicious purposes.

+15 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence248

Every observed campaign linking this CVE to a named adversary.

Associated malware15

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity65

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-9491

NVD

nvd.nist.gov/vuln/detail/CVE-2025-9491

MITRE CWE · CWE-451

User Interface (UI) Misrepresentation of…

Third Party Advisory

zerodayinitiative.com/advisories/ZDI-25-148

msrc.microsoft.com

msrc.microsoft.com/update-guide/advisory/ADV25258226

virustotal.com

virustotal.com/gui/file/a55789d49c395a9b16cb56b0544266d9ecee409fa3c5fead8082f28c2aff4e76