Microsoft secretly issued a patch plugging the LNK file vulnerability.

Microsoft secretly issued a patch plugging the LNK file vulnerability that hackers have long used to send malware.

A type of file that is often used to send malware into the machine will not escape .LNK or Internet Shortcut files, all of which come from the vulnerability of Windows itself. After the vulnerability has been released for a long time, it is now fixed.

According to a report by The Hacker News website, Microsoft released an update during November to plug a CVE-2025-9491 code vulnerability with a serious score or CVSS Score of up to 7.8. The vulnerability is a User Interface (UI) translation vulnerability of a faulty LNK file (UI Misinterpretation). This results in hackers being able to exploit the file to fire RCE or Remote Code Execution, which will lead to taking control of the system or embedding malware. With the vulnerability, hackers can deceive victims by phishing methods. Tricked into opening such a file, which hackers can secretly hide code in "white spaces" that the victim cannot see, but runs when it opens.

The vulnerability was first detected in March by a research team from Trend Micro, a cybersecurity developer under the Zero Day Program called the Zero Day Initiative (ZDI), which, in its detection, found that the vulnerability was used by up to 11 state-sponsored hackers from Russia, China, North Korea and Iran, using it for data theft, spying and looting, which has been in use since January. By 2017 (2017), such detections have been recorded under the ZDI-CAN-25373 code.

After Microsoft received the data from the project, it responded strangely that the vulnerability did not meet the minimum standards for urgent access. It also said that LNK files had been blocked from company software like Outlook, Word, Excel, PowerPoint and OneNote. It was also notified every time such file type was opened.

But then came back reports from many sources of hackers exploiting the vulnerability, whether it was used by hackers like XDSpy to release malware built on the Go language like XDigo to attack victims in Eastern Europe, and most recently in October, hackers from China used the vulnerability to release PlugX malware to attack European state organizations.

But Microsoft also confirmed that the vulnerability does not count as a vulnerability. It all depends on the user's decision. Because every software that can open the file has already notified the user that the file is from an unreliable source, so Microsoft did not release a patch. In November, Microsoft quietly issued a patch to plug the vulnerability. There was no prior notification. Even the source contacted to confirm whether Microsoft had actually updated the vulnerability. Microsoft did not confirm the patch.

# Recap 2025 # Take care of yourself # Open budget # Includes IT matters # Trending