CVE-2025-9491 Overview
CVE-2025-9491 is a user interface misrepresentation vulnerability [CWE-451] in Microsoft Windows that allows attackers to execute arbitrary code through crafted .LNK shortcut files. The flaw originates in how Windows parses and renders .LNK file metadata in the shell user interface. Attackers can embed hazardous content that remains invisible when a user inspects the file through Windows Explorer or the file properties dialog. Successful exploitation runs code in the context of the current user. The issue was reported through the Zero Day Initiative as ZDI-CAN-25373 and tracked by Microsoft under advisory ADV25258226.
Critical Impact
Attackers can disguise malicious commands inside .LNK files so the Windows UI shows benign content while arbitrary code executes when the shortcut is opened.
Affected Products
- Microsoft Windows 11 23H2 (10.0.22631.4169, x64)
- Microsoft Windows shell .LNK file handler
- Systems where users can open shortcut files received via web, email, or removable media
Discovery Timeline
- 2025-08-26 - CVE-2025-9491 published to the National Vulnerability Database
- 2025-11-05 - Last updated in the NVD database
- Reported through the Zero Day Initiative as ZDI-CAN-25373 (advisory ZDI-25-148)
Technical Details for CVE-2025-9491
Vulnerability Analysis
The vulnerability is classified as User Interface Misrepresentation of Critical Information [CWE-451]. Windows parses .LNK shortcut files to display target paths, arguments, and icons in the shell. Crafted padding, whitespace, or control characters in the .LNK structure cause the rendering logic to truncate or hide the actual command line shown to the user. An analyst inspecting the shortcut through the standard Windows properties dialog sees only safe-looking content while the embedded command stays active on execution.
The attack is local in nature but commonly delivered remotely. Adversaries package .LNK files inside ZIP archives, ISO mounts, or phishing attachments. When the target double-clicks the shortcut, the hidden arguments invoke cmd.exe, powershell.exe, or other living-off-the-land binaries with attacker-supplied parameters.
Root Cause
The root cause is improper sanitization of display strings derived from the .LNK file structure. Windows trusts embedded length fields and string padding when rendering the command line, allowing crafted entries to push malicious arguments outside the visible area of the UI. The mismatch between what the parser displays and what the loader executes produces the misrepresentation.
Attack Vector
Exploitation requires user interaction. A target must open or execute a malicious .LNK file delivered through a webpage, email attachment, removable drive, or shared network location. No elevated privileges are needed because the payload runs with the current user's permissions. The vulnerability has been observed in real-world phishing tradecraft involving shortcut-based loaders.
No verified public proof-of-concept code is available. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-148 and the Microsoft Security Advisory ADV25258226.
Detection Methods for CVE-2025-9491
Indicators of Compromise
- .LNK files with unusually large COMMAND_LINE_ARGUMENTS fields padded with whitespace, null bytes, or non-printable characters
- Shortcut files invoking cmd.exe, powershell.exe, mshta.exe, rundll32.exe, or wscript.exe with arguments hidden from the Windows properties dialog
- Sample hash referenced by VirusTotal: a55789d49c395a9b16cb56b0544266d9ecee409fa3c5fead8082f28c2aff4e76
- Process trees showing explorer.exe spawning script interpreters shortly after archive extraction or removable media access
Detection Strategies
- Parse .LNK files from email gateways, web proxies, and endpoints to extract the raw COMMAND_LINE_ARGUMENTS and compare it to the value rendered by IShellLinkW
- Flag shortcuts whose argument length exceeds the visible character count in the Windows shell by a meaningful margin
- Hunt for explorer.exe parent processes launching interpreters with encoded or obfuscated parameters
Monitoring Recommendations
- Enable Sysmon Event ID 1 and Event ID 11 to capture process creation and .LNK file writes in user-writable paths such as %TEMP%, %APPDATA%, and Downloads
- Audit removable media insertion events and correlate with subsequent shortcut execution
- Monitor Microsoft Defender SmartScreen and Mark-of-the-Web (MOTW) bypass events on downloaded archives that contain .LNK files
How to Mitigate CVE-2025-9491
Immediate Actions Required
- Apply the guidance in Microsoft Security Advisory ADV25258226 and install updates as they are released for affected Windows builds
- Block inbound .LNK files at email gateways and web proxies, especially when delivered inside ZIP, RAR, ISO, IMG, or VHD containers
- Restrict execution of .LNK files from %TEMP%, Downloads, and removable drives using AppLocker or Windows Defender Application Control
Patch Information
Microsoft tracks remediation guidance under advisory ADV25258226. Refer to the Microsoft Security Response Center advisory for the current list of cumulative updates that address the misrepresentation in the .LNK parser. Confirm that affected hosts, including Windows 11 23H2 builds at or below 10.0.22631.4169, receive the relevant servicing stack and security updates.
Workarounds
- Enable "Show file extensions for known file types" and configure Group Policy to display the full command line of shortcut targets when previewing
- Use Attack Surface Reduction (ASR) rules to block Office and script engines from spawning child processes typically chained from malicious shortcuts
- Train users to inspect .LNK files only inside isolated sandboxes when received from untrusted sources
# Block .LNK files originating from the internet using PowerShell and Windows Defender ASR
Set-MpPreference -AttackSurfaceReductionRules_Ids `
d4f940ab-401b-4efc-aadc-ad5f3c50688a `
-AttackSurfaceReductionRules_Actions Enabled
# Remove the Mark-of-the-Web bypass by enforcing MOTW propagation for archive extraction
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' `
-Name 'SaveZoneInformation' -Value 1 -PropertyType DWord -Force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

