Skip to main content
CVE Vulnerability Database

CVE-2025-9491: Windows 11 23h2 LNK File RCE Vulnerability

CVE-2025-9491 is a remote code execution flaw in Microsoft Windows 11 23h2 involving malicious LNK files that hide hazardous content from users. This article covers the technical details, affected systems, and mitigation steps.

Updated:

CVE-2025-9491 Overview

CVE-2025-9491 is a user interface misrepresentation vulnerability [CWE-451] in Microsoft Windows that allows attackers to execute arbitrary code through crafted .LNK shortcut files. The flaw originates in how Windows parses and renders .LNK file metadata in the shell user interface. Attackers can embed hazardous content that remains invisible when a user inspects the file through Windows Explorer or the file properties dialog. Successful exploitation runs code in the context of the current user. The issue was reported through the Zero Day Initiative as ZDI-CAN-25373 and tracked by Microsoft under advisory ADV25258226.

Critical Impact

Attackers can disguise malicious commands inside .LNK files so the Windows UI shows benign content while arbitrary code executes when the shortcut is opened.

Affected Products

  • Microsoft Windows 11 23H2 (10.0.22631.4169, x64)
  • Microsoft Windows shell .LNK file handler
  • Systems where users can open shortcut files received via web, email, or removable media

Discovery Timeline

  • 2025-08-26 - CVE-2025-9491 published to the National Vulnerability Database
  • 2025-11-05 - Last updated in the NVD database
  • Reported through the Zero Day Initiative as ZDI-CAN-25373 (advisory ZDI-25-148)

Technical Details for CVE-2025-9491

Vulnerability Analysis

The vulnerability is classified as User Interface Misrepresentation of Critical Information [CWE-451]. Windows parses .LNK shortcut files to display target paths, arguments, and icons in the shell. Crafted padding, whitespace, or control characters in the .LNK structure cause the rendering logic to truncate or hide the actual command line shown to the user. An analyst inspecting the shortcut through the standard Windows properties dialog sees only safe-looking content while the embedded command stays active on execution.

The attack is local in nature but commonly delivered remotely. Adversaries package .LNK files inside ZIP archives, ISO mounts, or phishing attachments. When the target double-clicks the shortcut, the hidden arguments invoke cmd.exe, powershell.exe, or other living-off-the-land binaries with attacker-supplied parameters.

Root Cause

The root cause is improper sanitization of display strings derived from the .LNK file structure. Windows trusts embedded length fields and string padding when rendering the command line, allowing crafted entries to push malicious arguments outside the visible area of the UI. The mismatch between what the parser displays and what the loader executes produces the misrepresentation.

Attack Vector

Exploitation requires user interaction. A target must open or execute a malicious .LNK file delivered through a webpage, email attachment, removable drive, or shared network location. No elevated privileges are needed because the payload runs with the current user's permissions. The vulnerability has been observed in real-world phishing tradecraft involving shortcut-based loaders.

No verified public proof-of-concept code is available. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-148 and the Microsoft Security Advisory ADV25258226.

Detection Methods for CVE-2025-9491

Indicators of Compromise

  • .LNK files with unusually large COMMAND_LINE_ARGUMENTS fields padded with whitespace, null bytes, or non-printable characters
  • Shortcut files invoking cmd.exe, powershell.exe, mshta.exe, rundll32.exe, or wscript.exe with arguments hidden from the Windows properties dialog
  • Sample hash referenced by VirusTotal: a55789d49c395a9b16cb56b0544266d9ecee409fa3c5fead8082f28c2aff4e76
  • Process trees showing explorer.exe spawning script interpreters shortly after archive extraction or removable media access

Detection Strategies

  • Parse .LNK files from email gateways, web proxies, and endpoints to extract the raw COMMAND_LINE_ARGUMENTS and compare it to the value rendered by IShellLinkW
  • Flag shortcuts whose argument length exceeds the visible character count in the Windows shell by a meaningful margin
  • Hunt for explorer.exe parent processes launching interpreters with encoded or obfuscated parameters

Monitoring Recommendations

  • Enable Sysmon Event ID 1 and Event ID 11 to capture process creation and .LNK file writes in user-writable paths such as %TEMP%, %APPDATA%, and Downloads
  • Audit removable media insertion events and correlate with subsequent shortcut execution
  • Monitor Microsoft Defender SmartScreen and Mark-of-the-Web (MOTW) bypass events on downloaded archives that contain .LNK files

How to Mitigate CVE-2025-9491

Immediate Actions Required

  • Apply the guidance in Microsoft Security Advisory ADV25258226 and install updates as they are released for affected Windows builds
  • Block inbound .LNK files at email gateways and web proxies, especially when delivered inside ZIP, RAR, ISO, IMG, or VHD containers
  • Restrict execution of .LNK files from %TEMP%, Downloads, and removable drives using AppLocker or Windows Defender Application Control

Patch Information

Microsoft tracks remediation guidance under advisory ADV25258226. Refer to the Microsoft Security Response Center advisory for the current list of cumulative updates that address the misrepresentation in the .LNK parser. Confirm that affected hosts, including Windows 11 23H2 builds at or below 10.0.22631.4169, receive the relevant servicing stack and security updates.

Workarounds

  • Enable "Show file extensions for known file types" and configure Group Policy to display the full command line of shortcut targets when previewing
  • Use Attack Surface Reduction (ASR) rules to block Office and script engines from spawning child processes typically chained from malicious shortcuts
  • Train users to inspect .LNK files only inside isolated sandboxes when received from untrusted sources
bash
# Block .LNK files originating from the internet using PowerShell and Windows Defender ASR
Set-MpPreference -AttackSurfaceReductionRules_Ids `
    d4f940ab-401b-4efc-aadc-ad5f3c50688a `
    -AttackSurfaceReductionRules_Actions Enabled

# Remove the Mark-of-the-Web bypass by enforcing MOTW propagation for archive extraction
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' `
    -Name 'SaveZoneInformation' -Value 1 -PropertyType DWord -Force

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.