Today, at Wild West Hackin' Fest, security researcher Wietze Beukema disclosed a number of vulnerabilities in Windows LNK shortcut files that allow attackers to deploy malicious payloads.
Beukema documented four previously unknown techniques for manipulating Windows LNK shortcut files to hide malicious targets from users inspecting file properties.
LNK shortcuts were introduced with Windows 95 and use a complex binary format that allows attackers to create deceptive files that appear legitimate in Windows Explorer's properties dialog but execute entirely different programs when opened.

The discovered issues exploit inconsistencies in how Windows Explorer prioritizes conflicting target paths specified across multiple optional data structures within shortcut files.
The simplest variants use forbidden Windows path characters, such as double quotes, to create seemingly valid but technically invalid paths, causing Explorer to display one target while executing another, while another variant uses non-conforming LinkTargetIDList values to execute a path other than the one displayed in the LinkInfo field.
"This results in the strange situation where the user sees one path in the Target field, but upon execution, a completely other path is executed. Due to the field being disabled, it is also possible to "disguise" any command-line arguments that are provided," Beukema said.
The most powerful technique identified involves manipulating the EnvironmentVariableDataBlock structure within LNK files. By setting only the ANSI target field and leaving the Unicode field empty, attackers can display a fake target such as "invoice.pdf" in the properties window while actually executing PowerShell or other malicious commands.
"Opening the LNK executes the "actual" target immediately, not having to open it twice. Additionally, because in this case the spoofed target is in TargetIdList and the actual target in EnvironmentVariableDataBlock, the actual target may utilise environment variables," Beukema explained.
"The target program/file/directory is completely spoofed," and "any command-line arguments are hidden," the researcher also noted, which makes detection extremely difficult for users.
This is possible because, as Beukema said, Windows Explorer handles all of these malformed LNK shortcuts forgivingly, displaying the spoofed information rather than rejecting the invalid files.
The researcher has also released "lnk-it-up," an open-source tool suite that generates Windows LNK shortcuts using these techniques for testing and can identify potentially malicious LNK files by predicting what Explorer displays versus what actually executes.

MSRC: Not a vulnerability
When Beukema submitted the EnvironmentVariableDataBlock issue to the Microsoft Security Response Center in September (VULN-162145), Microsoft declined to classify it as a security vulnerability, arguing that exploitation requires user interaction and doesn't breach security boundaries.
"These techniques do not meet the bar for immediate servicing under our severity classification guidelines as they require an attacker to trick a user into running a malicious file," a Microsoft spokesperson told BleepingComputer when asked whether the company plans to address any of the flaws.
"Microsoft Defender has detections in place to identify and block this threat activity, and Smart App Control provides an additional layer of protection by blocking malicious files from the Internet. As a security best practice, we strongly encourage customers to heed security warnings and avoid opening files from unknown sources."
Microsoft also noted that Windows identifies shortcut files (.lnk) as potentially dangerous and, when a user attempts to open a .lnk file downloaded from the Internet, automatically triggers a security warning advising users not to open files from unknown sources. Microsoft strongly recommends heeding this warning.
However, Beukema added that "there is a reason attackers still like LNK files – users quickly click through these sorts of warnings. Otherwise, CVE-2025-9491 wouldn't have been as 'successful' as it was either."
CVE-2025-9491, the security vulnerability mentioned by the researcher, is similar to the issues Beukema discovered and can be exploited to hide command-line arguments by using excessive whitespace padding. Cybercrime groups and state-backed hacking groups from North Korea, Iran, Russia, and China have been abusing this security flaw for years in zero-day attacks.
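As an added example (not from the article and not part of lnk-it-up), the following Python parser walks the MS-SHLLINK layout far enough to surface the two inconsistencies described above on the defender's side: an EnvironmentVariableDataBlock whose ANSI target is set while its Unicode target is empty, and COMMAND_LINE_ARGUMENTS padded with whitespace as in CVE-2025-9491. The function names, the 16-character padding threshold and the sample bytes are my own; `build_sample()` is a constructed fixture with placeholder paths and a zeroed CLSID, not a captured shortcut.

```python
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the EnvironmentVariableDataBlock signature (2.5.4)
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE, ENV_SIG = 0x01, 0x02, 0x80, 0xA0000001
STRING_FIELDS = (("name", 0x04), ("relpath", 0x08), ("workdir", 0x10), ("args", 0x20), ("icon", 0x40))

def parse_lnk(data):
    # Walk the .lnk layout: fixed header, optional IDList/LinkInfo, StringData, then ExtraData blocks
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C  # ShellLinkHeader is always 76 bytes
    if flags & HAS_IDLIST:  # LinkTargetIDList: 2-byte IDListSize followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:  # each string: 2-byte character count + characters, no terminator
        if flags & bit:
            nbytes = struct.unpack_from("<H", data, pos)[0] * width
            strings[name] = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + nbytes
    env = None
    while pos + 4 <= len(data):  # ExtraData: (BlockSize, BlockSignature, payload) until a size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8 or pos + size > len(data):  # TerminalBlock or truncated block
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == ENV_SIG:  # 260-byte ANSI target, 520-byte UTF-16 target
            ansi = data[pos + 8:pos + 268].split(b"\0", 1)[0].decode("latin-1")
            env = (ansi, data[pos + 268:pos + 788].decode("utf-16-le").split("\0", 1)[0])
        pos += size
    return strings, env

def spoof_indicators(data):
    # Findings an analyst should weigh before trusting the Target field that Explorer shows
    strings, env = parse_lnk(data)
    findings = []
    if env and env[0] and not env[1]:
        findings.append("env block: ANSI target only, Unicode empty; executes %r" % env[0])
    elif env and env[0] != env[1]:
        findings.append("env block: ANSI/Unicode targets disagree: %r vs %r" % env)
    args = strings.get("args", "")
    if len(args) - len(args.strip()) >= 16:  # padding pushes the real arguments out of the dialog
        findings.append("arguments padded with %d whitespace characters" % (len(args) - len(args.strip())))
    return findings

def build_sample():
    # Constructed fixture (placeholder paths, zeroed CLSID): HasArguments|IsUnicode, padded args, ANSI-only env block
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", 0x20 | IS_UNICODE) + bytes(0x4C - 0x18)
    args = "-placeholder-arg" + " " * 40
    env = struct.pack("<II", 0x314, ENV_SIG) + b"%PLACEHOLDER%\\actual.exe".ljust(260, b"\0") + bytes(520)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le") + env + bytes(4)
```

The parser does not decode the shell item IDs in LinkTargetIDList, so comparing the displayed decoy path against the env block target is left to the analyst reading the findings.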
While Microsoft initially said that CVE-2025-9491 doesn't break security boundaries and refused to fix the issue, it silently modified LNK files in June 2025 in an apparent effort to mitigate this actively exploited vulnerability.
As Trend Micro threat analysts revealed in March 2025, CVE-2025-9491 was already being widely exploited by at least 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others.
Cybersecurity firm Arctic Wolf also reported in October that the Chinese state-backed hacking group Mustang Panda was exploiting this Windows vulnerability in zero-day attacks targeting European diplomats in Hungary, Belgium, and other European countries to deploy the PlugX remote access trojan (RAT) malware.
