Microsoft Silently Patches Critical Windows LNK Vulnerability (CVE-2025-9491) after Initial Dismissal
December 6, 2025 – Microsoft has quietly released a patch for a critical remote code execution vulnerability in Windows (CVE-2025-9491) affecting LNK (shortcut) files, reversing an earlier decision not to address the issue. The vulnerability, first publicly disclosed in late August 2025, allows attackers to hide malicious commands within .LNK files, potentially executing code with the privileges of the current user if a victim opens the crafted shortcut.
The vulnerability came to light through research by Trend Micro and the Zero Day Initiative (ZDI-25-148), which assigned it a CVSS score of 7.0 or below. The issue centers on the way Windows processes .LNK files, enabling attackers to conceal the shortcut's real command from users who inspect the file through the operating system’s interface. User interaction – opening a malicious file or visiting a compromised webpage – is required for exploitation.
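As a defender-side illustration of the concealment the article describes (an added example, not code from Microsoft, Trend Micro, ZDI or ACROS): the hidden-command shortcuts Trend Micro reported padded the COMMAND_LINE_ARGUMENTS field with whitespace so that the Properties dialog shows nothing suspicious. The parser below reads the MS-SHLLINK header and StringData sections of an .LNK file and flags such padding; the sample shortcut is constructed inline, and the 260-character threshold is an assumption.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PADDING = " \t\n\v\f\r"
# Assumption: the shortcut Properties dialog shows only the first ~260 characters
# of the Target field, so a longer run of padding pushes the real command out of view.
HIDE_THRESHOLD = 260


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file, keyed by field name."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) precedes the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def hidden_argument_padding(data: bytes) -> int:
    """Length of the whitespace run before the first visible character of the arguments."""
    args = parse_lnk_strings(data).get("arguments", "")
    return len(args) - len(args.lstrip(PADDING))


def is_suspicious(data: bytes) -> bool:
    """Flag a shortcut whose command line is hidden behind padding in the Properties view."""
    return hidden_argument_padding(data) >= HIDE_THRESHOLD


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed minimal .LNK for testing: header plus a Unicode arguments field, nothing else."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))   # attributes, timestamps, sizes left zero
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Real shortcuts usually also carry an IDList and LinkInfo, which the parser skips by their size fields before reaching StringData.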
Initially, Microsoft downplayed the vulnerability, stating in a November 1, 2025 advisory (ADV25258226) that it was aware of the reports but had determined the issue did not meet its criteria for classification as a security vulnerability. The company cited existing protections within Microsoft Defender and Smart App Control, and recommended that users exercise caution when downloading files from unknown sources.
However, ACROS Security’s Mitja Kolsek revealed the silent patch, detailing the history of the issue in a blog post published today. Discussions regarding the vulnerability began as early as March 18, 2025, with Trend Micro’s discovery of attackers actively exploiting the technique to mask malicious commands within Windows shortcuts.
The Microsoft patch removes the ability to hide these commands. ACROS Security has also released a micropatch to block the discovered attacks, providing an additional layer of protection. Details on the micropatch and further analysis of the vulnerability are available on the 0patch blog: https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html.