CVE-2025-9491: Windows LNK Flaw Exploited Since 2017—Microsoft Won't Patch
Category: Vulnerabilities / Microsoft
CVE-2025-9491 (aka ZDI-CAN-25373) is a Windows LNK file vulnerability that state actors have quietly exploited since at least 2017. The technique is elegant: attackers embed command-line arguments in LNK Target fields but pad them with whitespace, pushing malicious commands beyond visible UI bounds—users inspecting properties see only benign targets. UNC6384 recently leveraged this against European diplomatic entities in September-October 2025, deploying PlugX RAT via DLL side-loading through legitimate signed Canon utilities. What's interesting: ZDI disclosed this to Microsoft in September 2024 with evidence of exploitation by North Korean, Iranian, Russian, and Chinese groups—but Microsoft decided it doesn't meet the bar for servicing. Their response relies on Defender and Smart App Control rather than fixing the root cause.
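The padding trick described above leaves a structural fingerprint that a parser can catch even though the Properties dialog hides it. The following is an added detection example, not code from the article or from any vendor; it walks the public MS-SHLLINK layout (header, optional LinkTargetIDList and LinkInfo, then the fixed-order StringData fields), measures whitespace runs in COMMAND_LINE_ARGUMENTS, and reports what the shell would actually execute once the padding is stripped. The 16-character threshold and the `build_fixture` helper that produces a minimal, benign test file are assumptions made for this example.

```python
"""Flag .lnk files whose command-line arguments hide behind whitespace padding.
Added detection example following the public MS-SHLLINK format; the threshold
and test fixture below are assumptions, not values from the article."""
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK section 2.1)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order when their flag is set.
STRING_SECTIONS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed threshold: no legitimate argument string needs this much whitespace.
PADDING_THRESHOLD = 16


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file as a dict of str."""
    if (len(data) < LNK_HEADER_SIZE
            or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + IDList
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_SECTIONS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)  # characters, no terminator
        off += 2
        if unicode:
            fields[name] = data[off:off + count * 2].decode("utf-16-le", errors="replace")
            off += count * 2
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def assess_padding(arguments: str) -> dict:
    """Measure whitespace padding and recover what would really be executed."""
    stripped = arguments.lstrip()                 # str.lstrip() covers Unicode spaces too
    leading = len(arguments) - len(stripped)
    runs = [len(m.group()) for m in re.finditer(r"\s+", arguments)]
    longest = max(runs, default=0)                # padding may also sit mid-string
    return {
        "leading_whitespace": leading,
        "longest_whitespace_run": longest,
        "padded": longest > PADDING_THRESHOLD,
        "effective_arguments": " ".join(arguments.split()),
    }


def scan_lnk(data: bytes) -> dict:
    """Parse a .lnk and return the padding assessment plus the visible target."""
    fields = parse_lnk_strings(data)
    result = assess_padding(fields.get("arguments", ""))
    result["target"] = fields.get("relative_path", "")
    return result


def build_fixture(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture (assumption): a minimal Unicode .lnk carrying only
    RelativePath and Arguments, with no IDList or LinkInfo, to exercise the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # attributes, timestamps, etc. zeroed
    body = b""
    for s in (relative_path, arguments):
        enc = s.encode("utf-16-le")
        body += struct.pack("<H", len(enc) // 2) + enc
    return header + body + b"\x00\x00\x00\x00"     # TerminalBlock ends ExtraData


if __name__ == "__main__":
    sample = build_fixture("..\\notepad.exe", " " * 300 + "benign.txt")
    print(scan_lnk(sample))
```

On a real host the same `scan_lnk` can be run over e-mail attachment quarantine, download folders or Startup directories; a hit should be triaged by reading `effective_arguments`, since that string, not the one shown in the Target box, is what the shell receives.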
CORTEX Protocol Intelligence Assessment
This is textbook User Interface Misrepresentation (CWE-451). The attack is clever—malicious arguments padded to hide beyond the UI window. UNC6384's recent campaign used obfuscated PowerShell that extracts and deploys multi-stage malware chains, culminating in PlugX deployment within legitimate signed processes. What's notable: Microsoft acknowledged the report and the widespread exploitation evidence but won't patch. ZDI disclosed in Sept 2024; no fix coming.
Strategic Intelligence Guidance
- Exploited since 2017 by multiple state-sponsored groups (DPRK, Iran, Russia, China)
- Recent campaign: UNC6384 targeting European diplomatic entities Sept-Oct 2025
- Attack vector: malicious LNK files with whitespace-padded command arguments
- Payload delivery: PlugX RAT via DLL side-loading using legitimate Canon utilities
- Microsoft stance: acknowledged but won't patch, relies on Defender mitigations
Intelligence Source: Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491) | Nov 1, 2025