Microsoft has changed how Windows displays information inside shortcut files after researchers confirmed that multiple hacking groups were exploiting a long-standing weakness in Windows Shell Link (.lnk) files to spread malware in real attacks.
The vulnerability, CVE-2025-9491, pertains to how Windows accesses and displays the "Target" field of a shortcut file. The attackers found that they could fill the Target field with big sets of blank spaces, followed by malicious commands. When a user looks at a file's properties, Windows only displays the first part of that field. The malicious command remains hidden behind whitespace, making the shortcut seem innocuous.
These types of shortcuts are usually distributed inside ZIP folders or other similar archives, since many email services block .lnk files outright. The attack relies on persuasion: Victims must willingly open the shortcut for the malware to gain an entry point on the system. When opened, the hidden command can install additional tools or create persistence.
Active Exploitation by Multiple Threat Groups
Trend Micro researchers documented in early 2025 that this trick was already being used broadly. Several state-backed groups and financially motivated actors had adopted the method to deliver a range of malware families, from remote access trojans to banking trojans. Later, Arctic Wolf Labs also observed attempts to use the same technique against diplomats in parts of Europe, where attackers used the disguised shortcut files to drop remote access malware.
The campaigns followed a familiar pattern. Victims received a compressed folder containing what looked like a legitimate document or utility. Inside sat a shortcut that looked ordinary but actually executed a concealed command once it was opened.
Microsoft introduces a quiet mitigation
Although Microsoft first said the bug did not meet the criteria for out-of-band servicing because it required user interaction, the company nonetheless issued a silent fix via standard Windows patching. With the patches in place, Windows now displays the full Target field in a shortcut's properties window instead of truncating the display after about 260 characters.
This adjustment does not automatically remove malicious arguments inside a shortcut, nor does it pop up with a special warning when an unusually long command is present. It merely provides full visibility to users, which may make suspicious content more easily identifiable for the more cautious users.
When questioned about the reason for the change, Microsoft repeated its long-held guidance: users shouldn't open files from unknown sources and should pay attention to its built-in security warnings.
Independent patch offers stricter safeguards
Because Microsoft's update is more a matter of visibility than enforcement, ACROS Security has issued an unofficial micropatch via its 0patch service. The update its team released limits the length of Target fields and pops up a warning before allowing a potentially suspicious shortcut to open. This more strict treatment, according to the group, would block the vast majority of malicious shortcuts seen in the wild.
This unofficial patch is now available to 0patch customers using various versions of Windows, including editions that are no longer officially supported.
How users can protect themselves
Users and organizations can minimize the risk by refraining from taking shortcuts coming from unfamiliar sources, especially those that are wrapped inside compressed folders. Security teams are encouraged to ensure Windows systems are fully updated, apply endpoint protection tools, and treat unsolicited attachments with care. Training users to inspect file properties and avoid launching unexpected shortcut files is also a top priority.
However, as the exploitation of CVE-2025-9491 continues to manifest in targeted attacks, the updated Windows behavior, user awareness, and security controls are layered together for the best defense for now.
