A highly advanced zero-day vulnerability has been covertly exploited for years by multiple state-sponsored hacking groups, underscoring its severe security risks. This flaw leverages Windows shortcut (.lnk) files, enabling attackers to stealthily execute malicious commands without detection.
However, Microsoft tagged it as “not meeting the bar servicing” in late September and said it wouldn’t release security updates to address it. While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend Micro is tracking it internally as ZDI-CAN-25373 and said it enables bad actors to execute arbitrary code on affected Windows systems.
Trend Micro’s experts have linked the vulnerability to cyber-espionage campaigns and data breaches targeting entities globally.
Their research reveals that since 2017, ZDI-CAN-25373 has been actively used by 11 nation-state actors from North Korea, Iran, Russia, and China. Trend Micro’s Zero Day Initiative (ZDI) has identified nearly 1,000 malicious .lnk samples exploiting this flaw, with evidence suggesting that many more remain undetected.
According to the researchers, “ZDI-CAN-25373 relates to the way Windows displays the contents of shortcut (.lnk) files through the Windows UI. By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim. Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”
Real-World Attacks
APT groups have demonstrated numerous methods of taking advantage of this vulnerability. For instance, malicious .LNK files are attached in phishing emails masquerading as legitimate documents or attachments. When opened, the malicious shortcut executes the code in silent mode.
Later, when run, these .LNK files typically download additional payloads such as keyloggers, credential stealers, or remote access tools (RATs), which grant the attackers full control of the compromised machine.
Scan immediately
The researchers said: “Organizations should immediately scan and ensure security mitigations for ZDI-CAN-25373, maintain vigilance against suspicious .lnk files, and ensure comprehensive endpoint and network protection measures are in place to detect and respond to this threat. Trend Micro customers are protected from possible attempts to exploit the vulnerability via rules and filters that were released in October 2024 and January 2025.
Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, says actively exploited vulnerabilities are usually patched within a short period of time. “It’s unusual for Microsoft to refuse to release a security patch in this situation given that it is actively being exploited by nation state groups. Microsoft should address the vulnerability immediately to manage software risk and prevent further attacks and compromises of systems throughout the world.”
In this instance, exploiting the vulnerability involves manipulating how Windows displays shortcut files by padding command-line arguments with whitespace characters, adds Jason Soroko, Senior Fellow at Sectigo. “If this method requires a chain of specific conditions or user interactions that are unlikely in everyday scenarios, Microsoft may view it as lower risk. If the ability to do this requires the attacker to elevate privileges using an endpoint compromise, I have seen Microsoft in the past express a similar viewpoint.
Microsoft Update
A Microsoft spokesperson added: “We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure. Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.