A longstanding problem with the way Windows handles LNK shortcut files, which attackers have been abusing for years to hide malicious commands in plain sight, may finally have been fixed, with more than one patch now available to users.
The problem was that threat actors could mask a harmful payload in the Target field of an LNK file downloaded from the internet, adding whitespace padding so the payload was hidden from anyone inspecting the field.
Microsoft has been reluctant to classify the issue as a vulnerability.
“We have investigated this report and determined that it does not meet the bar for classification as a vulnerability,” Microsoft said in a November 2025 advisory. “Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the internet.”
However, third-party patch provider 0patch noted in a blog post that a recent Windows update quietly addressed the issue by forcing the Target field to display all arguments. Even so, the company said, the exploit can still succeed. It said its own micropatch offers a more effective solution.
The two fixes land after years of reported LNK file exploitation by APT groups from North Korea, Iran, Russia, and most recently by a China-linked campaign against European diplomats.
Microsoft’s patch
Windows shortcut files (.lnk) have long been a convenient hiding place for attackers because Windows Explorer only displayed the first 260 characters of the command in a shortcut’s properties. Anything appended after a long string of spaces stayed invisible to the user.
The issue is tracked as CVE-2025-9491, with security analysts assigning a high-severity CVSS rating of 7.0.
“A .lnk file structure allows the target arguments to be a very long string (tens of thousands of characters), but the ‘Properties’ dialog only shows the first 260 characters, silently cutting off the rest,” 0patch researchers said. “So it is possible to construct a .lnk file that runs a really long PowerShell or BAT script, but only the first 260 characters of it would be shown to the user who viewed its properties.” Those visible characters can be mostly whitespace, pushing the malicious part entirely out of sight.
To the victim, the .lnk file appeared to open a folder or launch a trusted application, but in reality it could execute an arbitrary script, a dropper, or a living-off-the-land command.
0patch researchers confirmed the issue was partly resolved after Microsoft quietly bundled a fix into its November Windows updates. “There was no mention of anything remotely akin to this issue among its 63 patched vulnerabilities,” the researchers said, adding that the fix was likely applied under the guise of a functional bug rather than a security vulnerability.
“Now, the ‘Properties’ dialog of a .lnk file shows the entire Target command with arguments, no matter how long it is,” the researchers added. Microsoft did not immediately respond to CSO’s request for comments.
0patch claims its patch is better
0patch has a problem with Microsoft’s patch, which it says fixes only the user-interface (visibility) part and not the underlying Windows behavior (executing a malicious command). The assumption behind Microsoft’s patch is that users can manually spot malicious commands in longer .lnk Target fields once they are fully displayed.
0patch argues that assumption is likely to fail on two counts. First, only experienced IT users can tell from inspection alone whether a Target field carries a malicious command. Second, in most legitimate cases, .lnk files with Target fields longer than 260 characters are created programmatically (through the Windows API) and are handled automatically by Windows Explorer rather than reviewed by hand.
So, Microsoft’s patch still allows a hidden malicious script to execute if the user fails to recognize and block it.
To solve this, 0patch proposes its own micropatch for versions of Windows from 7 through 11 22H2 and Windows Server from 2008 R2 through 2022. If a process opens a .lnk file through Windows Explorer and the Target field exceeds 260 characters, it simply truncates the Target to 260 characters and displays a warning that a suspicious shortcut was shortened. This both alerts the user and prevents malicious execution, and 0patch claims the fix successfully handled more than 1000 malicious shortcuts previously identified by Trend Micro.
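To make both halves of the story concrete, the following is an added example, not code from 0patch, Microsoft, CSO or any of the campaigns mentioned above. It builds a minimal shell link file following the MS-SHLLINK layout (header, then the StringData fields, where COMMAND_LINE_ARGUMENTS is prefixed by a 16-bit character count, which is why the arguments can run to tens of thousands of characters), parses the string data back out, and applies the two checks the article describes: whether the arguments run past the 260-character limit the old Properties dialog rendered, and what remains once the Target is cut at 260 characters, which is the effect of the 0patch micropatch. The relative target path, the benign stand-in payload and the 16-character whitespace-run threshold are assumptions chosen for the demonstration.

```python
"""Build and triage a minimal MS-SHLLINK (.lnk) file to show how whitespace padding in
COMMAND_LINE_ARGUMENTS hides a payload past the 260-character display limit.
Constructed example; not Microsoft's or 0patch's code."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields in on-disk order (section 2.4); each is uint16 CountCharacters + chars
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

DISPLAY_LIMIT = 260   # characters the pre-fix Properties dialog rendered
PADDING_RUN = 16      # whitespace run treated as deliberate padding (assumption)


def _string_data(text):
    """CountCharacters (uint16) followed by the UTF-16LE characters, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments, working_dir="."):
    """Minimal .lnk: header + RELATIVE_PATH, WORKING_DIR, COMMAND_LINE_ARGUMENTS.
    No IDList or LinkInfo, so the target is resolved from the relative path.
    CountCharacters is 16-bit, so arguments may be up to 65,535 characters."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII",
                         LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0,            # FileAttributes
                         0, 0, 0,      # Creation/Access/Write FILETIMEs
                         0,            # FileSize
                         0,            # IconIndex
                         1,            # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)   # HotKey, Reserved1, Reserved2, Reserved3
    body = _string_data(relative_path) + _string_data(working_dir) + _string_data(arguments)
    return header + body + b"\x00\x00\x00\x00"   # ExtraData TerminalBlock


def parse_lnk(data):
    """Return (flags, string fields), skipping IDList and LinkInfo when present."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return flags, fields


def longest_whitespace_run(text):
    best = run = 0
    for ch in text:
        run = run + 1 if ch.isspace() else 0
        best = max(best, run)
    return best


def inspect_lnk(data):
    """Triage a .lnk: what the old dialog showed, what it hid, and the 0patch-style cut."""
    _, fields = parse_lnk(data)
    args = fields.get("arguments", "")
    visible, hidden = args[:DISPLAY_LIMIT], args[DISPLAY_LIMIT:]
    return {
        "target": fields.get("relative_path", ""),
        "arg_len": len(args),
        "exceeds_display": len(args) > DISPLAY_LIMIT,
        "padding_run": longest_whitespace_run(args),
        "visible_is_blank": visible.strip() == "",
        "hidden_tail": hidden.strip(),
        "suspicious": len(args) > DISPLAY_LIMIT or longest_whitespace_run(args) >= PADDING_RUN,
        "truncated_args": visible,   # what actually runs after a 260-character cut
    }


# Constructed samples: a normal shortcut and one padded like the reported campaigns.
BENIGN = build_lnk(r"..\..\Windows\System32\cmd.exe", "/k echo hello")
PAYLOAD = "/c powershell -nop -w hidden -c \"Start-Process calc.exe\""  # stand-in, not malware
PADDED = build_lnk(r"..\..\Windows\System32\cmd.exe", " " * 300 + PAYLOAD)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        r = inspect_lnk(blob)
        print(label, r["arg_len"], r["exceeds_display"], r["padding_run"], repr(r["hidden_tail"]))
```

The padded sample shows the problem in both directions: the first 260 characters are all whitespace, so the old dialog showed a blank Target, while the post-fix dialog shows 300 spaces followed by the command, which a user must still recognise as hostile. Cutting the arguments at 260 characters leaves nothing executable, which is why the truncation approach removes the risk rather than merely exposing it. A real triage tool should also walk the LinkTargetIDList, since attackers usually point it at cmd.exe or powershell.exe rather than relying on a relative path as this constructed sample does.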
Original article: Windows shortcuts’ use as a vector for malware may be cut short | CSO Online