This 8-year-old Windows security flaw is still being exploited by hackers


One would assume that a high-risk vulnerability reported by experienced security researchers would be patched by the affected vendor as quickly as possible, especially once it is being actively exploited in the wild.
Apparently not. One particular Windows flaw has not only existed for more than eight years, it has been actively exploited for most of that time, and Microsoft still has not patched it.
The Security Vulnerability, Explained
The flaw in question is an unpatched vulnerability tracked as CVE-2025-9491 (reported to Microsoft by Trend Micro's Zero Day Initiative as ZDI-CAN-25373). It affects how Windows handles shortcut (LNK) files: the shortcut's command-line arguments can be padded with whitespace characters (spaces, tabs, line feeds and similar) so that the Properties dialog shows what looks like a harmless target, while the real command, hidden past the padding, still runs when the shortcut is opened. Trend Micro identified close to a thousand malicious LNK samples abusing the technique, with exploitation dating back to 2017.
Bringing renewed attention to the issue was a recent Arctic Wolf blog post describing a campaign in which a group of attackers once again used CVE-2025-9491. The targets were diplomatic entities in several European countries; the most recent attacks, observed in September and October 2025, hit Belgium, Hungary, Italy, Serbia and the Netherlands.
The attack itself is simple. The attacker only needs to deliver a malicious shortcut to the target, for example as a phishing-email attachment or inside an archive. Once the victim opens it, the shortcut launches a legitimate Windows program (cmd.exe or PowerShell, for example) with the hidden arguments, which then run whatever the attacker chose, typically a loader for espionage malware.
In the latest wave, the attackers used the shortcut to deliver a remote access trojan (RAT), giving them a backdoor on the affected machine from which a wide variety of commands could be run. According to Trend Micro's report, state-sponsored groups from China, Iran, North Korea and Russia have all used the technique in the past to deliver malicious payloads.
Why isn’t Microsoft taking action?
According to the researchers, Microsoft was informed of the vulnerability through Trend Micro's Zero Day Initiative (ZDI) bug bounty program but declined to issue a patch. Why Microsoft is unwilling or unable to fix a high-risk flaw that is under active exploitation remains unclear.
Further attacks are therefore likely. Until Microsoft acts, Windows administrators are advised to block or quarantine LNK files that arrive from untrusted sources (for example .lnk attachments, and archives containing them, at the mail gateway) and to treat a clean-looking Properties dialog with suspicion, since that dialog is exactly what the padding technique is designed to fool.
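Because the Properties dialog is what the padding fools, the check has to be done on the file bytes rather than through the shell UI. The following is an added example (not code from the article, Arctic Wolf or Trend Micro) that walks the MS-SHLLINK structure just far enough to read COMMAND_LINE_ARGUMENTS and flags arguments that contain an unusually long run of whitespace. It builds its own two sample shortcuts in-script (constructed test input, not real malware); the 64-character run threshold and the cp1252 code page assumed for non-Unicode links are tuning assumptions, not values from the reports.

```python
"""Flag .lnk files whose COMMAND_LINE_ARGUMENTS hide a command behind whitespace
padding (the CVE-2025-9491 / ZDI-CAN-25373 UI-misrepresentation technique).
Added example, not code from the article, Arctic Wolf or Trend Micro. Assumes the
minimal MS-SHLLINK walk below reaches the arguments; the threshold is a tuning knob."""
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION = 0x20, 0x40

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_DATA_ORDER = (
    (HAS_NAME, "NAME_STRING"),
    (HAS_RELATIVE_PATH, "RELATIVE_PATH"),
    (HAS_WORKING_DIR, "WORKING_DIR"),
    (HAS_ARGUMENTS, "COMMAND_LINE_ARGUMENTS"),
    (HAS_ICON_LOCATION, "ICON_LOCATION"),
)

# The padding characters ZDI observed in samples: space, \t, \n, \v, \f, \r
PADDING_CHARS = " \t\n\x0b\x0c\r"


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        nbytes = count * 2 if unicode else count
        raw = data[pos + 2:pos + 2 + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name}")
        pos += 2 + nbytes
        # ANSI links use the system code page; cp1252 is an assumption here
        strings[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return {"flags": flags, "strings": strings}


def padding_report(arguments: str, threshold: int = 64) -> dict:
    """Find the longest whitespace run in the arguments and collapse the padding."""
    longest = run = 0
    for ch in arguments:
        run = run + 1 if ch in PADDING_CHARS else 0
        longest = max(longest, run)
    return {
        "longest_run": longest,
        "suspicious": longest >= threshold,
        "normalized": " ".join(arguments.split()),  # the command with padding removed
    }


def scan_lnk(data: bytes, threshold: int = 64) -> dict:
    """Parse a .lnk blob and report on its command-line arguments."""
    strings = parse_lnk(data)["strings"]
    report = padding_report(strings.get("COMMAND_LINE_ARGUMENTS", ""), threshold)
    report["target"] = strings.get("RELATIVE_PATH", "")
    return report


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode shell link (constructed test input, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # Header: size, CLSID, flags, attrs, 3 timestamps, size, icon, ShowCommand=1, hotkey, reserved
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed samples: a normal shortcut and one padded the way the ZDI samples were
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\notes\todo.txt")
PADDED_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                       " " * 900 + "/c echo this command is hidden from the Properties dialog")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        r = scan_lnk(blob)
        print(f"{label}: target={r['target']} longest_ws_run={r['longest_run']} "
              f"suspicious={r['suspicious']} command={r['normalized']!r}")
```

On real files, call `scan_lnk(open(path, "rb").read())`. The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their size fields rather than interpreting them, so it also handles shortcuts whose target lives only in the IDList; `target` is then empty, but the arguments are still scanned, which is the part that matters for this technique.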



