Windows: Zero-day gap in the LNK display

Trend Micro's Zero-Day Initiative (ZDI) has published information on a vulnerability classified as high-risk when displaying the content of LNK files. However, Microsoft classifies the vulnerability differently and does not plan to fix it.

It concerns a problem with the display of the contents of shortcuts that are displayed in Windows by .lnk files. These LNK files have a defined structure in which various other information (metadata) can be embedded. According to the ZDI vulnerability description, attackers can abuse the fact that the Windows user interface for displaying LNK files – which apparently means a subpage in the Windows file properties dialog – does not display dangerous content. To do this, malicious actors must manipulate data in an LNK file, causing content to remain invisible (CVE-2025-9491 / no EUVD yet, CVSS 7.0, risk"high").

"The vulnerability allows attackers from the network to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required for the exploit, they must visit a malicious page or open a malicious file," concludes the ZDI. Potential victims do not see the malicious content due to the security leak and therefore unsuspectingly execute the malicious LNK file.

Disagreement on classification

According to the ZDI, Microsoft is of the opinion that the vulnerability does not reach the severity level for treatment. Even after about six months of back and forth, Microsoft did not change its mind. Finally, ZDI published the report and has now also issued a CVE vulnerability entry for it.

LNK files are often used in attacks. For example, to install a backdoor in a Qemu Linux emulation attached to a malicious email. Vulnerabilities in LNK processing have also been around for some time. Criminals attacked an LNK gap in Windows 15 years ago.

(dmk)