It’s a reasonable expectation: when security experts uncover a dangerous flaw in widely used software, the company responsible rushes to fix it, especially if hackers are already exploiting it. Logic dictates immediate action, a digital barricade against potential chaos. But sometimes, logic fails.
For over eight years, a critical security vulnerability in Windows has persisted, actively exploited by malicious actors, yet remains unpatched by Microsoft. This isn’t a hypothetical threat; it’s a gaping hole in the system, repeatedly breached and leveraged against unsuspecting users.
The vulnerability, designated CVE-2025-9491, centers on how Windows processes LNK files, the common shortcuts you see on desktops. It’s a zero-day: it was being exploited in the wild before any fix was available. Recent findings reveal a resurgence in attacks, bringing the issue back into sharp focus.
Researchers at Arctic Wolf recently documented a hacker group actively using CVE-2025-9491 to target diplomats across several European Union countries. Belgium, Hungary, Italy, Serbia, and the Netherlands were all hit in late 2024, demonstrating the flaw’s continued relevance and widespread impact.
The attack method is deceptively simple. Hackers deliver a malicious LNK file, often through phishing emails. Once opened, the file executes harmful code, potentially granting attackers access to sensitive information or complete control over the compromised system. It’s a classic, yet effective, technique.
The latest attacks involved attempts to install a Trojan that gives the attackers remote access and a vast range of malicious commands. Reports from Trend Micro indicate that hacker groups linked to China, Iran, North Korea, and Russia have all used this vulnerability to distribute malware in the past.
What’s truly baffling is Microsoft’s inaction. Security researchers alerted the company to this flaw through Trend Micro’s Zero Day Initiative (ZDI) bug bounty program, yet a patch remains elusive. The reasons behind this decision, or the inability to act, remain shrouded in mystery.
The consequence of this inaction is clear: further attacks are almost guaranteed. Until Microsoft addresses CVE-2025-9491, Windows administrators are strongly advised to block the execution of LNK files originating from untrusted sources. It’s a temporary safeguard, but a necessary one in the face of ongoing risk.
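Blocking shortcuts from untrusted sources starts with being able to see what a shortcut would actually run. The script below is an added defensive example, not code from the article or from any of the vendors it names: it parses the MS-SHLLINK StringData fields of a .lnk file and applies two triage heuristics that are my own assumptions (a target that is a script/command host, and long whitespace runs in the arguments that push the real command out of the visible Properties field). The `build_lnk` helper only constructs sample input.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # header CLSID, little-endian
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
# Script/command hosts that a shortcut from an untrusted sender rarely needs.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe")


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shortcut (sample input only; no IDList or LinkInfo)."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + bytes(0x4C - len(header)) + body


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut, skipping the IDList and LinkInfo blocks."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:       # IDListSize does not count its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:     # LinkInfoSize counts the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:          # CountCharacters (2 bytes) then the unterminated string
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + width * count].decode(codec, "replace")
            pos += 2 + width * count
    return fields


def suspicious_indicators(fields: dict) -> list:
    """Triage heuristics (assumed for this example, not taken from the article)."""
    hits = []
    target = (fields.get("relative_path", "") + "|" + fields.get("working_dir", "")).lower()
    if any(host in target for host in SCRIPT_HOSTS):
        hits.append("target is a script/command host")
    # Long whitespace runs push the real command out of the visible Properties field.
    if re.search(r"\s{32,}", fields.get("arguments", "")):
        hits.append("whitespace padding in command-line arguments")
    return hits
```

Run `suspicious_indicators(parse_lnk(open(path, "rb").read()))` over a mail-gateway quarantine or a user's Downloads folder to decide which shortcuts to hold back.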