Update, June 9, 2025: This story, originally published on June 8, has been updated with a statement from Microsoft regarding the latest ongoing cyberattacks against Windows users.

Windows users are under attack. Yes, I know, Windows users are always under attack, it’s a byproduct of there being so many of them and threat actors focusing on such big platforms that can offer the potential for significant returns. While Linux and macOS systems are far from immune to such attacks, it’s Microsoft users who get the brunt of it. Which is why it’s so important to install updates that fix Windows vulnerabilities, and install them quickly. But what if the threat is not only well known among the cybercriminal community, has existed for many years, and still hasn’t been given a Common Vulnerabilities and Exposures identifier? Welcome to the highly dangerous world of Windows LNK file cyberattacks that are happening right now. Do not open these files.

This Windows Vulnerability Remains Unfixed And Is Being Used In Cyberattacks Right Now

The Common Vulnerabilities and Exposures system might not be perfect, but it does provide a standard, actionable method of identifying and prioritizing security vulnerabilities wherever they occur. That would include vulnerabilities such as the one that has affected LNK shortcut files in the Windows operating system for many years now. Or at least it would, had the vulnerability in question been allocated a CVE identifier, which it hasn’t.

Alexander Kolesnikov, a malware analyst at Kaspersky Lab, has issued a warning to all Windows users as Kaspersky’s Global Research and Analysis Team revealed the most noteworthy Windows vulnerability being exploited so far in 2025.

ZDI-CAN-25373, the Windows LNK file vulnerability in question, has already been seen being exploited in zero-day attacks by cybercriminal and state-sponsored actors, according to security researchers at Trend Micro. Now, Kolesnikov has warned that it is being actively exploited and enables threat actors to launch attacks that are obfuscated from the victim. “The main issue is that File Explorer does not fully display the data specified as parameters in application shortcuts,” Kolesnikov explained. What this means is that attackers can pad the target field with additional characters, spaces and line breaks for example, so that the user only sees the legitimate-looking path and has no cause for concern that anything is amiss. That’s far from the reality, though: the malicious commands appended to the target field, although obscured from view in File Explorer, can be used to compromise the Windows system once the LNK file is executed. “Only the first part of the path is shown in the shortcut’s properties,” Kolesnikov reiterated, adding that “the target field might include arguments at the end of the line that trigger a request to download a payload using powershell.exe.”
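The padding Kolesnikov describes can be checked for on disk before anyone double-clicks a shortcut. The following Python script is an added example, not code from Kaspersky, Trend Micro or Microsoft: it parses the Shell Link (.lnk) binary format as documented in Microsoft's MS-SHLLINK specification (the 76-byte header, the optional IDList and LinkInfo blocks, then the fixed-order StringData fields in either ANSI or UTF-16), pulls out the COMMAND_LINE_ARGUMENTS string, and flags argument strings that contain line breaks or long whitespace runs, reporting the part a user would see in the Properties dialog separately from the part pushed out of view. It is more general than the article's single case in that it handles both string encodings and all five string fields. The 16-character run threshold, the field names, and the `build_fixture_lnk` helper (which constructs a minimal, benign shortcut purely as a test fixture) are my assumptions and not taken from any of the reports.

```python
import re
import struct

# Constants from the Shell Link (.LNK) binary format, MS-SHLLINK sections 2.1 and 2.1.1
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set (MS-SHLLINK 2.4)
STRING_DATA_ORDER = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

PADDING_CHARS = " \t\r\n\x0b\x0c"
SUSPICIOUS_RUN = 16  # assumption (tunable): genuine arguments rarely hold 16+ consecutive blanks
PADDING_RE = re.compile(r"[ \t\r\n\x0b\x0c]{%d,}" % SUSPICIOUS_RUN)


def parse_lnk_strings(data: bytes) -> dict:
    """Validate the header, skip the optional IDList and LinkInfo blocks, and return
    the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize covers the whole block
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated StringData field %r" % name)
        pos += size
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def analyze_arguments(args: str) -> dict:
    """Flag the padding technique: blanks or line breaks that push the real command
    past what the shortcut's Properties dialog renders."""
    reasons = []
    if any(c in "\r\n\x0b\x0c" for c in args):
        reasons.append("line-break/control characters in arguments")
    longest = run = 0
    for c in args:
        run = run + 1 if c in PADDING_CHARS else 0
        longest = max(longest, run)
    if longest >= SUSPICIOUS_RUN:
        reasons.append("whitespace run of %d characters" % longest)
    m = PADDING_RE.search(args)
    return {
        "suspicious": bool(reasons),
        "reasons": reasons,
        "arguments": args,
        "visible": args[:m.start()] if m else args,     # roughly what a user would see
        "hidden": args[m.end():].strip() if m else "",  # what the padding pushes out of view
    }


def scan_lnk(data: bytes) -> dict:
    """Parse a .lnk byte string and report whether its arguments look padded."""
    fields = parse_lnk_strings(data)
    report = analyze_arguments(fields.get("arguments", ""))
    report["relative_path"] = fields.get("relative_path", "")
    return report


def build_fixture_lnk(arguments: str, relative_path: str = "cmd.exe") -> bytes:
    """Constructed test fixture (not a shortcut from any real incident): a minimal .lnk
    carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS, used to exercise the scanner."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, etc. left zero

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    samples = {
        "benign": build_fixture_lnk("/c echo benign"),
        # Benign stand-in for the pattern the article describes: plausible-looking arguments,
        # then hundreds of blanks and a line break, then the part a user would never see.
        "padded": build_fixture_lnk("/c echo looks-fine" + " " * 300 + "\r\n& echo hidden-part"),
    }
    for label, blob in samples.items():
        r = scan_lnk(blob)
        print(label, "->", "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
        if r["hidden"]:
            print("  visible:", repr(r["visible"]), " hidden:", repr(r["hidden"]))
```

Run it over a directory of downloaded shortcuts (`scan_lnk(open(path, "rb").read())`) to triage them, and treat any non-empty `hidden` value as grounds to look at the full argument string in a hex editor rather than in Explorer's Properties dialog, which is exactly the view the technique is designed to defeat.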

I reached out to Microsoft, and a spokesperson provided the following statement:

“We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure. Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.”

Windows users should be comforted to some degree in that Microsoft Defender includes content scanning functionality that will examine files, including these LNK ones, and is aware of the techniques used by attackers. This means that Microsoft Defender can identify malicious LNK files. The Microsoft spokesperson told me that the average Windows user does not inspect file properties, and that the method described by the researchers is therefore of limited practical use to an attacker. I’m not sure I’m 100% on board with that, and maybe if users did look at file properties before executing them, then less malware would get through.

Microsoft also told me that Windows identifies LNK shortcut files as a “potentially dangerous file type,” which means that when a user attempts to open one that had been downloaded from the internet, a security warning is automatically triggered. This warning, quite correctly, advises the user not to open files from unknown sources. “We strongly recommend heeding this warning,” Microsoft said.
