According to The How-To Geek, Microsoft has quietly rolled out a partial mitigation for the high-severity Windows LNK vulnerability tracked as CVE-2025-9491. This flaw, exploited as a zero-day by state-sponsored groups and cybercrime gangs, lets attackers hide malicious commands inside standard Windows shortcut files. Trend Micro researchers discovered close to a thousand malicious shortcuts in the wild, with exploitation campaigns dating back to 2017. High-profile actors like Evil Corp, APT37, Bitter, and China’s Mustang Panda used the trick to deploy malware including Ursnif and the PlugX RAT, with Mustang Panda specifically targeting European diplomats in 2025. The silent fix changes how Windows displays the shortcut “Target” field, but it doesn’t delete existing malicious arguments or warn users about suspiciously long commands.
How the LNK trick worked
Here’s the thing about Windows shortcuts: that “Target” field in the properties dialog has a limit. Or, it had a limit. For ages, the UI would only show you the first 260 characters of whatever command the shortcut was set to run. Attackers got clever. They’d programmatically create an LNK file with a command string tens of thousands of characters long, padding the very beginning with a massive block of whitespace—like thousands of spaces. So when a victim, maybe a diplomat or a corporate employee, opened the properties to check the file, all they’d see was… nothing. Just an empty-looking field. The actual malicious payload, way down the line, was completely out of view. Double-click, and you’re owned. It’s a brutally simple social engineering win, and as Trend Micro’s findings show, it worked for years.
The problem with Microsoft’s silent fix
So Microsoft changed the UI. Now the Properties dialog shows *all* the characters in the Target field, no matter how long. That’s good, right? It restores truth. But is it a real fix? I don’t think so. It’s a mitigation, and a pretty weak one for the average user. The update doesn’t strip the malicious code from existing files. More importantly, it gives no warning. Imagine a Target field that’s 10,000 characters wide. Are you, or any regular person, going to meticulously scroll horizontally through a tiny text box to find the hidden payload? Of course not. You’ll see a bunch of blank space and probably assume it’s fine. The core attack vector—deceiving the user with a hidden command—is still largely effective. This is where the disconnect between a technical fix and a practical, user-centric solution becomes painfully clear.
Why a third party had to step in
Because of these limitations, ACROS Security CEO Mitja Kolsek and his team at 0patch released their own unofficial micropatch. And their approach is what a true fix looks like. Instead of just showing everything, their patch imposes the old 260-character limit on the command itself. If a shortcut tries to run a command longer than that, the patch cuts it off and, crucially, alerts the user that something fishy is going on. It actively blocks the attack. As they detailed on their blog, this is about providing actual protection, not just transparency. It’s a stark reminder that sometimes the community has to step in to harden systems, especially in industrial or critical environments where a breach can halt production.
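To make the padding trick described above, and the 260-character threshold that 0patch enforces, concrete from a defender's side, here is an added example (not code from How-To Geek, Trend Micro, 0patch or Microsoft) that reads the arguments string out of a Shell Link file using the documented MS-SHLLINK layout and flags shortcuts whose command is longer than the old dialog displayed or begins with a wall of whitespace. The `build_sample` fixture, the 260 threshold as the alert line, and the finding texts are this example's own assumptions; the sample shortcut it builds has no target and is not a usable shortcut.

```python
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, IS_UNICODE = 0x10, 0x20, 0x80
DISPLAY_LIMIT = 260  # assumed alert line: what the old Properties dialog showed, the cap 0patch enforces


def _read_string(data, pos, unicode):
    # StringData entry: 16-bit character count, then the characters, no terminator
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    raw = data[pos:pos + (count * 2 if unicode else count)]
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, pos + len(raw)


def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a Shell Link file ("" if it has none)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode, strings = bool(flags & IS_UNICODE), {}
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):  # fixed StringData order
        if flags & flag:
            strings[flag], pos = _read_string(data, pos, unicode)
    return strings.get(HAS_ARGUMENTS, "")


def assess(data):
    """Flag the padding trick: arguments longer than the dialog showed, or led by a block of whitespace."""
    args = lnk_arguments(data)
    leading = len(args) - len(args.lstrip())
    findings = []
    if len(args) > DISPLAY_LIMIT:
        findings.append(f"arguments are {len(args)} chars; the old dialog showed only {DISPLAY_LIMIT}")
    if leading >= DISPLAY_LIMIT:
        findings.append(f"{leading} leading whitespace chars push the real command out of the visible window")
    return {"length": len(args), "leading_ws": leading, "visible": args[:DISPLAY_LIMIT].strip(), "findings": findings}


def build_sample(args):
    """Constructed fixture: a header plus an arguments string only (no target, so not a working shortcut)."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, size, icon, show, hotkey, reserved
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Point `assess` at the bytes of a real `.lnk` pulled from a mail attachment or download folder; an empty `visible` string next to a four-digit `length` is exactly the case the Properties dialog used to hide.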
The bigger picture on security updates
Look, Microsoft deserves some credit for addressing the UI lie silently and quickly. But this episode highlights a recurring theme. A “fix” that doesn’t actually change user behavior or block the malicious action is only half a solution. It patches the hole in the fence but leaves the trespasser’s tools on your lawn. For a vulnerability exploited by top-tier espionage groups for nearly eight years, a more aggressive stance seems warranted. Should Windows maybe warn users about shortcuts with commands over a certain length? Should it block their execution outright? Probably. Until those kinds of decisions are made, gaps remain. And in cybersecurity, a gap is an invitation.
