The discovered issues exploit inconsistencies in how Windows Explorer prioritizes conflicting target paths specified across multiple optional data structures within shortcut files.
The most effective variants use forbidden Windows path characters, such as double quotes, to create paths that look valid but are technically invalid, causing Explorer to display one target while executing another; another variant uses non-conforming LinkTargetIDList values to execute a path other than the one displayed in the LinkInfo field.
"This results in the strange situation where the user sees one path in the Target field, but upon execution, a completely different path is executed. The most powerful technique identified involves manipulating the EnvironmentVariableDataBlock structure within LNK files. By setting only the ANSI target field and leaving the Unicode field empty, attackers can display a fake target such as "invoice.pdf" in the properties window while actually executing PowerShell or other malicious commands."
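As an added illustration for defenders (not part of the article, and not Beukema's research tooling), the following Python script parses the EnvironmentVariableDataBlock of a .lnk file according to the public MS-SHLLINK layout and flags the inconsistencies described above: an ANSI target with an empty Unicode target, two targets that disagree, and forbidden path characters such as double quotes. The block size and signature constants are MS-SHLLINK values; the sample .lnk bytes, placeholder paths and finding text are constructed here for the demonstration.

```python
"""Inspect a Windows .lnk file for displayed-vs-executed target inconsistencies.
Parsing follows the public MS-SHLLINK layout; sample .lnk bytes are constructed
below with placeholder paths (not real samples)."""
import struct

# ShellLinkHeader (MS-SHLLINK 2.1): fixed 76-byte header, CLSID 00021401-0000-0000-C000-000000000046
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HAS_EXP_STRING = 0x200
# EnvironmentVariableDataBlock (MS-SHLLINK 2.5.4): 8-byte block header,
# 260-byte ANSI target, 520-byte UTF-16LE target.
ENV_BLOCK_SIGNATURE = 0xA0000001
ENV_BLOCK_SIZE = 0x314
FORBIDDEN_PATH_CHARS = set('<>"|?*')  # characters Windows rejects in path components


def _string_data_end(data, off, flags):
    """Skip the optional StringData entries (CountCharacters + characters each)."""
    width = 2 if flags & IS_UNICODE else 1
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2 + count * width
    return off


def parse_lnk(data):
    """Return (link_flags, env_targets); env_targets is None or (ansi, unicode)."""
    if len(data) < HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    off = _string_data_end(data, off, flags)
    env = None
    while off + 4 <= len(data):             # ExtraData: BlockSize, BlockSignature, payload
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:                        # TerminalBlock ends the list
            break
        if size == ENV_BLOCK_SIZE and off + size <= len(data):
            sig = struct.unpack_from("<I", data, off + 4)[0]
            if sig == ENV_BLOCK_SIGNATURE:
                ansi_raw = data[off + 8:off + 8 + 260]
                uni_raw = data[off + 268:off + 268 + 520]
                ansi = ansi_raw.split(b"\x00", 1)[0].decode("cp1252", "replace")
                uni = uni_raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
                env = (ansi, uni)
        off += size
    return flags, env


def assess_lnk(data):
    """Return a list of finding strings; empty means no inconsistency seen."""
    _flags, env = parse_lnk(data)
    findings = []
    if env is None:
        return findings
    ansi, uni = env
    if ansi and not uni:
        findings.append("EnvironmentVariableDataBlock: ANSI target set, Unicode target empty")
    elif uni and not ansi:
        findings.append("EnvironmentVariableDataBlock: Unicode target set, ANSI target empty")
    elif ansi != uni:
        findings.append(f"EnvironmentVariableDataBlock: ANSI and Unicode targets disagree ({ansi!r} vs {uni!r})")
    for label, target in (("ANSI", ansi), ("Unicode", uni)):
        bad = sorted(FORBIDDEN_PATH_CHARS & set(target))
        if bad:
            findings.append(f"{label} target contains forbidden path characters {bad}")
    return findings


def build_sample_lnk(ansi_target, unicode_target):
    """Construct a minimal .lnk (header + EnvironmentVariableDataBlock + TerminalBlock)."""
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, HAS_EXP_STRING | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    block = struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIGNATURE)
    block += ansi_target.encode("cp1252").ljust(260, b"\x00")
    block += unicode_target.encode("utf-16-le").ljust(520, b"\x00")
    return header + block + struct.pack("<I", 0)


if __name__ == "__main__":
    # Constructed placeholder paths; only the ANSI field is populated.
    sample = build_sample_lnk("C:\\Users\\Public\\invoice.pdf", "")
    for finding in assess_lnk(sample):
        print(finding)
```

Run it against a directory of quarantined shortcuts and treat any finding as a reason to inspect the file by hand; a legitimately generated shortcut normally carries identical ANSI and Unicode targets in this block.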
Microsoft Defender has detections in place to identify and block this threat activity, and Smart App Control provides an additional layer of protection by blocking malicious files from the Internet.
However, Beukema added that "there is a reason attackers still like LNK files - users quickly click through these sorts of warnings. Otherwise, CVE-2025-9491 wouldn't have been as 'successful' as it was either."
Today, at Wild West Hackin' Fest, security researcher Wietze Beukema disclosed multiple vulnerabilities in Windows LNK shortcut files that allow attackers to deploy malicious payloads.
www.bleepingcomputer.com