CVE-2025-9491

✓ Confirmed 0-Day

Triaged: March 5, 2026 6 articles Published: 2025-08-26

VulnLookup ↗ NVD ↗ MITRE ↗

EPSS Score

Source: FIRST.org · 2026-05-24

0.85%

probability

This CVE has a 0.85% probability of being exploited in the next 30 days.

0% Top 75.2th percentile of all CVEs 100%

CVSS v4.0 NEW

Source: VulnerabilityLookup (CIRCL)

4.6

MEDIUM

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

Active

Vulnerable System Confidentiality Impact

None

Vulnerable System Integrity Impact

Low

Vulnerable System Availability Impact

None

Subsequent System Confidentiality Impact

None

Subsequent System Integrity Impact

None

Subsequent System Availability Impact

None

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS v3.0

Source: VulnerabilityLookup (CIRCL)

7.0

HIGH

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of .LNK files. Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25373.

Affected Products

Microsoft

Windows

11 Enterprise 23H2 22631.4169 x64

Attack Intelligence

CWE-221 · Information Loss or Omission CWE-451 · User Interface (UI) Misrepresentation of Critical Information CWE-664 · Improper Control of a Resource Through its Lifetime CWE-684 · Incorrect Provision of Specified Functionality CWE-710 · Improper Adherence to Coding Standards

Exploits & PoC

Amperclock/CVE-2025-9491_POC

Proof-of-Concept of the CVE-2025-9491 using invisible characters in the arguments of a Windows shortcut file (.lnk)

1 repo — triés par ⭐ Rechercher sur GitHub ↗

https://www.zerodayinitiative.com/advisories/ZDI-25-148/

x_research-advisory

Signal Intelligence

Confidenceⓘ

85%

EPSS 0.85%

CVSS v4.0 4.6

CVSS v3.0 7.0

Mentions 6

Last Seen Feb 12, 2026

CNA Information

CNA Assigner

zdi

CNA Title

Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability

Analyst Note

CVE-2025-9491 shows clear zero-day characteristics: active exploitation documented across multiple sources (European diplomats, 11 state groups since 2017), exploitation preceded or coincided with Microsoft's silent patch in November 2025 Patch Tuesday. The TheHackerNews article explicitly confirms Microsoft patched after "years of active exploitation," establishing in-the-wild use before patch availability.