Windows shortcut covert command execution ZDI-CAN-25373 security flaw
Vulnerability
Summary
ZDI-CAN-25373 is a Windows shortcut flaw that was actively exploited through malicious LNK files, enabling covert command execution in espionage campaigns. Disclosed in March 2025 and used again in September and October 2025, the vulnerability widened the risk for users who opened weaponized shortcut files. The issue mattered because it let attackers hide command execution inside seemingly normal diplomatic-lure traffic.
Related Happenings
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
ClickFix social-engineering initial access campaign
Campaign
First: 23.03.2026 17:35
Last: 23.03.2026 17:35
Sources 1
About this happening:
In 2025, **ClickFix** spread across **dozens of threat clusters**, turning a social-engineering prompt into a **widespread initial access** path that increased compromise risk. Th...
Lnk-it-up open-source suite for generating and detecting malicious Windows LNK shortcuts
Security Tool/Service
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
About this happening:
**lnk-it-up** is a newly released open-source suite for **Windows LNK shortcuts** that helps testers generate deceptive files and helps defenders spot shortcuts where **Explorer**...
Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)
Vulnerability
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
About this happening:
**Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...
Timeline
31.10.2025 14:10 2 articles · 6mo ago
Initial report: Windows shortcut covert command execution ZDI-CAN-25373 security flaw
Initial Disclosure: The flaw was disclosed in **March 2025** and later used in **September and October 2025** through malicious **LNK files**. Early exploitation centered on covert command execution from opened Windows shortcut files.
Sources:
- Chinese-Linked Hackers Exploit Windows Flaw to Spy on Belgian and Hungarian Diplomats — www.infosecurity-magazine.com — 31.10.2025 14:10