# Title: Windows LNK File UI Misrepresentation Remote Code Execution
# Date: 2025-01-04
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A (Windows OS component)
# Version: Windows 10, Windows 11, Windows Server 2016/2019/2022
# Tested on: Windows 10 22H2, Windows 11 23H2
# CVE: CVE-2025-9491
# CVSS: 8.8

### Description:

A critical vulnerability exists in Microsoft Windows LNK file handling that allows attackers to create malicious shortcut files that appear legitimate in Windows Explorer while executing arbitrary commands. The vulnerability is a UI misrepresentation flaw where Windows incorrectly displays file properties.

### Exploit:

[href](https://raw.githubusercontent.com/nu11secur1ty/Windows11Exploits/refs/heads/main/2025/CVE-2025-9491/Exploit/CVE-2025-9491.py)

### Technical Details:

The vulnerability allows attackers to craft LNK files with:

1. Legitimate-looking icons (document, PDF, Windows Update shield)
2. Misleading descriptions ("Security Update", "Important Document")
3. Hidden command execution in the arguments field
4. Window state set to hidden (SW_SHOWMINNOACTIVE = 7)

When a user opens the malicious LNK file, Windows Explorer shows it as a harmless document, but the file actually executes commands with the user's privileges. No security warnings are displayed to the user.

### Proof of Concept:

An LNK file can be created that:

- Shows as "Windows Security Update" with a shield icon
- Actually executes: `cmd.exe /c powershell -Command "malicious_payload"`
- Runs with a hidden window (WindowStyle = 7)

### Delivery:

The LNK file can be delivered via:

1. Email attachments
2. Network shares
3. Web downloads
4. USB devices
5. Compressed archives

### Impact:

- Remote Code Execution with user privileges
- No user warnings or security prompts
- Complete UI deception
- Easy to weaponize

### Mitigation:

1. Enable display of file extensions in Windows Explorer
2. Block .LNK file attachments at email gateways
3. Implement application control (AppLocker, WDAC)
4. Monitor for hidden process execution
5. User education about suspicious files

### Vendor Status:

Microsoft has been notified. No patch available as of 2025-01-04.

References:

- CVE-2025-9491
- Microsoft Security Response Center

Note: This information is for defensive purposes only. Unauthorized testing against systems you don't own is illegal.
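For the "Monitor" side of the mitigation list, the following is an added triage script (not part of this advisory or the linked exploit) that parses the ShellLinkHeader and StringData of a .lnk file per the public MS-SHLLINK layout and flags the two indicators the Technical Details section names: ShowCommand 7 (SW_SHOWMINNOACTIVE) and a populated arguments field. The sample shortcut it checks is a constructed fixture with a harmless `echo` argument, not a real payload.

```python
import struct

SW_SHOWMINNOACTIVE = 7          # ShowCommand value the advisory calls "hidden" (minimized, not activated)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1), in the order the StringData sections appear
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_SECTIONS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                   ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                   ("icon_location", HAS_ICON))

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus whichever StringData strings the shortcut carries."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:          # skip LinkTargetIDList: 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:        # skip LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    info = {"show_command": show_cmd}
    for key, bit in STRING_SECTIONS:  # each string: 2-byte char count, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info

def triage(info: dict) -> list:
    """Findings matching the advisory's indicators; both together warrant escalation."""
    findings = []
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 (SW_SHOWMINNOACTIVE): launches without a visible window")
    if info.get("arguments"):
        findings.append("command-line arguments present: " + info["arguments"])
    return findings

def sample_lnk() -> bytes:
    """Constructed fixture: hidden window, friendly name, shield-style icon, benign argument."""
    flags = HAS_NAME | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc("Windows Security Update") + enc("/c echo constructed sample") \
        + enc(r"%SystemRoot%\System32\shell32.dll")

if __name__ == "__main__":
    for line in triage(parse_lnk(sample_lnk())):
        print(line)
```

Point `parse_lnk` at bytes read from a quarantined attachment to get the same findings; a legitimate document shortcut normally has ShowCommand 1 and no arguments at all.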