Two Major Windows Security Flaws Are Being Exploited Right Now, One Has Been Active Since 2017

[Image: Microsoft Windows update screen. Photo by Clint Patterson on Unsplash]

So here’s something alarming (and a little frustrating): two serious Windows vulnerabilities are being exploited in live attacks right now. One of them is new. The other was quietly abused from 2017 until it was publicly disclosed this March, and seven months later it still has no patch.

Let’s break it down.


The Shortcut Flaw That’s Still Wide Open

[Image: View from a photo walk. Photo by Pawel Czerwinski on Unsplash]

Back in March, researchers at Trend Micro’s Zero Day Initiative disclosed something pretty chilling. A Windows vulnerability, tracked by ZDI as ZDI-CAN-25373 and now as CVE-2025-9491, had been used by at least 11 state-sponsored advanced persistent threat (APT) groups since 2017. These aren’t your run-of-the-mill hackers. We’re talking about nation-state-level actors quietly installing malware in over 60 countries, including the US, Canada, Russia, and Korea.

The flaw lives in Windows Shortcut (.lnk) files, the little files that let you open an app or document with a click, without digging through folders. The problem is not that a shortcut can run a command (that is what shortcuts are for) but that Windows hides which command it will run: when the shortcut’s command-line arguments are padded with whitespace, Explorer’s Properties dialog shows a benign-looking target and none of the padded arguments, so a user who checks the shortcut before clicking sees nothing wrong.

The twist? Microsoft still hasn’t fixed it, seven months after it was made public. Microsoft’s answer to Trend Micro at disclosure was that the issue did not meet its bar for immediate servicing.

This is why the bug works so well as a first stage. The visible part of the shortcut looks harmless, while the hidden arguments launch the real infection chain. The malicious payload is kept encrypted, typically with RC4, and is only decrypted at the last step, so file scanners never see it in the clear. The end goal is often PlugX, a remote access trojan that gives the operators control over the infected computer.

We now know that a threat group tracked as UNC6384, believed to be aligned with China, has been using this exact vulnerability in attacks across Europe. Security company Arctic Wolf confirmed this on Thursday, adding that the attacks appear coordinated and widespread.

With no official patch in sight, defenders are left with few real options. The best mitigations for now: block .lnk files arriving from untrusted sources (mail attachments, archives, downloads), treat any shortcut whose arguments you cannot see in full as suspect, and inspect shortcuts with a tool that reads the raw file rather than trusting Explorer’s Properties dialog, since that dialog is exactly what the padding defeats.
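Here is what that last point looks like in practice. The script below is an added example, not code from the article or from Trend Micro or Arctic Wolf. It parses the .lnk binary layout (MS-SHLLINK) itself, so no shortcut is resolved or executed, and flags files whose command-line arguments contain the kind of whitespace padding the exploited samples use. The padding threshold, the list of interpreters, the scanned folders and the constructed test shortcut are all assumptions made for this example.

```powershell
# Added example (not from the article, Trend Micro or Arctic Wolf): find .lnk files
# whose COMMAND_LINE_ARGUMENTS are padded with whitespace to hide the real command.
# Parses the MS-SHLLINK layout directly; nothing is resolved or executed.

function Read-LnkStrings {
    param([byte[]]$Bytes)
    # ShellLinkHeader is 0x4C bytes and begins with its own size; LinkFlags sit at offset 0x14.
    if ($Bytes.Length -lt 0x4C -or [BitConverter]::ToUInt32($Bytes, 0) -ne 0x4C) { return $null }
    $flags = [BitConverter]::ToUInt32($Bytes, 0x14)
    $pos = 0x4C
    if ($flags -band 0x01) { $pos += 2 + [int][BitConverter]::ToUInt16($Bytes, $pos) }  # skip LinkTargetIDList
    if ($flags -band 0x02) { $pos += [int][BitConverter]::ToUInt32($Bytes, $pos) }      # skip LinkInfo
    $unicode = ($flags -band 0x80) -ne 0                                                 # IsUnicode
    $enc   = if ($unicode) { [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::Default }
    $width = if ($unicode) { 2 } else { 1 }
    $strings = @{}
    # StringData fields come in this fixed order, each only if its flag is set, each stored as a
    # UInt16 character count followed by the characters with no terminator.
    foreach ($entry in @(@('Name', 0x04), @('RelativePath', 0x08), @('WorkingDir', 0x10),
                         @('Arguments', 0x20), @('IconLocation', 0x40))) {
        $name, $flag = $entry
        if (-not ($flags -band $flag)) { continue }
        if ($pos + 2 -gt $Bytes.Length) { break }                                        # truncated file
        $count = [int][BitConverter]::ToUInt16($Bytes, $pos); $pos += 2
        if ($pos + $count * $width -gt $Bytes.Length) { break }
        $strings[$name] = $enc.GetString($Bytes, $pos, $count * $width); $pos += $count * $width
    }
    return $strings
}

function Test-SuspiciousLnk {
    param([byte[]]$Bytes)
    $s = Read-LnkStrings $Bytes
    if ($null -eq $s -or -not $s.ContainsKey('Arguments')) { return $null }   # no arguments, nothing to hide
    $a = $s['Arguments']
    $reasons = @()
    # ZDI reported the samples padding arguments with space, tab, LF, VT, FF and CR. Eight or more
    # consecutive whitespace characters is this example's (assumed) threshold for "padding".
    if ($a -match '[ \t\r\n\v\f]{8,}') { $reasons += "whitespace padding (arguments are $($a.Length) chars)" }
    if ($a -match '[\r\n\v\f]')        { $reasons += 'control characters in arguments' }
    $launch = (($s['RelativePath'], $a) -join ' ').ToLowerInvariant()
    if ($launch -match 'cmd\.exe|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|certutil') {
        $reasons += 'targets or invokes a script interpreter / LOLBin'
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Target  = $s['RelativePath']
        Preview = ($a -replace '[ \t\r\n\v\f]{2,}', ' ').Trim()   # collapsed so the hidden command is readable
        Reasons = $reasons
    }
}

function New-LnkBytes {
    # Builds a minimal valid .lnk (header + RelativePath + Arguments, Unicode) purely as constructed test input.
    param([string]$RelativePath, [string]$Arguments)
    $ms = New-Object System.IO.MemoryStream
    $w  = New-Object System.IO.BinaryWriter($ms)
    $w.Write([uint32]0x4C)                                                     # HeaderSize
    $w.Write(([guid]'00021401-0000-0000-C000-000000000046').ToByteArray())     # LinkCLSID
    $w.Write([uint32](0x08 -bor 0x20 -bor 0x80))                              # HasRelativePath|HasArguments|IsUnicode
    $w.Write([byte[]]::new(0x4C - 24))                                        # remaining header fields zeroed
    foreach ($str in @($RelativePath, $Arguments)) {
        $w.Write([uint16]$str.Length)
        $w.Write([System.Text.Encoding]::Unicode.GetBytes($str))
    }
    $w.Flush()
    return $ms.ToArray()
}

# 1) Self-check on a constructed shortcut: 1,000 tabs hide a harmless 'notepad' command.
$demo = New-LnkBytes -RelativePath '..\..\Windows\System32\cmd.exe' -Arguments (("`t" * 1000) + '/c notepad.exe')
Test-SuspiciousLnk $demo | Format-List

# 2) Scan the usual drop locations on this machine (extend $Paths to mail caches or file shares).
$Paths = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP")
Get-ChildItem -Path $Paths -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $hit = Test-SuspiciousLnk ([System.IO.File]::ReadAllBytes($_.FullName))
    if ($hit) { [pscustomobject]@{ File = $_.FullName; Reasons = ($hit.Reasons -join '; '); Preview = $hit.Preview } }
}
```

The self-check should report the constructed shortcut with all three reasons and a preview of `/c notepad.exe`; the scan prints only shortcuts that trip at least one heuristic. Legitimate installer shortcuts do sometimes target cmd.exe or PowerShell, so treat the interpreter match as a reason to look, and the padding match as the strong signal.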


The WSUS Flaw That Won’t Stay Fixed

The second flaw, CVE-2025-59287, targets Windows Server Update Services (WSUS), which IT admins use to deploy software across networks. This one’s about as bad as it gets — a 9.8 severity rating — because it opens the door to remote code execution. That means attackers can potentially take full control of affected servers.

Microsoft shipped a fix in its October Patch Tuesday release, but it didn’t fully close the hole. Security researchers quickly showed the fix was incomplete, and Microsoft followed up with an out-of-band update on October 23.

[Image: Security signs. Photo by Peter Conrad on Unsplash]

By October 23, attackers were already exploiting the vulnerability. By October 24 it had hit multiple customer environments across industries, according to security firms Huntress, Eye Security, and Sophos. These weren’t targeted intrusions; they were broad, opportunistic attacks against anything running a vulnerable, internet-facing WSUS server (by default on ports 8530 for HTTP and 8531 for HTTPS).

It’s still not clear whether the attackers used the publicly available proof-of-concept exploit or built their own.


What You Can Do Right Now

If you use Windows — especially in large, server-heavy environments — now’s a good time to take inventory. Here’s what you can do:

  • For CVE-2025-9491 (the .lnk shortcut vulnerability):
    • Block or quarantine .lnk files arriving from untrusted sources (mail attachments, archives, downloads)
    • Don’t rely on Explorer’s Properties dialog to tell you what a shortcut runs; check the raw file’s arguments with a tool that reads them in full
    • Keep a close eye on your endpoint detection systems, especially for shortcuts that launch PowerShell or cmd.exe
  • For CVE-2025-59287 (the WSUS vulnerability):
    • Make sure your servers have the out-of-band update Microsoft released on October 23; the regular October Patch Tuesday update on its own is not enough
    • Look for suspicious activity starting around October 23, in particular cmd.exe or PowerShell being spawned by the WSUS service or its IIS worker process
    • Take vulnerable WSUS instances off the internet; if you cannot patch yet, Microsoft’s published workarounds are to disable the WSUS Server Role or to block inbound traffic to ports 8530 and 8531 at the host firewall
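The WSUS items above, in one script. This is an added example, not code from the article, Microsoft, Huntress, Eye Security or Sophos. It assumes WSUS on its default ports, that it is run elevated on the WSUS server itself, and that process-creation auditing with command-line logging is enabled for the hunting step; the parent/child process pattern it hunts for and the firewall rule name are this example’s choices.

```powershell
# Added example (not from the article, Microsoft, Huntress, Eye Security or Sophos).
# Run elevated on a WSUS server: checks exposure to CVE-2025-59287, hunts for the WSUS
# service or IIS worker process spawning a shell, and applies Microsoft's interim
# workaround of blocking inbound 8530/8531 at the host firewall.
# Assumptions: default WSUS ports; Security log has 4688 events with command lines.

$Since = Get-Date '2025-10-23'   # first day in-the-wild exploitation was reported

# --- 1. Is the WSUS role here, and is it listening beyond loopback? ---
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
if (-not $role -or -not $role.Installed) { Write-Host 'WSUS role not installed; nothing to do.'; return }

$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { ($_.LocalPort -in 8530, 8531) -and ($_.LocalAddress -notin '127.0.0.1', '::1') }
if ($listeners) {
    Write-Host 'WSUS is reachable on:'
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
}

# --- 2. Patch state: what has been installed since the out-of-band fix shipped? ---
# Get-HotFix cannot tell you which KB is the WSUS fix for your OS build; compare this list
# against the KB named in Microsoft's advisory for CVE-2025-59287 for your version.
Get-HotFix | Where-Object { $_.InstalledOn -ge $Since } | Sort-Object InstalledOn |
    Format-Table HotFixID, InstalledOn -AutoSize

# --- 3. Hunt: 4688 process creations whose parent is wsusservice.exe or w3wp.exe ---
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Parent      = $d['ParentProcessName']
            Child       = $d['NewProcessName']
            CommandLine = $d['CommandLine']
        }
    } |
    Where-Object { $_.Parent -match '\\(wsusservice|w3wp)\.exe$' -and $_.Child -match '\\(cmd|powershell|pwsh)\.exe$' }
if ($hits) { Write-Warning "Suspicious child processes of WSUS since ${Since}:"; $hits | Format-List }

# --- 4. Interim workaround until the out-of-band update is installed: block inbound WSUS ports ---
# Clients will stop getting updates from this server while the rule is active.
if (-not (Get-NetFirewallRule -DisplayName 'CVE-2025-59287 workaround' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'CVE-2025-59287 workaround' -Direction Inbound -Protocol TCP `
        -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
}
# Alternative Microsoft workaround if this host does not need to serve updates at all:
# Uninstall-WindowsFeature -Name UpdateServices
```

Remove the firewall rule with `Remove-NetFirewallRule -DisplayName 'CVE-2025-59287 workaround'` once the out-of-band update is confirmed installed. A hit in step 3 does not prove compromise on its own (some admin scripts run under the IIS worker process), but a shell spawned by wsusservice.exe after October 23 on an internet-facing server should be treated as an incident until shown otherwise.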

This is a reminder that patching, monitoring, and limiting exposure really matter, especially when a flaw can linger for years before coming to light and then still not get fixed right away.

Stay safe out there.

Keywords: Windows vulnerabilities, zero-day exploit, CVE-2025-9491, CVE-2025-59287, cybersecurity, WSUS, Windows Shortcut vulnerability, Windows security flaws.
