11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017

Microsoft refuses to patch serious Windows shortcut vulnerability abused in global espionage campaigns!

A Windows zero-day vulnerability has been actively exploited for years by at least 11 hacking groups linked to nation-states including North Korea, Iran, Russia, and China. Despite evidence of widespread attacks dating back to 2017, Microsoft has declined to issue a security patch, labelling the issue as “not meeting the bar for servicing.”

The vulnerability, tracked by Trend Micro as ZDI-CAN-25373, allows attackers to execute malicious code on Windows systems by hiding commands within shortcut (.lnk) files. When Trend Micro submitted proof of this vulnerability through their Zero Day Initiative bug bounty program, Microsoft categorized it as low severity and stated they would not address it with an immediate security update. No CVE identifier has been assigned to the flaw.

“We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts are much higher,” Trend Micro researchers stated in a blog post shared with Hackread.com.

How the Vulnerability Works

The vulnerability takes advantage of how Windows displays information about shortcut files. When a user right-clicks on a file to view its properties, Windows fails to show hidden malicious commands embedded within the file.

Attackers achieve this by inserting large numbers of blank spaces or other whitespace characters into the command-line arguments stored in the shortcut file. These invisible characters push the malicious commands beyond what the Windows interface shows, so the file appears harmless to anyone inspecting it.

Even more concerning, some North Korean threat actors, including Earth Manticore (APT37) and Earth Imp (Konni), have created “extremely large” shortcut files of up to 70MB to further complicate detection. The technique has proven effective enough that various state-backed hacking groups have used it in their attacks for years.
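The two tells described above (whitespace padding in the shortcut's command-line arguments and abnormal file size) can both be checked offline by parsing the Shell Link binary format directly, without relying on the Properties dialog. The following detection script is an added example for this article and is not code from Trend Micro, ZDI or Microsoft. It implements enough of the documented MS-SHLLINK layout (fixed 76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields in their fixed order) to reach the COMMAND_LINE_ARGUMENTS string. The `build_lnk()` helper only exists so the example runs on constructed samples; the padding threshold of 64 characters and the size threshold of 1 MiB are assumptions chosen for illustration, not values taken from the research.

```python
"""Added example: flag .lnk files whose command-line arguments hide a command
behind long whitespace runs, or whose size is abnormal for a shortcut."""
import struct
import sys

# ShellLinkHeader constants from MS-SHLLINK
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each only if its flag bit is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
WHITESPACE = " \t\r\n\x0b\x0c"


def parse_lnk_strings(data):
    """Return the StringData fields of a Shell Link file as a dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short to be a Shell Link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size          # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size            # LinkInfoSize includes the size field
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, offset)  # CountCharacters, no terminator
        offset += 2
        nbytes = count * 2 if unicode else count
        raw = data[offset:offset + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated StringData")
        strings[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
        offset += nbytes
    return strings


def longest_whitespace_run(text):
    """Length of the longest consecutive run of whitespace characters."""
    best = run = 0
    for ch in text:
        run = run + 1 if ch in WHITESPACE else 0
        best = max(best, run)
    return best


def analyze_lnk(data, padding_threshold=64, size_threshold=1 << 20):
    """Report padding and size indicators; thresholds are assumed values."""
    args = parse_lnk_strings(data).get("arguments", "")
    run = longest_whitespace_run(args)
    reasons = []
    if run >= padding_threshold:
        reasons.append("whitespace_padding")
    if len(data) > size_threshold:
        reasons.append("oversized")
    return {
        "file_size": len(data),
        "arguments_length": len(args),
        "longest_whitespace_run": run,
        "collapsed_arguments": " ".join(args.split()),  # what the analyst should read
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def build_lnk(arguments, name="", unicode=True, with_id_list=False):
    """Construct a minimal .lnk (test sample only; only header + StringData)."""
    flags = IS_UNICODE if unicode else 0
    fields = []
    for bit, value in ((HAS_NAME, name), (HAS_ARGUMENTS, arguments)):
        if value:
            flags |= bit
            fields.append(value)
    if with_id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=SW_SHOWNORMAL
    body = b""
    if with_id_list:
        body += struct.pack("<H", 2) + b"\x00\x00"  # IDList holding only the TerminalID
    for value in fields:
        encoded = value.encode("utf-16-le") if unicode else value.encode("cp1252")
        body += struct.pack("<H", len(value)) + encoded
    return header + body


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, analyze_lnk(fh.read()))
```

Run it as `python lnk_check.py *.lnk` over a quarantined sample set; the `collapsed_arguments` field shows the command the padding was hiding, and `reasons` tells you which indicator fired. The parser deliberately stops after StringData and never resolves or executes the target, so it is safe to run on untrusted files.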

State-Sponsored Hackers Actively Abusing the Flaw

The security firm’s analysis found that nearly half of the state-sponsored attackers exploiting this vulnerability originate from North Korea, with the remaining groups linked to Iran, Russia, and China. Approximately 70% of these campaigns focused on espionage and information theft, while over 20% aimed at financial gain.

According to researchers, organizations in various sectors are at high risk, including:

  • Government
  • Energy companies
  • Financial institutions
  • Military and defence
  • Telecommunications providers

While most victims were detected in North America, researchers noted attacks across Europe, Asia, South America, and Australia. Meanwhile, industry leaders are criticizing Microsoft for not addressing such a serious vulnerability.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, expressed surprise at Microsoft’s decision.

“Actively exploited vulnerabilities are usually patched within a short period. It’s unusual for Microsoft to refuse to release a security patch in this situation given that it is actively being exploited by nation-state groups,” said Thomas. “Microsoft should address the vulnerability immediately to manage software risk and prevent further attacks and compromises of systems throughout the world.”

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), is not surprised by Microsoft’s decision.

“Exploiting the vulnerability involves manipulating how Windows displays shortcut files by padding command-line arguments with whitespace characters and if this method requires a chain of specific conditions or user interactions that are unlikely in everyday scenarios, Microsoft may view it as lower risk,” Jason explained. “If the ability to do this requires the attacker to elevate privileges using an endpoint compromise, I have seen Microsoft in the past express a similar viewpoint.”

ZDI and Microsoft: A History of Cybersecurity Disputes

This is not the first time ZDI has criticized Microsoft over a security vulnerability issue. In July 2024, ZDI accused Microsoft of failing to credit them in its Patch Tuesday update and criticized its lack of transparency in vulnerability disclosure.

Another researcher, Haifei Li of Check Point, who independently discovered the same vulnerability, also went unacknowledged, further highlighting the lack of communication from Microsoft.

Nevertheless, Microsoft’s decision not to patch this flaw leaves millions of users exposed and puts organizations at risk as nation-state hackers continue to exploit it. To stay protected, use a strong EDR solution to detect and block malicious .lnk files, monitor network traffic for signs of compromise, train users to avoid suspicious links, and stay updated on security alerts.
