Security researchers have issued a critical alert regarding the active and widespread exploitation of two serious Windows vulnerabilities. Most worryingly, one of them is a zero-day (a flaw unknown to the vendor) that, according to investigations, has been used by attackers since 2017, and remains unpatched by Microsoft.
The attacks are targeting a wide range of users and organizations, suggesting a coordinated, large-scale operation.
1. The Shortcut Zero-Day (.lnk) - CVE-2025-9491
This flaw, now tracked as CVE-2025-9491, resides in the binary format of Windows Shortcuts (.lnk), the component that enables fast access to applications or files.
- Age and Use: It was discovered by Trend Micro in March; the firm's investigation indicated that it had been under active exploitation since 2017 by up to 11 separate APT groups (Advanced Persistent Threats, often linked to nation-states).
- Current Attack: Recently, the firm Arctic Wolf reported that a China-aligned threat group (UNC-6384) is actively exploiting this vulnerability in Europe to deploy the remote access trojan PlugX. To evade detection, the exploit keeps the malicious binary RC4-encrypted until the final stage of the attack.
- Severity and Mitigation: The vulnerability has a severity rating of 7 out of 10. Because Microsoft has yet to release a patch, the most effective countermeasure for users is to restrict .lnk files from untrusted origins by disabling their automatic resolution in Windows Explorer.
2. The Critical WSUS Flaw - CVE-2025-59287
The other vulnerability, classified with a critical severity rating of 9.8 out of 10, resides in Windows Server Update Services (WSUS). WSUS is the tool administrators use to manage the installation and updating of applications across vast server fleets.
- Flaw and Incomplete Patch: This flaw allows for remote code execution (RCE) and has wormable potential. Microsoft unsuccessfully attempted to fix it the previous week during the October Patch Tuesday release. Publicly released Proof-of-Concept (PoC) code quickly demonstrated that the attempted fix was incomplete.
- Active Exploitation: A few days after Microsoft released its second fix attempt, security firms like Huntress and Sophos detected the exploitation of CVE-2025-59287 in multiple customer environments. These attacks affected internet-facing WSUS servers across various industries, though they did not appear to be targeted attacks.
The coordinated activity observed with the zero-day (.lnk) suggests a centralized intelligence operation. Concurrently, the rapid exploitation of the WSUS flaw shows that attackers are highly attentive to newly disclosed vulnerabilities.
It is urgent that administrators immediately investigate whether their devices are vulnerable to either of these ongoing attacks. Currently, there is no official indication of when Microsoft will release a fix for the zero-day (CVE-2025-9491).
The original article detailing the exploitation of both vulnerabilities can be consulted at Ars Technica: Two Windows vulnerabilities, one a 0-day, are under active exploitation.