Since 2017, a critical, still-unpatched Microsoft zero-day vulnerability affecting Windows shortcut (.lnk) files has been exploited by at least 11 state-sponsored threat groups worldwide. The flaw, tracked as ZDI-CAN-25373 by Trend Micro’s Trend Zero Day Initiative, allows attackers to execute malicious commands on victim machines through crafted .lnk files. It has been exploited against organizations in the government, financial, telecommunications, military, and energy sectors. Among the groups exploiting the flaw are actors from North Korea, Iran, Russia, and China, with North Korean actors responsible for about 45% of the attacks. Advanced persistent threat groups such as Evil Corp, Kimsuky, Bitter, and Mustang Panda have been named as key players in these cyber espionage activities.
Despite widespread exploitation, Microsoft has not patched the flaw, stating that it does not meet the criteria for urgent action under the company's severity guidelines. Microsoft does, however, acknowledge the risk and plans to address it in a future update. Current mitigations include Microsoft Defender and Windows Smart App Control, which can detect and block some of the associated threat activity. Users are cautioned against downloading .lnk files because of the potential danger.
Security experts have expressed concern over the delay and urge organizations to take proactive steps. Recommendations include heightened awareness of suspicious .lnk files, scanning specifically for exploitation of this flaw, and strengthening endpoint and network protection. The consensus is that immediate action and clear guidance from Microsoft are needed to help organizations safeguard their digital assets. Until a formal patch is released, proactive cybersecurity measures remain essential, underscoring the need for robust defensive strategies in a complex threat environment.