#VU105851 Spoofing attack in Windows and Windows Server - CVE-2025-9491
Published: March 18, 2025 / Updated: January 9, 2026
Vulnerability identifier: #VU105851
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-9491
CWE-ID: CWE-451
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Windows
Windows Server
Windows
Windows Server
Software vendor:
Microsoft
Microsoft
Description
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in .lnk files. A remote attacker can hide command line arguments inside an .lnk file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Note, the vulnerability is being actively exploited in the wild.
Remediation
Install update from vendor's website.