Spoofing attack in Windows and Windows Server - CVE-2025-9491
Published: March 18, 2025 / Updated: January 9, 2026
Vulnerability identifier: #VU105851
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-9491
CWE-ID: CWE-451
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Microsoft
Affected software:
Windows
Windows Server
Windows
Windows Server
Detailed vulnerability description
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in .lnk files. A remote attacker can hide command line arguments inside an .lnk file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Note, the vulnerability is being actively exploited in the wild.
How to mitigate CVE-2025-9491
Install update from vendor's website.