Windows Vulnerabilities Under Active Exploitation

Two critical Windows vulnerabilities are currently being exploited in extensive attacks, raising concerns among users and security experts. One of these vulnerabilities, known as a zero-day, has been in the hands of attackers since 2017, while the other was a recent critical flaw that Microsoft struggled to patch effectively.

Overview of the Vulnerabilities

The zero-day vulnerability remained undiscovered until March 2025. Security firm Trend Micro revealed that it had been actively exploited by multiple advanced persistent threat (APT) groups, reportedly impacting systems in nearly 60 countries. The most frequent targets include the US, Canada, Russia, and Korea.

This zero-day vulnerability, tracked as ZDI-CAN-25373 and later assigned CVE-2025-9491, arises from a bug in the Windows Shortcut (.lnk) binary format. Shortcuts let users open applications and files quickly without navigating through directories. Despite its critical nature, Microsoft has not released a patch for this vulnerability even seven months after its discovery.

Active Threats and Coordination Among Attackers

On October 31, the security firm Arctic Wolf reported that a China-aligned threat group, referred to as UNC-6384, was exploiting CVE-2025-9491 against various European nations. The exploit leads to the deployment of a widely recognized remote access trojan known as PlugX. Notably, the malware payload is kept RC4-encrypted until the final stage of the attack, which helps it evade inspection.

Arctic Wolf emphasizes that the extensive targeting across multiple European nations within a short period suggests either a large-scale coordinated intelligence collection operation or the operation of multiple independent teams using shared tools.

Mitigation Strategies

With no patch currently available, users can consider several countermeasures. One effective strategy is to restrict the use of .lnk files from untrusted sources. This can be achieved by modifying settings in Windows Explorer to disable the automatic resolution of these files. CVE-2025-9491 carries a severity rating of 7 out of 10.
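Because the flaw lives in the Shortcut binary format itself, one practical way to act on the "restrict untrusted .lnk files" advice is to inspect shortcuts before they are opened. The script below is an added example, not code from the article or from any vendor named in it: it parses the fixed ShellLinkHeader and the StringData section of the MS-SHLLINK format and reports shortcuts whose command-line arguments are oversized or heavily padded with whitespace, or whose target is a command or script launcher. The sample shortcuts are constructed in memory, and the thresholds and launcher watch-list are assumptions to tune for your own environment.

```python
"""Triage Windows .lnk (Shell Link) files before trusting them.

Added example: parses the ShellLinkHeader and StringData of the
MS-SHLLINK format and flags padded or oversized command lines.
Sample shortcuts are constructed here; thresholds are assumptions.
"""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each gated by its flag.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Assumed triage thresholds and watch-list; tune for your environment.
MAX_ARGUMENT_LENGTH = 260
MAX_WHITESPACE_RUN = 32
LAUNCHERS = {"cmd.exe", "powershell.exe", "mshta.exe",
             "wscript.exe", "cscript.exe", "rundll32.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields present in the shortcut."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (uint16) counts the bytes that follow it.
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize (uint32) includes its own four bytes.
        offset += struct.unpack_from("<I", data, offset)[0]
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]  # CountCharacters
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[offset:offset + width * count]
        offset += width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def longest_whitespace_run(text: str) -> int:
    run = best = 0
    for ch in text:
        run = run + 1 if ch.isspace() else 0
        best = max(best, run)
    return best


def assess(fields: dict) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    args = fields.get("arguments", "")
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LAUNCHERS:
        findings.append(f"target is a script/command launcher: {target}")
    if len(args) > MAX_ARGUMENT_LENGTH:
        findings.append(f"arguments unusually long ({len(args)} chars)")
    run = longest_whitespace_run(args)
    if run >= MAX_WHITESPACE_RUN:
        findings.append(f"arguments contain a {run}-char whitespace run (possible padding)")
    if any(not ch.isprintable() for ch in args):
        findings.append("arguments contain non-printable characters")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Construct a minimal Unicode Shell Link for testing (no IDList or LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, etc.
    body = b""
    for text in (relative_path, working_dir, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Constructed samples: a plain document shortcut and a padded launcher shortcut.
    benign = build_lnk("..\\Documents\\report.docx", "C:\\Users\\alice\\Documents", "")
    padded = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "C:\\Windows", " " * 300 + "/c echo hello")
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, assess(parse_lnk(blob)) or ["clean"])
```

Run against a directory of downloaded or mail-delivered shortcuts, the findings list gives a triage queue; a shortcut that parses cleanly and produces no findings is not proven safe, only unremarkable under these heuristics, so the output belongs alongside, not instead of, the Explorer restrictions described above.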

Additional Vulnerability and Recent Updates

The second vulnerability, which Microsoft patched recently, is known as CVE-2025-59287, with a severity rating of 9.8. This flaw affects the Windows Server Update Services, which handle updates for a vast number of servers. After failing to fully patch this vulnerability in an earlier update, Microsoft issued an unscheduled patch following reports of exploitation.

Security firm Sophos reported observing the active exploitation of this vulnerability across several customer environments, indicating widespread attempts to take advantage of the flaw.

Immediate Action Required

Administrators are urged to investigate their systems for exposure, particularly to the ongoing exploitation of CVE-2025-9491. As of now, there is no indication of when a patch will be available.

In conclusion, these vulnerabilities underscore the ongoing challenges faced by Windows users and administrators in securing their systems against sophisticated threats. Users are encouraged to stay informed and proactive in their approach to security.
