Windows Vulnerabilities Under Active Exploitation: A Growing Concern
Two significant Windows vulnerabilities, including a zero-day exploit that has been known to attackers since 2017, are being actively exploited in widespread attacks targeting a large portion of the internet. According to recent reports, these vulnerabilities are being leveraged by advanced persistent threats (APTs) to install malicious payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common targets.
The zero-day vulnerability, initially tracked as ZDI-CAN-25373 and now designated as CVE-2025-9491, stems from a bug in the Windows Shortcut binary format. This Windows component is designed to make opening apps or accessing files easier and faster by allowing a single binary file to invoke them without having to navigate to their locations. Despite being discovered in March, Microsoft has yet to patch this vulnerability, leaving it open to exploitation by malicious actors.
Coordinated Attacks and Exploitation
Security firm Arctic Wolf recently reported that a China-aligned threat group, tracked as UNC-6384, is exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the exploit keeps the payload binary RC4-encrypted until the final step of the attack. This suggests a high level of sophistication and coordination among the attackers, with Arctic Wolf noting that “the breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting.”
Expert Analysis and Recommendations
Experts emphasize the importance of patching vulnerabilities promptly and highlight the need for robust security measures to prevent exploitation. As noted by Trend Micro, the exploitation of CVE-2025-9491 has been ongoing since 2017, with as many as 11 separate APT groups leveraging the vulnerability to install various known post-exploitation payloads. This underscores the need for continuous monitoring and vigilance in the face of evolving cyber threats. For more information on these vulnerabilities and the ongoing attacks, readers can refer to the original report.
Image Credit: arstechnica.com