Unpatched Windows Zero-Day Actively Exploited by State-Sponsored Hackers

Overview

A recently disclosed zero-day vulnerability (ZDI-CAN-25373) in Microsoft Windows has been actively exploited by multiple state-sponsored threat actors since 2017. The vulnerability involves malicious Windows Shortcut (.LNK) files, allowing attackers to execute hidden commands, gain elevated privileges, and compromise systems without user awareness.

Despite widespread exploitation, Microsoft has no plans to release an official patch, categorizing the issue as low severity. Given the ongoing threats, Shield53 strongly advises organizations to implement immediate security controls to mitigate potential risks.

Vulnerability Details

  • Identifier: ZDI-CAN-25373 (a Zero Day Initiative case number rather than a CVE)

  • Impact: Execution of attacker-supplied hidden commands when a user opens the shortcut

  • Attack Vector: Windows Shortcut (.LNK) files

  • Affected Systems: All supported versions of Windows

  • Exploit Status: Actively exploited by multiple state-sponsored APT groups

  • Microsoft Response: No official patch planned; security mitigations recommended

This vulnerability enables malicious .LNK files to execute hidden commands when accessed by a user, facilitating the deployment of malware, credential theft, and persistent access within compromised systems.

Threat Actors and Exploitation

Security researchers have identified nearly 1,000 malicious .LNK file samples actively used in cyber operations, with at least 11 advanced persistent threat (APT) groups leveraging this vulnerability. Key actors include:

  • Evil Corp (Water Asena) – Russian cybercriminal group linked to financial theft and ransomware deployment.

  • Kimsuky (Earth Kumiho) – North Korean cyber espionage group targeting South Korea.

  • ScarCruft (Earth Manticore) – North Korean hacking team conducting intelligence-gathering operations.

  • Bitter (Earth Anansi) – South Asian cyber espionage group focused on high-value targets.

The primary targets of these attacks include government agencies, financial institutions, defense contractors, and telecommunications providers across the United States, Canada, South Korea, Vietnam, and Brazil.

Implications for Organizations

Without an official patch from Microsoft, this vulnerability remains a significant risk, particularly for organizations in highly targeted sectors. If exploited, organizations could face:

  • Unauthorized system access and persistence by advanced adversaries.

  • Exfiltration of sensitive data including financial records and proprietary information.

  • Deployment of sophisticated malware to facilitate further exploitation.

Given its low detection rate and stealthy execution method, ZDI-CAN-25373 poses a long-term threat to businesses that do not implement proper mitigations.

Recommended Mitigation Strategies

Since Microsoft has not released an official patch, Shield53 recommends implementing the following security controls immediately:

1. Restrict Execution of .LNK Files

  • Block execution of untrusted .LNK files received via email, external devices, or network shares.

  • Configure Group Policy to restrict the execution of shortcut files in unapproved directories.

2. Enhance Endpoint Security

  • Deploy behavior-based Endpoint Detection and Response (EDR) solutions to detect abnormal shortcut file executions.

  • Regularly update antivirus and threat intelligence feeds to identify and block malicious .LNK-based payloads.

3. Strengthen Network Protections

  • Monitor for suspicious command execution, particularly child processes spawned by explorer.exe when a user opens a shortcut.

  • Implement network segmentation and access controls to limit lateral movement if an attacker gains access.

4. Implement Security Awareness Training

  • Educate employees on the risks associated with opening shortcut files from untrusted sources.

  • Train users to recognize social engineering attempts that could distribute malicious .LNK files.

5. Regular Security Audits and Threat Hunting

  • Conduct proactive threat hunting to identify potential exploit attempts within the network.

  • Review security logs and track unauthorized access patterns indicative of this attack.
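As an added, defender-side example that is not part of Shield53's advisory, the Python script below supports the threat-hunting step: it walks the StringData section of a Shell Link (.LNK) file as laid out in the MS-SHLLINK binary format and flags shortcuts whose COMMAND_LINE_ARGUMENTS field begins with a long run of whitespace or contains control characters, which keeps the real command out of the file's Properties view. The function names, the 16-character padding threshold, and the minimal shortcut produced by build_sample_lnk (constructed for testing, not a real sample) are my choices.

```python
import struct

# LinkFlags bits and StringData fields from the MS-SHLLINK Shell Link format
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
PAD_CHARS = " \t\r\n\v\f"   # whitespace the Properties dialog does not render


def parse_lnk_strings(data: bytes) -> dict:
    """Walk a Shell Link far enough to return its StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]; pos += 2   # CountCharacters
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out


def suspicious_lnk_findings(data: bytes) -> list:
    """Hunt heuristics for a shortcut whose command line is hidden from the user."""
    args = parse_lnk_strings(data).get("arguments", "")
    findings = []
    padding = len(args) - len(args.lstrip(PAD_CHARS))
    if padding >= 16:   # threshold is an assumption; real samples pad far more
        findings.append(f"{padding} leading whitespace characters hide the real arguments")
    if any(c in args for c in "\r\n\v\f"):
        findings.append("control characters embedded in arguments")
    return findings


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed minimal shortcut (header + COMMAND_LINE_ARGUMENTS) for testing only."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)                   # HeaderSize
    struct.pack_into("<I", header, 0x14, 0x20 | IS_UNICODE)   # HasArguments | IsUnicode
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Point suspicious_lnk_findings at the bytes of each .LNK found on mail gateways or file shares; an empty list means neither heuristic fired, not that the shortcut is safe.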

Conclusion

The active exploitation of ZDI-CAN-25373 highlights the continued risks posed by unpatched Windows vulnerabilities. Without an official patch from Microsoft, organizations must proactively strengthen their security posture by implementing robust detection and mitigation strategies.

Shield53 recommends that businesses immediately assess their exposure and deploy preventive controls to mitigate this threat. Organizations requiring further assistance in securing their Windows environments can contact Shield53 for expert guidance.

🔒 Stay Secure. Stay Vigilant.
– Shield53 Security Team
