Urgent Windows 0-Day and Critical Flaw Actively Exploited

▼ Summary
– Two Windows vulnerabilities are being actively exploited in widespread attacks: a zero-day that attackers have used since 2017, and a critical flaw that Microsoft's recent patch failed to fix.
– The zero-day vulnerability, tracked as CVE-2025-9491, stems from a bug in the Windows Shortcut binary format and has been exploited by up to 11 APT groups since 2017.
– These attacks have targeted infrastructure in nearly 60 countries, with the US, Canada, Russia, and Korea being the most affected.
– A China-aligned threat group, UNC-6384, is currently exploiting CVE-2025-9491 against various European nations, deploying the PlugX remote access trojan.
– The coordinated attacks across multiple European nations suggest a large-scale intelligence operation or parallel teams with shared tools and centralized development.
A serious security crisis is unfolding as two distinct Windows vulnerabilities face active exploitation in widespread attacks across global networks. Security researchers have identified both a previously unknown zero-day flaw that attackers have secretly used since 2017 and a critical vulnerability that Microsoft unsuccessfully attempted to fix in a recent update. These weaknesses are now being leveraged in coordinated campaigns affecting numerous organizations worldwide.
The zero-day vulnerability remained completely undetected until March, when Trend Micro security analysts uncovered evidence that it had been actively exploited for years. Their investigation revealed that as many as eleven separate advanced persistent threat groups, often with suspected nation-state connections, have systematically used this security hole to target specific high-value individuals and organizations. These sophisticated attackers exploited the flaw, originally tracked as ZDI-CAN-25373, to install various known post-exploitation tools across infrastructure spanning nearly sixty countries, with the United States, Canada, Russia, and Korea experiencing the highest concentration of attacks.
Seven months after its discovery, Microsoft has yet to release a patch for this vulnerability, which originates from a fundamental bug within the Windows Shortcut binary format. This Windows component simplifies opening applications or accessing files by allowing a single binary file to launch them without requiring users to navigate through complex directory structures. The vulnerability tracking designation has since been updated from ZDI-CAN-25373 to CVE-2025-9491 in recent security bulletins.
This Thursday brought further concerning developments when security firm Arctic Wolf reported observing a China-aligned threat group, tracked as UNC-6384, actively exploiting CVE-2025-9491 in targeted attacks against various European nations. The attackers’ final payload consistently delivers PlugX, a widely recognized remote access trojan that provides extensive control over compromised systems. To enhance stealth and evade detection, the exploit keeps the PlugX binary RC4-encrypted on disk until the final stage of the attack sequence executes, so earlier stages expose no recognizable malware code to scanners.
“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf analysts stated in their threat advisory. They further noted that “the consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams,” pointing toward a highly organized and well-resourced threat actor behind these campaigns.
(Source: Ars Technica)