Urgent Windows Flaw CVE-2025-9491 Actively Exploited by Hackers

Summary
– A Windows vulnerability (CVE-2025-9491) exploited since at least 2017 is being used by state-sponsored and cybercrime groups in ongoing attacks.
– European diplomatic entities in Hungary, Belgium, Italy, and the Netherlands, plus Serbian aviation departments, were targeted in a recent espionage campaign.
– Attackers sent spearphishing emails with malicious LNK files exploiting the vulnerability to deploy PlugX malware through DLL side-loading of legitimate software.
– The vulnerability allows malicious LNK files with hidden command-line arguments to execute code when opened, bypassing user inspection in Windows.
– Microsoft acknowledged the vulnerability but decided it did not require immediate patching, relying instead on Defender and Smart App Control for protection.
A critical security flaw within the Windows operating system, identified as CVE-2025-9491, is currently being actively exploited by sophisticated hacking groups. This vulnerability, which has been leveraged in cyber espionage campaigns since at least 2017, allows attackers to execute malicious code on targeted systems. Recent attacks have focused on European diplomatic bodies and government aviation departments, highlighting the ongoing risk to both public and private sector organizations.
According to threat researchers at Arctic Wolf Labs, a campaign detected with high confidence is attributed to a threat actor known as UNC6384. This assessment is based on multiple lines of evidence, including shared malware tooling, tactical procedures, targeting patterns, and overlaps in infrastructure with previously documented operations by the same group.
The targets in this recent espionage effort included diplomatic entities across Hungary, Belgium, Italy, and the Netherlands, as well as aviation departments within the Serbian government. Between September and October 2025, UNC6384 distributed spearphishing emails containing embedded URLs. These links ultimately led to the delivery of malicious LNK files disguised with themes related to European Commission meetings and NATO workshops.
These files exploit CVE-2025-9491 to run obfuscated PowerShell commands. The commands extract and deploy a multi-stage malware chain that culminates in the installation of the PlugX remote access trojan. This is achieved through DLL side-loading, a technique that uses legitimate, digitally signed Canon printer assistant utilities to mask the malicious activity.
The vulnerability, also known as ZDI-CAN-25373, was publicly disclosed in March 2025 by Peter Girnus, a threat hunter with Trend Micro’s Zero Day Initiative. It is classified as an example of User Interface Misrepresentation of Critical Information. The flaw enables attackers to craft malicious LNK shortcut files with command-line arguments embedded in the Target field. These arguments are padded with whitespace or other characters, making them difficult for users to spot when inspecting the file through the standard Windows interface. If a user executes the shortcut, these hidden arguments are passed to the system, resulting in unauthorized code execution.
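The padding trick described above leaves a direct trace in the Shell Link binary format, so a defender can check for it without relying on the Properties dialog. The following Python script is an added example written for this article, not code from Arctic Wolf, ZDI or Microsoft: it parses the fixed 76-byte ShellLinkHeader and the StringData section of a .lnk file, extracts the CommandLineArguments string, and reports how much of it is whitespace padding. The 20-character run threshold and the 50% padding ratio are heuristics chosen for illustration, and the fixture builder constructs a minimal, target-less shortcut in memory only so the parser can be exercised offline.

```python
"""Flag .lnk files whose command-line arguments are padded with whitespace.

Added example for this article (not vendor code). Field layout follows the
Shell Link binary format: a 0x4C-byte header, optional LinkTargetIDList and
LinkInfo blocks, then StringData entries (CountCharacters + string, no NUL).
"""
import struct
import sys

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} serialised as a little-endian GUID
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits used here
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

PAD_CHARS = " \t\r\n\x0b\x0c"  # characters used to push real arguments out of view
SUSPICIOUS_RUN = 20  # assumption: heuristic threshold for one contiguous padding run
SUSPICIOUS_RATIO = 0.5  # assumption: heuristic share of padding in the whole string


def parse_lnk(data: bytes) -> dict:
    """Parse header flags and the StringData entries of a Shell Link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size  # IDListSize field plus the IDList itself
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size  # LinkInfoSize counts the whole structure
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    # StringData entries appear in this fixed order, each only if its flag is set
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return {"flags": flags, "strings": strings}


def analyze_arguments(args: str) -> dict:
    """Return padding statistics and a verdict for a CommandLineArguments string."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    pad_count = sum(1 for ch in args if ch in PAD_CHARS)
    ratio = pad_count / len(args) if args else 0.0
    return {
        "length": len(args),
        "padding_chars": pad_count,
        "longest_run": longest,
        "trimmed_arguments": args.strip(PAD_CHARS),
        "suspicious": longest >= SUSPICIOUS_RUN or ratio > SUSPICIOUS_RATIO,
    }


def scan_lnk_bytes(data: bytes) -> dict:
    """Parse a .lnk image and analyse its command-line arguments."""
    parsed = parse_lnk(data)
    report = analyze_arguments(parsed["strings"].get("arguments", ""))
    report["has_arguments"] = "arguments" in parsed["strings"]
    return report


def build_test_lnk(arguments: str) -> bytes:
    """Constructed fixture: a minimal Shell Link carrying only CommandLineArguments.

    It has no LinkTargetIDList or LinkInfo, so it resolves to nothing; it exists
    purely to exercise the parser in tests.
    """
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            r = scan_lnk_bytes(fh.read())
        print(f"{path}: suspicious={r['suspicious']} padding={r['padding_chars']}/"
              f"{r['length']} longest_run={r['longest_run']}")
```

Run it as `python lnk_padding_check.py *.lnk` over a quarantine folder or mail-attachment store; a hit is a triage cue, not a verdict, since the heuristic thresholds will need tuning against the shortcuts normally present in an environment.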
In these attacks, UNC6384 combined this technique with decoy PDF documents. The malicious payload was decrypted and executed directly in memory via DLL side-loading, further concealing the intrusion. Arctic Wolf researchers explained that this three-stage execution flow successfully deploys PlugX malware, which then runs stealthily within a legitimate signed process. This significantly reduces the likelihood of detection by standard endpoint security solutions.
In early September, Arctic Wolf also observed UNC6384 using an HTA file configured to run invisibly in the background. This file loaded external JavaScript from a CloudFront URL, which in turn retrieved the payload from a CloudFront-based command and control server. This delivery mechanism was used to distribute three critical files: cnmpaui.exe, cnmpauix.exe, and cnmplog.dat.
ZDI reported the vulnerability to Microsoft in September 2024, providing information that it had been exploited multiple times in the past by various state-sponsored and cybercrime groups from North Korea, Iran, Russia, and China. Microsoft acknowledged the report but decided the vulnerability did not meet its servicing criteria. At that time, Microsoft stated that Microsoft Defender has detections to identify and block this threat activity, and that Smart App Control offers an additional layer of protection by blocking malicious files from the internet. However, the company indicated it would consider addressing the issue in a future feature release.
Inquiries have been made to Microsoft regarding whether a fix for this vulnerability is planned, and this article will be updated with any new information received.
(Source: HelpNet Security)
