This Windows zero-day vulnerability is being exploited: can we do anything about it?

A Windows zero-day vulnerability that has remained unpatched for eight years is actively being exploited by nation-state hackers and cybercriminals, raising concerns about its impact on global cybersecurity. Despite mounting evidence of its abuse, Microsoft has not classified it as a critical security threat, leaving many organizations exposed to potential attacks.

An old vulnerability with new dangers

The flaw, tracked as ZDI-CAN-25373, allows attackers to create malicious shortcut (.LNK) files that execute hidden commands when opened by unsuspecting users. This method has been widely used for espionage, data theft, and malware distribution, with researchers identifying over 1,000 weaponized .LNK files in recent investigations.

Cybersecurity experts have found that 70% of these exploits were orchestrated by nation-state actors, with North Korean groups leading at 46%, followed by Russia, Iran, and China at approximately 18% each. The remaining attacks were linked to financially motivated cybercriminals.

Why hasn’t Microsoft fixed it?

Despite evidence of widespread exploitation, Microsoft has downplayed the issue, considering it a user interface (UI) problem rather than a critical security flaw. The company stated that the vulnerability does not meet the criteria for an immediate security update but may be addressed in a future Windows release.

However, cybersecurity researchers argue that this is a clear security risk, emphasizing that an unpatched zero-day actively used by state-sponsored hackers should be treated as a priority.

What can users do to stay protected?

Although Microsoft has not issued a direct fix, users can mitigate risks by disabling LNK file execution from external sources, enabling advanced endpoint protection, and maintaining updated security software. Organizations should also monitor for unusual shortcut file activity and enforce strong cybersecurity policies to minimize exposure.