Thu | Mar 20, 2025 | 3:30 PM PDT

A newly discovered Windows zero-day vulnerability is actively being exploited by nation-state threat actors, raising serious cybersecurity concerns across government, financial, and critical infrastructure sectors. The vulnerability, tracked as ZDI-CAN-25373, allows attackers to execute hidden malicious commands via specially crafted Windows shortcut (.lnk) files.

A long-standing security risk

According to Trend Micro's Zero Day Initiative (ZDI), the flaw has been present for at least eight years and remains unpatched by Microsoft. "The vulnerability stems from how Windows displays the contents of shortcut (.lnk) files," Trend Micro researchers explained. "Attackers can embed hidden command-line arguments within these files, enabling the execution of malicious payloads without the victim's knowledge."

The Zero Day Initiative reported the vulnerability to Microsoft six months ago, yet the tech giant has not issued a security patch or mitigation guidance. Cybersecurity experts fear that this delay could leave organizations vulnerable to further exploitation by sophisticated adversaries.

Nation-state actors leverage the zero-day

Trend Micro's analysis revealed that the vulnerability has been exploited by nation-state actors from North Korea, Iran, Russia, and China. These groups are using the exploit to conduct cyber espionage and financial crimes, particularly targeting cryptocurrency platforms and sensitive government data.

"Nearly 1,000 malicious .lnk files exploiting ZDI-CAN-25373 have been identified," the report stated. "However, the actual number of exploitation attempts is likely much higher, indicating a widespread and persistent threat."

Who is affected?

This vulnerability has been used against a broad range of targets, including:

  • Government agencies

  • Financial institutions (especially cryptocurrency platforms)

  • Telecommunications providers

  • Military organizations

  • Energy sector companies

  • Non-Governmental Organizations (NGOs)

Trend Micro confirmed that affected victims have been identified across North America, Europe, Asia, South America, and Australia.

Detection and mitigation

Despite the lack of an official patch from Microsoft, security professionals can take steps to mitigate the risk.

  1. Monitor for suspicious .lnk files – Organizations should scan their systems for shortcut files that may contain embedded malicious commands.

  2. Restrict execution of unknown shortcuts – Prevent the automatic execution of .lnk files from untrusted sources.

  3. Use endpoint detection and response (EDR) solutions – Advanced security tools can detect anomalous behavior linked to shortcut exploitation.

  4. Educate employees – End-users should be trained to recognize suspicious files and avoid executing unknown shortcuts.
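Step 1 in practice means pulling the command-line arguments out of each shortcut and checking what the Properties dialog would not show. The Python below is an added example, not code from the article or from Trend Micro: it walks the MS-SHLLINK layout (header, optional IDList and LinkInfo, then the StringData fields) to recover the target and its arguments, and flags shortcuts whose arguments sit behind a long run of whitespace. It assumes whitespace padding is the hiding technique at issue (a detail from the ZDI/Trend Micro report rather than this article) and treats 32 padding characters as the alert threshold; the two .lnk samples are constructed in code.

```python
import struct

# LinkFlags bits and header constants from the MS-SHLLINK ShellLinkHeader (section 2.1.1).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PAD_CHARS = " \t\r\n\x0b\x0c"  # characters that render blank in the Properties dialog (assumed)

def _read_string(data, off, is_unicode):
    count = struct.unpack_from("<H", data, off)[0]  # StringData: CountCharacters, then chars
    off += 2
    if is_unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count

def lnk_command_line(data):
    """Return (relative target path, arguments) from the StringData section of a .lnk file."""
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) followed by the IDList itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relpath"),
                      (HAS_WORK_DIR, "workdir"), (HAS_ARGS, "args"), (HAS_ICON, "icon")):
        if flags & bit:  # StringData entries appear in this fixed order when present
            strings[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return strings.get("relpath", ""), strings.get("args", "")

def assess_lnk(data, pad_threshold=32):
    """Flag a shortcut whose arguments sit behind a run of whitespace long enough to hide them."""
    relpath, args = lnk_command_line(data)
    hidden = args.strip(PAD_CHARS)
    padding = len(args) - len(hidden)
    return {"target": relpath, "padding": padding, "hidden_args": hidden,
            "suspicious": padding >= pad_threshold and bool(hidden)}

def build_lnk(relpath, args):
    """Construct a minimal Unicode .lnk (header, RELATIVE_PATH, COMMAND_LINE_ARGUMENTS) for testing."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args))

# Constructed samples, not real malware: a normal shortcut and one hiding its arguments past 200 spaces.
BENIGN = build_lnk(r"..\Windows\notepad.exe", "notes.txt")
PADDED = build_lnk(r"..\Windows\System32\cmd.exe", " " * 200 + "/c echo constructed-sample")
```

Run `assess_lnk(open(path, "rb").read())` over a directory of shortcuts and review anything marked suspicious; the `hidden_args` value is what the user would never have seen in the dialog.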

The need for immediate action

The exploitation of ZDI-CAN-25373 highlights the critical need for vendors like Microsoft to act swiftly on reported vulnerabilities. As attackers continue to refine their techniques, organizations must proactively strengthen their defenses.

"Given the severity and active exploitation of ZDI-CAN-25373, it is imperative for organizations to assess their exposure and strengthen defenses accordingly," Trend Micro advised.

For organizations seeking protection, Trend Micro has implemented security rules and filters designed to detect and block exploitation attempts. However, until an official patch is released, cybersecurity teams must remain vigilant against this ongoing threat.

Follow SecureWorld News for more stories related to cybersecurity.
