ZERO-DAYS ‘R US: Two Windows vulnerabilities, one a 0-day, are under active exploitation
HEADS UP:
A critical Windows shortcut vulnerability is enabling advanced persistent threat actors to execute covert malware deployment campaigns against diplomatic and government entities worldwide.
Two Windows vulnerabilities, one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently, are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.
Both vulnerabilities are being exploited in wide-scale operations.
The zero-day was not publicly documented until March, when security firm Trend Micro said it had been under active exploitation since 2017 by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.
A large-scale, coordinated operation
Seven months later, Microsoft still hasn't patched the vulnerability, which stems from a bug in the Windows shortcut (.lnk) binary format. A shortcut makes opening apps or accessing files easier and faster: a single small binary file points at a target program or document, together with the command-line arguments it should be launched with, so the user never has to navigate to the target's location.
In recent months, the ZDI-CAN-25373 tracking designation has been changed to CVE-2025-9491.
On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is PlugX, a widely used remote access trojan. To better conceal the malware, the PlugX binary is kept RC4-encrypted until the final step of the attack.
“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf said. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams.”
With no patch available, Windows users are left with a limited number of options for fending off attacks. The most effective countermeasure is locking down .lnk handling by blocking or restricting the use of .lnk files from untrusted origins such as email attachments and downloaded archives, for example through Windows Explorer or Group Policy settings that stop such shortcuts from being resolved and launched automatically. CVE-2025-9491 carries a severity rating of 7 out of 10.
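Because the flaw lives in the shortcut binary format described above and the only available defence is to treat .lnk files from untrusted origins with suspicion, the most useful check a practitioner can run is to look at what a shortcut would actually execute before anyone double-clicks it. The script below is an added example for this page, not code from Trend Micro, Arctic Wolf or Microsoft. It parses the public Shell Link (MS-SHLLINK) layout far enough to recover the target and the command-line arguments, then applies two heuristics that are my assumptions rather than criteria from the article: a long run of whitespace in the arguments (which pushes the real command out of view in Explorer's Properties dialog) and a target or argument that invokes a script interpreter. The two sample shortcuts are constructed in memory, not captured files.

```python
"""Inspect a Windows shortcut (.lnk) before it is opened.

Added example; not code from Trend Micro, Arctic Wolf or Microsoft.
Parses the public MS-SHLLINK layout up to the StringData section and applies
two assumed heuristics (whitespace padding, interpreter invocation).
"""
import struct

# LinkFlags bits from the ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed heuristic list of interpreters commonly launched by malicious shortcuts.
INTERPRETERS = ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
PADDING_THRESHOLD = 32  # assumed: a whitespace run this long is deliberate padding


def _read_string(buf, pos, unicode):
    """Read one StringData entry: 2-byte character count, then the characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        end = pos + 2 * count
        return buf[pos:end].decode("utf-16-le"), end
    end = pos + count
    return buf[pos:end].decode("cp1252", errors="replace"), end


def parse_lnk(buf):
    """Return the header flags and the StringData fields of a shell link."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip LinkTargetIDList (2-byte size + items)
        (id_list_size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:             # skip LinkInfo (its first field is its total size)
        (link_info_size,) = struct.unpack_from("<I", buf, pos)
        pos += link_info_size
    fields = {"flags": flags}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                   # StringData entries appear in this fixed order
            fields[name], pos = _read_string(buf, pos, bool(flags & IS_UNICODE))
    return fields


def longest_whitespace_run(text):
    best = run = 0
    for ch in text:
        run = run + 1 if ch.isspace() else 0
        best = max(best, run)
    return best


def assess_lnk(buf):
    """Return (effective command line, list of findings) for a shortcut's bytes."""
    info = parse_lnk(buf)
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    findings = []
    padding = longest_whitespace_run(args)
    if padding >= PADDING_THRESHOLD:
        findings.append("arguments hidden behind %d whitespace characters" % padding)
    command = (target + " " + " ".join(args.split())).strip()
    hits = [name for name in INTERPRETERS if name in command.lower()]
    if hits:
        findings.append("invokes interpreter: " + ", ".join(hits))
    return command, findings


def build_lnk(target, arguments, working_dir=""):
    """Construct a minimal Unicode shell link in memory (test data only)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_WORKING_DIR if working_dir else 0)
    # attrs, three timestamps, file size, icon index, SW_SHOWNORMAL, hotkey, reserved x3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def entry(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + entry(target) + (entry(working_dir) if working_dir else b"") + entry(arguments)


# Constructed samples, not real shortcuts.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "-multiInst notes.txt")
PADDED_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                       " " * 300 + "/c powershell -w hidden -c start payload.hta")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        command, findings = assess_lnk(blob)
        print("%s: %s -> %s" % (label, command[:70], findings or "no findings"))
```

To check a real file, pass its bytes: `assess_lnk(open("suspect.lnk", "rb").read())`. The parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than interpreting them, so it never resolves the target itself and is safe to run on untrusted input; treat the two heuristics as triage signals, not proof of exploitation.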
The other Windows vulnerability was patched last week, when Microsoft issued an unscheduled update. CVE-2025-59287 carries a severity rating of 9.8. It resides in Windows Server Update Services (WSUS), which administrators use to approve and distribute Microsoft updates across large fleets of servers and workstations. Microsoft had previously attempted to patch the potentially wormable remote code execution vulnerability, caused by a deserialization flaw, a week earlier in its October Patch Tuesday release. Publicly released proof-of-concept code quickly proved that the attempted fix was incomplete.
> Around the same time that Microsoft released its second fix, security firm Huntress said it had observed the WSUS flaw being exploited starting on October 23. Security firm Eye reported the same finding shortly after.
> Security firm Sophos said Wednesday that it has also observed CVE-2025-59287 being exploited “in multiple customer environments” since October 24.
“The wave of activity, which spanned several hours and targeted internet-facing WSUS servers, impacted customers across a range of industries and did not appear to be targeted attacks,” Sophos said. “It is unclear if the threat actors behind this activity leveraged the public PoC or developed their own exploit.”
Administrators should investigate immediately whether their systems are exposed to either of the ongoing attacks. For WSUS, that means applying the out-of-band update and confirming that WSUS servers (which listen on ports 8530 and 8531 by default) are not reachable from the Internet. There's no indication when Microsoft will release a patch for CVE-2025-9491.