Microsoft has still not fixed a Windows vulnerability discovered back in 2017. This was pointed out by Ars Technica.
This concerns a zero-day vulnerability identified as ZDI-CAN-25373, later changed to CVE-2025-9491. The old issue was ignored until March 2025, when Trend Micro specialists reported it. They noted that hackers have been aware of the flaw since at least 2017, meaning Microsoft has been unable to fix the vulnerability for eight years.
CVE-2025-9491 is related to a component of the operating system (OS) that speeds up application opening and simplifies file access. Moreover, the vulnerability is actively exploited: recently, security experts at Arctic Wolf discovered that hackers, presumably based in China, are exploiting it.
According to experts, although Microsoft has not yet resolved the vulnerability, it can be mitigated. To do this, users should use system settings to limit the use of .lnk files downloaded from unknown sources.
In conclusion, Ars Technica journalists noted that the vulnerability is being used to attack various infrastructure targets. Among those affected are organizations from the USA, Canada, Russia, South Korea, and about 60 other countries.
At the end of October, a Windows bug that prevented the OS from shutting down the personal computer after an update was fixed.