
March 19, 2025

Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers


Since 2017, at least 11 state-sponsored hacking groups from North Korea, Iran, Russia, and China have been exploiting a Windows zero-day vulnerability, tracked as ZDI-CAN-25373, in cyber espionage and data theft campaigns. This flaw allows attackers to execute arbitrary code on affected Windows systems by leveraging malicious Shell Link (.lnk) files, making it a valuable tool for state-backed cyber operations.

The core issue with ZDI-CAN-25373 lies in how Windows handles .lnk files. These files, commonly used for shortcuts, can be crafted with embedded commands or payloads that execute when the file is previewed or opened. Because Windows Explorer automatically processes icon metadata for these files, simply viewing a folder containing a malicious .lnk file could silently trigger the exploit.


Threat actors have been exploiting ZDI-CAN-25373 by crafting malicious .lnk files that, when accessed by a user, automatically trigger the execution of arbitrary code without requiring additional interaction. Security researchers have identified nearly one thousand malicious .lnk samples exploiting ZDI-CAN-25373, indicating that the technique is in wide use.

Despite its exploitation over the years, Microsoft initially stated that the flaw "does not meet the bar for servicing" and had no immediate plans to release a security update to address it. However, following public disclosure and concern over its widespread use, Microsoft provided an update stating that, while they believe adequate security controls are already in place, they will re-evaluate the situation and consider releasing a patch if necessary.

Source: Bleeping Computer

Analysis

Microsoft’s reluctance to assign a CVE identifier to this long-exploited zero-day vulnerability, or to patch it, may stem from several factors.

As noted above, Microsoft believes its existing security controls, such as Windows Defender and Attack Surface Reduction (ASR) rules, already provide sufficient protection. This likely contributed to the flaw not meeting Microsoft’s standard for servicing, especially if the company assumes that exploitation is not widespread enough.

Another consideration could be backward compatibility, as modifying the manner in which Windows handles .lnk files might disrupt legacy systems or enterprise environments that rely on them.

The complexity of issuing a patch may also play a role, as fixing the flaw could introduce new bugs or stability issues. Additionally, given that the exploit has primarily been used by nation-state hacking groups, Microsoft may be weighing geopolitical or strategic factors before deciding to take action.

Lastly, resource allocation could be a factor: Microsoft handles thousands of security vulnerabilities a year and may prioritize those with broader or more immediate risks, such as the six actively exploited zero-day vulnerabilities it addressed during its March 2025 ‘Patch Tuesday’ event.

However, following public scrutiny, the company has stated that it will re-evaluate and consider releasing a patch, indicating that security concerns and community pressure may influence the final decision.

Mitigation

Field Effect’s team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in Microsoft products. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users are automatically notified if a vulnerable version of Windows is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

To protect against ZDI-CAN-25373, Field Effect recommends that organizations and users consider implementing the following measures:

  • Restrict the use of .lnk files from untrusted sources by disabling automatic processing of shortcut files in Windows Explorer.
  • Enforce Attack Surface Reduction (ASR) rules in Microsoft Defender to block potentially malicious behaviors.
  • Deploy an application allowlist solution, such as Microsoft Defender Application Control (MDAC) or AppLocker, to prevent unauthorized execution of scripts or unknown processes triggered by malicious .lnk files.
  • Ensure that email security filters block or flag suspicious attachments and links, as phishing remains a primary delivery method for such exploits. Field Effect users are encouraged to submit any suspicious emails to our Suspicious Email Analysis Service (SEAS) for analysis.
  • Regularly update software and apply security patches for all applications.
  • Provide user education and security awareness training that teaches users to be cautious when handling unexpected attachments, removable media (like USB drives), or downloads from unverified sources, as these remain common delivery mechanisms for malware exploiting vulnerabilities like ZDI-CAN-25373.
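The article describes .lnk files as shortcuts that can carry embedded commands, and the mitigation list above recommends blocking scripts or unknown processes launched through them. The following is an added example, not code from the original article or from Field Effect, that shows what a defender can actually inspect: it parses the public MS-SHLLINK header and StringData fields (name, relative path, working directory, command-line arguments, icon location) of a Shell Link and applies simple triage heuristics. The two shortcuts it examines are constructed in memory for the example; the interpreter list, the argument-length threshold and the UNC icon check are the author's assumptions for illustration, not Microsoft or Field Effect detection rules.

```python
"""Minimal Shell Link (.lnk) parser with triage heuristics (added example)."""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def build_lnk(**fields):
    """Construct a minimal Unicode .lnk carrying only StringData (sample input for
    this example; real shortcuts usually also carry an IDList and LinkInfo)."""
    flags = IS_UNICODE
    body = b""
    for flag, key in STRING_FIELDS:
        value = fields.get(key)
        if value is None:
            continue
        flags |= flag
        body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, etc. zeroed
    return header + body + struct.pack("<I", 0)  # terminal ExtraData block


def parse_lnk(data):
    """Parse the ShellLinkHeader and StringData of a .lnk into a dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
    flags, = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        info_size, = struct.unpack_from("<I", data, pos)
        pos += info_size  # LinkInfoSize includes the size field itself
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData for {key}")
        # Non-Unicode strings use the system code page; cp1252 is assumed here.
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


# Assumed triage heuristics: shells and script hosts a shortcut rarely needs to launch,
# and a command-line length beyond which a human review is warranted.
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta")
MAX_ARG_LEN = 260


def triage(fields):
    """Return a list of findings for one parsed shortcut; empty means nothing notable."""
    findings = []
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    for name in INTERPRETERS:
        if name in target:
            findings.append(f"launches {name}")
            break
    args = fields.get("arguments", "")
    if len(args) > MAX_ARG_LEN:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    if fields.get("icon_location", "").startswith("\\\\"):
        findings.append("icon location is a UNC path resolved by Explorer on view")
    return findings


# Constructed sample shortcuts for this example (not real malware samples).
BENIGN_LNK = build_lnk(
    name="Notepad",
    relative_path="..\\..\\Windows\\System32\\notepad.exe",
    working_dir="C:\\Windows\\System32",
    icon_location="C:\\Windows\\System32\\notepad.exe",
)
SUSPICIOUS_LNK = build_lnk(
    name="Quarterly report",
    relative_path="..\\..\\Windows\\System32\\cmd.exe",
    working_dir="C:\\Windows\\System32",
    arguments="/c echo constructed-sample",
    icon_location="C:\\Windows\\System32\\notepad.exe",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        parsed = parse_lnk(blob)
        print(label, parsed.get("relative_path"), parsed.get("arguments"), triage(parsed))
```

Pointing `parse_lnk` at the bytes of a quarantined shortcut from an email attachment or removable drive surfaces the target and arguments that the Explorer properties dialog may not show in full, which is the information an analyst needs before deciding whether an allowlist or ASR policy would have blocked the launched process.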
