
Recent reports have unveiled two significant vulnerabilities in the Windows operating system, one of which is a zero-day that has been actively exploited since 2017. The information comes from cybersecurity researchers who have identified a surge in attacks leveraging these weaknesses across a large segment of the Internet.

The zero-day went undetected until March, when Trend Micro disclosed that it had been exploited for several years by at least 11 different advanced persistent threat (APT) groups. Such groups, often linked to nation-state actors, concentrate on compromising specific individuals or organizations of strategic interest. The vulnerability, initially tracked as ZDI-CAN-25373, has allowed attackers to deploy a range of post-exploitation tools on systems in nearly 60 countries, with the United States, Canada, Russia, and South Korea among the most frequently targeted.

Despite the ongoing exploitation, Microsoft has yet to release a patch. The flaw lies in the Windows Shortcut binary format, the component that lets a single binary file launch an application or open a file directly, providing quick access to both. The vulnerability has recently been assigned the tracking designation CVE-2025-9491.

In a related development, the security firm Arctic Wolf reported that a China-aligned APT tracked as UNC-6384 has been exploiting CVE-2025-9491 in attacks against several European countries. The final payload is the well-known remote access trojan PlugX. To keep the malware stealthy, the exploit holds the payload binary RC4-encrypted until the final stage of the attack.
Arctic Wolf noted that the extensive targeting of multiple European nations within a short period indicates either a large-scale intelligence gathering operation or the deployment of numerous independent operational teams utilizing shared tools. The consistent tactics employed across diverse targets suggest a centralized approach to tool development and operational security protocols, even as execution is carried out by various teams.
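The report attributes the flaw to the Windows Shortcut binary format but does not describe the flaw itself. The following Python is an added example, not code from the report or from any of the firms it cites: a minimal parser for that format, following the public MS-SHLLINK layout (76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then StringData), that pulls out the fields a defender reviews first when triaging a suspicious shortcut (relative target path, working directory, command-line arguments). The sample shortcut is constructed in-code, and the triage heuristics (an argument-length threshold and a list of interpreter targets) are generic assumptions for illustration, not detection logic for CVE-2025-9491.

```python
"""Minimal Windows Shell Link (.lnk) parser for defensive triage.

Added example following the public MS-SHLLINK layout. The sample shortcut and
the triage thresholds below are constructed for illustration only.
"""
import struct

HEADER_SIZE = 0x4C
# Packed little-endian form of the fixed LinkCLSID {00021401-0000-0000-C000-000000000046}
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that govern which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in exactly this order when their flag is set
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_lnk(data: bytes) -> dict:
    """Validate the ShellLinkHeader and return the StringData fields as a dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link header")
    offset = HEADER_SIZE
    # LinkTargetIDList: uint16 IDListSize followed by that many bytes of item IDs
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size
    # LinkInfo: uint32 LinkInfoSize that counts the size field itself
    if flags & HAS_LINK_INFO:
        (linkinfo_size,) = struct.unpack_from("<I", data, offset)
        offset += linkinfo_size
    fields = {"flags": flags}
    unicode = bool(flags & IS_UNICODE)
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        # Each StringData entry: uint16 CountCharacters, then the unterminated string
        (count,) = struct.unpack_from("<H", data, offset)
        offset += 2
        nbytes = count * 2 if unicode else count
        raw = data[offset:offset + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        offset += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def triage(fields: dict, max_args: int = 256) -> list:
    """Generic review heuristics (assumptions for this example, not the report's findings)."""
    findings = []
    args = fields.get("arguments") or ""
    if len(args) > max_args:
        findings.append(f"arguments unusually long ({len(args)} chars)")
    target = (fields.get("relative_path") or "").lower()
    for interp in ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32"):
        if interp in target:
            findings.append(f"target is a script/host interpreter: {interp}")
    return findings


def build_sample_lnk(relative_path: str, arguments: str, working_dir: str = "") -> bytes:
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo) for demonstration."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if working_dir:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    header += struct.pack("<I", 0x20)           # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                      # CreationTime, AccessTime, WriteTime
    header += struct.pack("<IiIH", 0, 0, 1, 0)  # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey
    header += b"\x00" * 10                      # Reserved1, Reserved2, Reserved3
    assert len(header) == HEADER_SIZE
    body = b""
    for value, bit in ((relative_path, HAS_RELATIVE_PATH),
                       (working_dir, HAS_WORKING_DIR),
                       (arguments, HAS_ARGUMENTS)):
        if flags & bit:
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + body + struct.pack("<I", 0)  # TerminalBlock ends ExtraData


if __name__ == "__main__":
    sample = build_sample_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c notepad.exe", "C:\\Users\\Public")
    parsed = parse_lnk(sample)
    for key in ("relative_path", "working_dir", "arguments"):
        print(f"{key:14} {parsed[key]!r}")
    print("findings:", triage(parsed))
```

The parser deliberately stops after StringData; ExtraData blocks (environment variables, known folders, tracker data) carry further context, but the three fields above are what an analyst checks first. Running the parser over shortcuts found in mail attachments or archives, and feeding the findings into a ticket rather than auto-blocking, keeps false positives manageable while still surfacing shortcuts that point at an interpreter or carry oversized arguments.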