ZERO-DAYS ‘R US
Both vulnerabilities are being exploited in widescale operations.
Credit: Getty Images
Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.
The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.
A large-scale, coordinated operation
Seven months later, Microsoft still hasn’t patched the vulnerability, which stems from how Windows handles the Shortcut (.lnk) binary format. Shortcut files make opening apps or accessing files easier and faster by letting a single small binary file invoke them without navigating to their locations. The flaw is one of misrepresentation: an attacker pads the shortcut’s command-line arguments field with whitespace so that the command the shortcut actually runs is pushed out of view in the Properties dialog a user would check before opening it. In recent months, the ZDI-CAN-25373 tracking designation has been replaced by CVE-2025-9491.
On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the exploit chain keeps the PlugX binary RC4-encrypted until the final step of the attack, when it is decrypted and executed.
“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf said. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams.”
With no patch available, Windows users are left with a limited number of options for fending off attacks. The most effective countermeasure is restricting or blocking .lnk files that arrive from untrusted origins (mail attachments, downloads, and archives) through mail-gateway and endpoint policy, and inspecting the raw arguments field of any shortcut file rather than trusting what the Properties dialog displays. The severity rating for CVE-2025-9491 is 7.0 out of 10.
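Because the Properties dialog is exactly what the padding trick is designed to fool, a defender needs to read the arguments field out of the file itself. The following is an added example (not code from the article, Trend Micro, or Arctic Wolf) that parses enough of the Shell Link format to recover COMMAND_LINE_ARGUMENTS and flags a long run of whitespace inside it. The threshold `PAD_THRESHOLD`, the sample shortcuts built by `build_lnk`, and the stage-two file path in the padded sample are all constructed for illustration.

```python
"""Detect whitespace-padded COMMAND_LINE_ARGUMENTS in Windows .lnk files.

Added example, not code from the article or any vendor it names. Parses the
ShellLinkHeader and StringData sections of the MS-SHLLINK format, which is
enough to reach the arguments field; LinkTargetIDList and LinkInfo are skipped
by their size fields. PAD_THRESHOLD and the samples below are constructed.
"""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) needed to walk to StringData
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

PAD_CHARS = " \t\n\r\x0b\x0c"  # whitespace that renders as nothing in the Properties dialog
PAD_THRESHOLD = 64             # constructed heuristic; real shortcuts have no such runs


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob as a dict of str."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated StringData")
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return fields


def longest_whitespace_run(s: str) -> int:
    """Length of the longest consecutive run of padding characters in s."""
    longest = run = 0
    for ch in s:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    return longest


def scan_lnk(data: bytes) -> dict:
    """Flag a shortcut whose arguments hide a command behind a whitespace run."""
    args = parse_string_data(data).get("arguments", "")
    run = longest_whitespace_run(args)
    suspicious = run >= PAD_THRESHOLD
    return {
        "arguments_len": len(args),
        "longest_whitespace_run": run,
        "hidden_command": args.strip(PAD_CHARS) if suspicious else "",
        "suspicious": suspicious,
    }


def build_lnk(arguments: str, name: str = "", unicode: bool = True) -> bytes:
    """Build a minimal .lnk (header + StringData only) to exercise the parser."""
    flags = HAS_ARGUMENTS | (HAS_NAME if name else 0) | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))

    def string_data(s: str) -> bytes:
        enc = s.encode("utf-16-le" if unicode else "cp1252")
        return struct.pack("<H", len(enc) // 2 if unicode else len(enc)) + enc

    return header + (string_data(name) if name else b"") + string_data(arguments)


# Constructed samples: an ordinary shortcut and one using the padding trick.
BENIGN = build_lnk("/c notepad.exe", name="Notes")
PADDED = build_lnk("\t" * 400 + "/c powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\s.ps1")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, scan_lnk(blob))
```

Run it over a directory of incoming shortcuts and triage anything where `suspicious` is true; the `hidden_command` value is what the shortcut would actually execute. The threshold is deliberately conservative, since a legitimate shortcut has no reason to carry dozens of consecutive tabs or spaces in its arguments.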
The other Windows vulnerability was patched last week, when Microsoft issued an out-of-band update. CVE-2025-59287 carries a severity rating of 9.8. It resides in Windows Server Update Services (WSUS), which administrators use to approve and distribute Microsoft updates to fleets of Windows servers and workstations. Microsoft had previously attempted to patch the potentially wormable remote code execution vulnerability, caused by unsafe deserialization of untrusted data, a week earlier in its October Patch Tuesday release. Publicly released proof-of-concept code quickly showed that the attempted fix was incomplete.
Around the same time that Microsoft released its second fix, security firm Huntress said it had observed the WSUS flaw being exploited starting on October 23. Security firm Eye Security reported the same finding shortly after.
Security firm Sophos said Wednesday that it has also observed CVE-2025-59287 being exploited “in multiple customer environments” since October 24.
“The wave of activity, which spanned several hours and targeted internet-facing WSUS servers, impacted customers across a range of industries and did not appear to be targeted attacks,” Sophos said. “It is unclear if the threat actors behind this activity leveraged the public PoC or developed their own exploit.”
Administrators should immediately determine whether their environments are exposed to either of the ongoing attacks: internet-facing WSUS servers that have not received the out-of-band update, and users who can receive .lnk files from untrusted sources. There’s no indication when Microsoft will release a patch for CVE-2025-9491.
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.