Two Windows vulnerabilities face active exploitation

Researchers have identified two Windows vulnerabilities currently under widespread exploitation, including a zero-day flaw known to attackers since 2017. Microsoft has yet to patch the zero-day, while the second critical issue received an emergency fix after an initial incomplete patch. These attacks target users across multiple countries and involve advanced persistent threats.

The first vulnerability, tracked as CVE-2025-9491, is a zero-day in the Windows Shortcut binary format that has been exploited since 2017. Security firm Trend Micro discovered it in March, noting exploitation by up to 11 advanced persistent threat (APT) groups in nearly 60 countries, with the US, Canada, Russia, and Korea most affected. These APTs, often linked to nation-states, used the flaw—initially designated ZDI-CAN-25373—to deploy various post-exploitation payloads. Seven months later, Microsoft has not issued a patch.

On Thursday, Arctic Wolf reported exploitation by the China-aligned group UNC-6384 against targets in various European nations. The attacks deliver the PlugX remote access trojan, keeping the binary RC4-encrypted until the final stage. Arctic Wolf stated: “The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting.” The flaw's severity is rated 7 out of 10, and users can reduce their exposure by restricting .lnk files from untrusted sources via Windows Explorer settings.
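Because the flaw lives in the Shell Link (.lnk) binary format itself, defenders can triage shortcut files offline rather than relying on what Explorer chooses to display. The script below is an added example and is not code from the article or from Trend Micro, Arctic Wolf, or Microsoft. It parses the fixed 76-byte Shell Link header and the StringData section as laid out in the public MS-SHLLINK specification, and flags the indicator publicly reported for ZDI-CAN-25373: a COMMAND_LINE_ARGUMENTS field padded with a long run of whitespace so that the real command sits outside what the Properties dialog shows. The sample shortcuts, the 64-character run threshold, and the `HIDDEN-COMMAND-PLACEHOLDER` text are constructed for this example.

```python
"""Offline triage of .lnk files for whitespace-padded command-line arguments.
Added example: the parser follows the MS-SHLLINK layout; sample files are built inline."""
import struct

# LinkFlags bits from the MS-SHLLINK specification (low byte only is needed here)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C  # the Shell Link header is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
PADDING_CHARS = set(" \t\r\n\x0b\x0c")  # characters that render as blank space in the UI
MIN_PAD_RUN = 64  # constructed threshold: legitimate shortcuts rarely pad arguments this far

# StringData entries appear in this fixed order, each gated by its LinkFlags bit
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Parse just enough of a Shell Link to reach and decode the StringData strings."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) then the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, field in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {field} string")
        pos += count * width
        strings[field] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return {"flags": flags, **strings}


def assess_arguments(args: str, min_pad_run: int = MIN_PAD_RUN) -> dict:
    """Find the longest blank run in the arguments and whether real text follows it."""
    longest_run, longest_end, run = 0, 0, 0
    for i, ch in enumerate(args):
        if ch in PADDING_CHARS:
            run += 1
            if run > longest_run:
                longest_run, longest_end = run, i + 1
        else:
            run = 0
    hidden_tail = args[longest_end:].strip()  # what the padding pushes out of view
    return {
        "longest_pad_run": longest_run,
        "hidden_tail": hidden_tail[:80],
        "suspicious": longest_run >= min_pad_run and bool(hidden_tail),
    }


def triage(data: bytes) -> dict:
    """Parse a .lnk and score its COMMAND_LINE_ARGUMENTS; absent arguments are benign."""
    link = parse_lnk(data)
    result = assess_arguments(link.get("arguments", ""))
    result["relative_path"] = link.get("relative_path", "")
    return result


def build_lnk(arguments: str, relative_path: str = ".\\notepad.exe") -> bytes:
    """Construct a minimal Unicode .lnk containing only RELATIVE_PATH and arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: a benign shortcut and one with 900 spaces hiding a tail command
BENIGN_LNK = build_lnk("C:\\Users\\Public\\report.pdf")
PADDED_LNK = build_lnk("/c notepad.exe" + " " * 900 + "& echo HIDDEN-COMMAND-PLACEHOLDER")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, triage(blob))
```

Pointing `triage()` at real files from a mail gateway or share is a matter of reading them as bytes; a true hit is one where `hidden_tail` is non-empty, since a long run of trailing spaces with nothing after it is merely odd, not concealment.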

The second vulnerability, CVE-2025-59287, affects Windows Server Update Services (WSUS) and enables remote code execution due to a serialization flaw. Rated 9.8 in severity and potentially wormable, it was first addressed in Microsoft's October Patch Tuesday but proved incomplete after public proof-of-concept code emerged. An unscheduled update last week provided a proper fix. Huntress observed exploitation starting October 23, while Sophos and Eye reported activity from October 24 in multiple customer environments across industries. Sophos noted: “The wave of activity, which spanned several hours and targeted internet-facing WSUS servers, impacted customers across a range of industries and did not appear to be targeted attacks.” It remains unclear if attackers used the public proof-of-concept or developed their own exploits.

Administrators are urged to check for vulnerabilities and apply patches where available, though no timeline exists for CVE-2025-9491.
