Two Windows vulnerabilities—one a zero-day that security researchers say has been exploited since 2017, and another critical flaw that Microsoft recently attempted to patch but has not yet fully fixed—are under active exploitation in broad, internet-spanning campaigns, according to researchers.
The zero-day, tracked as ZDI-CAN-25373 and now CVE-2025-9491, remained undiscovered until March when Trend Micro disclosed its long-running exploitation by as many as 11 advanced persistent threat groups. These actors, often linked to nation-states, used the vulnerability to deploy a range of post-exploitation payloads across infrastructure in roughly 60 countries, with the United States, Canada, Russia, and Korea among the most affected.
Microsoft has not yet patched CVE-2025-9491 seven months after it was disclosed. The flaw originates in the Windows Shortcut binary format, a component designed to streamline opening apps or files by allowing a single shortcut to invoke them without navigating the file system.
In a separate line of activity, Arctic Wolf reported a China-aligned threat group, UNC-6384, abusing CVE-2025-9491 in attacks across several European nations. The final payload in these attacks is the PlugX remote access trojan; the binary is kept RC4-encrypted until the final stage of the attack chain to evade detection.
Separately, the second critical vulnerability, CVE-2025-59287, affects Windows Server Update Services (WSUS). Publicly disclosed after Microsoft’s initial patch attempt proved incomplete, it has been observed being exploited in multiple environments since late October, according to researchers from Sophos and Huntress.
Industry researchers warn that the scale and consistency across disparate targets indicate coordinated tooling and multiple teams operating under shared frameworks. Administrators are advised to apply available updates, harden WSUS configurations, and consider restricting the automatic resolution of .lnk shortcuts to mitigate similar attack chains.