
New Windows Zero-Day Exploited by State-Backed Hackers for Over Seven Years—Microsoft Declines to Patch

At least 11 state-sponsored hacking groups from North Korea, Iran, Russia, and China have been actively exploiting a Windows zero-day vulnerability since 2017. The flaw has been used in data theft and cyber espionage campaigns, giving attackers a foothold on victim systems and access to sensitive information worldwide. Despite the scale and duration of the exploitation, Microsoft has declined to issue a patch, stating that the flaw “does not meet the bar for servicing.”


Technical Details of the Vulnerability

The vulnerability, tracked by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373, was identified by security researchers Peter Girnus and Aliakbar Zahravi. It lies in Shell Link (.lnk) files, the binary format Windows uses for shortcuts. The issue is a user-interface misrepresentation rather than a memory-safety bug: the command-line arguments stored in the shortcut are padded with long runs of whitespace (spaces, tabs, line feeds, vertical tabs, form feeds and carriage returns), which pushes the malicious arguments out of view in the Windows Properties dialog where a user would otherwise see them. When the victim opens the shortcut, the hidden arguments run, allowing attackers to execute code on the system, install malware, steal sensitive information and move further into the network.

“We discovered nearly a thousand Shell Link samples that exploit ZDI-CAN-25373, but the actual number of exploitation attempts is likely far higher,” Girnus and Zahravi stated in their report. They also confirmed that the vulnerability has been actively exploited in the wild for years, with evidence suggesting that multiple nation-state actors have used it in cyber espionage campaigns.
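Because the flaw is a display problem, the hidden arguments are still present in the file and can be found by parsing it. The script below is an added example written for this page, not code from the ZDI report or from Netizen. It parses the ShellLinkHeader and StringData sections of a .lnk file as laid out in Microsoft’s MS-SHLLINK specification, extracts the COMMAND_LINE_ARGUMENTS string, and flags shortcuts whose arguments begin with a long whitespace run or contain whitespace control characters. The two sample shortcuts are constructed fixtures built by the script itself, the 260-character display width used to approximate what the Properties dialog shows and the 16-character padding threshold are assumptions, and `build_lnk`, `parse_lnk` and `analyze_lnk` are names chosen here.

```python
import struct

# Layout constants from the MS-SHLLINK specification
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Whitespace the ZDI-CAN-25373 samples use to push the real arguments out of view
PADDING = " \t\n\x0b\x0c\r"
CONTROL_WS = "\t\n\x0b\x0c\r"  # almost never legitimate inside shortcut arguments


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a Shell Link; raise ValueError on malformed input."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = HEADER_SIZE
    try:
        if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) followed by the IDList
            offset += 2 + struct.unpack_from("<H", data, offset)[0]
        if flags & HAS_LINK_INFO:             # LinkInfoSize includes the size field itself
            offset += struct.unpack_from("<I", data, offset)[0]
        strings = {}
        for field, bit in STRING_FIELDS:
            if not flags & bit:
                continue
            count = struct.unpack_from("<H", data, offset)[0]  # CountCharacters, no terminator
            offset += 2
            width = 2 if flags & IS_UNICODE else 1
            end = offset + count * width
            if end > len(data):
                raise ValueError(f"truncated {field} string")
            raw = data[offset:end]
            strings[field] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
            offset = end
    except struct.error as exc:
        raise ValueError("truncated Shell Link structure") from exc
    return {"flags": flags, "strings": strings}


def analyze_lnk(data: bytes, display_limit: int = 260, padding_threshold: int = 16) -> dict:
    """Report how much of the arguments string is whitespace padding and what the dialog would show."""
    link = parse_lnk(data)
    target = link["strings"].get("relative_path", "")
    args = link["strings"].get("arguments", "")
    leading = len(args) - len(args.lstrip(PADDING))
    control_chars = sorted({c for c in args if c in CONTROL_WS})
    # Assumption: the Target box shows the target and arguments truncated to display_limit characters
    shown = (target + " " + args if args else target)[:display_limit]
    return {
        "target": target,
        "leading_padding": leading,
        "control_chars": control_chars,
        "hidden_arguments": args.strip(PADDING),
        "visible_target": shown.rstrip(PADDING),
        "suspicious": leading >= padding_threshold or bool(control_chars),
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode Shell Link carrying only RELATIVE_PATH and arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,      # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,   # CreationTime, AccessTime, WriteTime
                         0, 0, 1,   # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    encode = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + encode(relative_path) + encode(arguments)


# Constructed samples, not real in-the-wild files: one ordinary shortcut and one padded the way the report describes
BENIGN_LNK = build_lnk("..\\Windows\\System32\\notepad.exe", "C:\\Users\\Public\\notes.txt")
PADDING_BLOB = (" " * 200) + ("\n\x0b\x0c\r" * 25)  # 300 characters of mixed whitespace
PADDED_LNK = build_lnk("..\\Windows\\System32\\cmd.exe", PADDING_BLOB + "/c calc.exe")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, analyze_lnk(sample))
```

Running the script shows the padded shortcut’s visible target collapsing to `..\Windows\System32\cmd.exe` while the parser still recovers `/c calc.exe`; the same `analyze_lnk` call can be run over every .lnk extracted from mail attachments or archives to produce a triage list.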


Microsoft’s Response

Despite being presented with detailed proof-of-concept exploits through Trend Micro’s Zero Day Initiative bug bounty program, Microsoft decided not to release a security patch. The company categorized the flaw as not severe enough to warrant a fix under its current servicing criteria.

“Microsoft tagged it as ‘not meeting the bar for servicing’ in late September and said it wouldn’t release security updates to address it,” the researchers reported. This decision has drawn criticism from the cybersecurity community, as the flaw remains a viable attack vector for state-sponsored actors.


Potential Impact and Threat Landscape

Because the flaw leads to code execution as soon as a victim opens a malicious shortcut, typically delivered by phishing, it is especially dangerous in the hands of advanced persistent threat (APT) groups with nation-state backing. Cybersecurity experts warn that it can be leveraged for a wide range of attacks, including intellectual property theft, infrastructure sabotage, and infiltration of government networks.

The exploitation of ZDI-CAN-25373 highlights the persistent threat posed by zero-day vulnerabilities, particularly when state-sponsored actors are involved. Without a patch from Microsoft, organizations running Windows systems remain exposed to potential attacks, making it essential for security teams to implement compensating controls and enhance monitoring for suspicious activity.


No CVE Assignment Yet

Microsoft has yet to assign a CVE-ID to ZDI-CAN-25373, leaving security researchers and system administrators without an official reference point for tracking and mitigating the issue. In the absence of a patch, Trend Micro recommends that organizations tighten security controls around Shell Link files and increase endpoint monitoring to detect signs of exploitation. In practice this means blocking or quarantining .lnk files that arrive by email or inside archives, inspecting the arguments stored in shortcuts rather than trusting what the Properties dialog displays, and alerting on shortcuts whose arguments are padded with whitespace or that launch interpreters such as cmd.exe and powershell.exe.


How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.