Two Windows vulnerabilities are being actively exploited by hackers, including attacks on Belgian diplomatic services.
Attackers are actively exploiting two bugs in Windows. The first is a zero-day vulnerability that came to light in March but still lacks a proper patch. It was assigned CVE-2025-9491, with a CVSS score of 7.8. The bug stems from a flaw in how Windows handles shortcut files, and hackers had known about it for years while staying under the radar.
Malicious Shortcut
The attack begins with a targeted phishing email. Eventually, the attacker tries to convince the target to download and open LNK files. Through these seemingly innocent shortcuts, they can then execute PowerShell commands that ultimately install a backdoor.
According to security researchers at Arctic Wolf Labs, an espionage campaign by a hacker collective linked to China is currently ongoing. Diplomatic entities are the target. According to the researchers, Belgium is among the countries targeted, along with Hungary and several others. The campaign has been running since September.
It’s notable that Microsoft hasn’t rolled out a patch for the problem yet. An attack always requires human intervention: at some point, the hacker must convince someone to open an infected LNK file. Administrators can restrict access to such files from external sources.
Awareness can also help here. It’s never a good idea to open files from an untrusted source. The fact that an apparently innocent shortcut can also be malicious deserves extra emphasis.
Bug in WSUS
Unfortunately, the above bug isn’t the only one being exploited. Another issue is CVE-2025-59287, with a CVSS score of 9.8. This bug is in Windows Server Update Services (WSUS), which administrators use to install or update software on servers. Through this vulnerability, attackers can execute code across the network and make their way into corporate systems.
This problem has also caught hackers’ attention. Several security companies, including Sophos and Huntress, report active exploitation among their clients. Microsoft tried to patch the bug in October, but without success. A second, exceptional out-of-band patch does provide relief.
Administrators should install this update as soon as possible. There is no real workaround. Those who cannot install the patch must disable WSUS on their servers. Those servers will then no longer receive updates, so this isn’t a long-term solution. Blocking incoming traffic on ports 8530 and 8531 on the host firewall also helps and effectively has the same result: it disables WSUS.
Microsoft emphasizes that the workaround must not be reversed until the patch is installed.
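As an added illustration of the interim workaround described above (this is example code, not Microsoft’s guidance or anything from the article), the following PowerShell checks whether the WSUS role is present on a server, shows what is listening on the WSUS ports, and applies the host-firewall block on TCP 8530 and 8531. It assumes an elevated session on the Windows Server itself and that only WSUS uses those ports (the defaults); the rule name is a constructed placeholder.

```powershell
# Added example (not from the article): audit a Windows Server for the
# WSUS exposure discussed above and apply the host-firewall workaround.
# Run in an elevated PowerShell session on the server itself.
# Assumption: the only listeners on 8530/8531 are WSUS (the defaults).

$WsusPorts = @(8530, 8531)
$RuleName  = 'Block-WSUS-Inbound-CVE-2025-59287'   # constructed name

# 1. Is the WSUS role even installed? If not, this host is not exposed via WSUS.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host 'WSUS role not installed; nothing to block on this host.'
    return
}

# 2. Show what is currently listening on the WSUS ports (for the change record).
Get-NetTCPConnection -State Listen |
    Where-Object { $WsusPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Apply the workaround: block inbound TCP 8530/8531 on the host firewall.
#    This disables WSUS for clients; it is an interim measure only.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $WsusPorts `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created inbound block rule for TCP $($WsusPorts -join ', ')."
} else {
    Write-Host 'Block rule already present; leaving it in place.'
}

# 4. Verify the rule is active. Keep it until the out-of-band patch is installed,
#    then remove it with: Remove-NetFirewallRule -DisplayName $RuleName
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action
```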
Support
These two bugs again illustrate the importance of updates. Now that Windows 10 is no longer supported, that OS won’t receive any more updates. Bugs and vulnerabilities like those described above appear regularly. The longer an OS goes without updates, the more unpatched holes remain in its defenses and the greater the chance of problems.
Do you still have a Windows 10 system in use? Let us know in our poll, and definitely consider (free) ESU updates.
