Analytics Story: ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
Description
This story addresses the Windows shortcut (.lnk) zero-day vulnerability tracked as ZDI-CAN-25373, which has been actively exploited in widespread APT campaigns. A crafted LNK file pads its command-line arguments with whitespace so that the Windows shortcut Properties dialog does not display the malicious command; when the user opens the shortcut, the hidden arguments are passed to the target executable. These files can be delivered over both HTTP and SMB. The exploit has been observed in use by multiple threat actors in targeted attacks.
Why it matters
The Windows shortcut zero-day vulnerability (ZDI-CAN-25373) is a significant threat that has been actively exploited in the wild. The exploit relies on specially crafted LNK files whose COMMAND_LINE_ARGUMENTS field is padded with whitespace (spaces, tabs, line feeds and similar characters) so that the Windows UI shows a harmless-looking target while the padded-out arguments still run when the victim opens the shortcut. Because the malicious shortcuts can be delivered over both HTTP and SMB, they are particularly versatile for attackers. Multiple APT groups, including Water Glashtyn, Earth Iktomi, Water Poukai and others, have been observed leveraging this vulnerability in their campaigns. The attack typically produces suspicious cmd.exe, ssh.exe or powershell.exe execution launched from an LNK file, which can be detected through the corresponding process execution patterns (for example, one of these binaries spawned by explorer.exe with an unusually padded command line). This vulnerability poses a serious risk to Windows systems and requires immediate attention for detection and mitigation.
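The following is an added example, not code from this story or from Splunk's detection content. It parses a .lnk file's ShellLinkHeader and StringData per the MS-SHLLINK layout, extracts COMMAND_LINE_ARGUMENTS, and flags the whitespace padding described above; the same heuristic is then applied to a constructed Sysmon EventID 1 record to show the process-execution angle. The padding threshold (`MAX_BENIGN_RUN`), the cp1252 fallback for non-Unicode strings, the dummy ItemID in `build_lnk`, and the sample event are all assumptions made for the example.

```python
"""Added example (not Splunk's detection code): parse a Windows .lnk
(MS-SHLLINK) file, pull out COMMAND_LINE_ARGUMENTS, and flag the whitespace
padding seen in ZDI-CAN-25373 samples. The same heuristic is then applied to a
constructed Sysmon EventID 1 record. Thresholds and samples are assumptions."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C
# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))
# Whitespace the shortcut Properties dialog does not render usefully.
PAD_CHARS = " \t\n\x0b\x0c\r"
CONTROL_WS = "\n\x0b\x0c\r"
MAX_BENIGN_RUN = 32          # assumed: legitimate shortcuts never need this much
LOLBINS = {"cmd.exe", "powershell.exe", "ssh.exe"}


def _string_data(buf, off, unicode_flag):
    """Read one StringData field: CountCharacters (u16) + characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode_flag:
        end = off + 2 * count
        return buf[off:end].decode("utf-16-le"), end
    end = off + count                      # ANSI: code page assumed to be cp1252
    return buf[off:end].decode("cp1252", errors="replace"), end


def parse_lnk(buf):
    """Validate the header and return the StringData fields as a dict."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:    # IDListSize (u16) followed by the IDList
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:              # LinkInfoSize (u32) covers the whole struct
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if flags & flag:
            fields[name], off = _string_data(buf, off, bool(flags & IS_UNICODE))
    return fields


def assess_padding(text):
    """Return (suspicious, longest_whitespace_run, text_with_padding_stripped)."""
    longest = run = 0
    for ch in text:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    suspicious = longest > MAX_BENIGN_RUN or any(c in CONTROL_WS for c in text)
    return suspicious, longest, text.strip(PAD_CHARS)


def scan_lnk(buf):
    """File-level check: is COMMAND_LINE_ARGUMENTS padded the ZDI-CAN-25373 way?"""
    return assess_padding(parse_lnk(buf).get("arguments", ""))


def flag_process_event(event):
    """Telemetry-level check: cmd/powershell/ssh spawned by explorer.exe with padded args."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if event.get("EventID") != 1 or image not in LOLBINS or parent != "explorer.exe":
        return False
    return assess_padding(event["CommandLine"])[0]


def build_lnk(arguments, relative_path=None):
    """Construct a minimal Unicode .lnk for testing (constructed input, not a real sample)."""
    flags = HAS_ARGUMENTS | IS_UNICODE | HAS_LINK_TARGET_ID_LIST
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
    # HeaderSize, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE, 3 timestamps, FileSize,
    # IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID.bytes_le,
                         flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 4) + b"\x1f\x00" + b"\x00\x00"   # dummy ItemID + TerminalID
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = struct.pack("<H", len(id_list)) + id_list
    if relative_path is not None:
        body += sd(relative_path)
    body += sd(arguments) + b"\x00\x00\x00\x00"                  # ExtraData TerminalBlock
    return header + body


# Constructed samples: a normal shortcut and one padded with 900 spaces.
BENIGN = build_lnk("/k echo hello", r"..\..\Windows\System32\cmd.exe")
PADDED = build_lnk(" " * 900 + "/c powershell -w hidden -c whoami",
                   r"..\..\Windows\System32\cmd.exe")
SAMPLE_EVENT = {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": '"C:\\Windows\\System32\\cmd.exe" ' + " " * 900
                               + "/c powershell -w hidden -c whoami"}

if __name__ == "__main__":
    print(scan_lnk(BENIGN), scan_lnk(PADDED), flag_process_event(SAMPLE_EVENT))
```

`scan_lnk` is the check to run over shortcuts pulled from mail gateways or SMB shares; `flag_process_event` is the shape of the Sysmon EventID 1 / Security 4688 logic this story's data sources feed, and the parent-process condition is what separates a user double-clicking a shortcut from a script calling cmd.exe directly.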
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
References
- https://www.zerodayinitiative.com/advisories/ZDI-25-373/
- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Source: GitHub | Version: 1