Micropatches released for Windows Shell Link Processing Spoofing Vulnerability (CVE-2026-25185)

 

March 2026 Windows Updates brought a patch for CVE-2026-25185, a flaw in Windows Explorer's processing of .LNK files that allowed an attacker to force user's computer to authenticate to a malicious server when the user viewed a shared folder.

The vulnerability was found by TrustedSec researcher Christopher Paschen, who also wrote a detailed article and shared a proof-of-concept, which allowed us to reproduce the issue and create patches for legacy Windows users.

 

The Vulnerability 

Quoting Christopher: "In short, if you have a .lnk with a populated Darwin ExtraData block, and a populated icon environment data block, the system will attempt to open the path pointed to by the icon environment data block. This causes the system to authenticate out to the target, allowing for relay and various credential attacks."

 

Microsoft's Patch

Microsoft fixed this by adding two IsTrustedZonePath calls before both PathFileExistsW calls in CShellLink::_UpdateIconFromExpIconSz. These are basically just MapUrlToZone checks with some extra checks in case this function fails. If the path is declared to be Local, Intranet, or Trusted, PathFileExistsW is called, but if the path is Internet or Restricted, the call is skipped.

 

Our Patch

Our patch is logically identical to Microsoft's.

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

1. Windows 11 v22H2 - fully updated
2. Windows 11 v21H2 - fully updated
3. Windows 10 v22H2 - fully updated
4. Windows 10 v21H1 - fully updated
5. Windows 10 v20H2 - fully updated
6. Windows 10 v2004 - fully updated
7. Windows 10 v1909 - fully updated
8. Windows 10 v1809 - fully updated
9. Windows 10 v1803 - fully updated
10. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
12. Windows Server 2012 - fully updated with no ESU or ESU 1
13. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank TrustedSec researcher Christopher Paschen for sharing the details and their proof-of-concept, which allowed us to create a patch for Windows users who are no longer receiving official Windows patches.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here. 

To learn more about 0patch, please visit our Help Center.