Micropatches released for Windows Shell Link Processing Spoofing Vulnerability (CVE-2026-25185)
March 2026 Windows Updates brought a patch for CVE-2026-25185, a flaw in Windows Explorer’s processing of .LNK files that allowed an attacker to force a user’s computer to authenticate to a malicious server when the user viewed a shared folder. The vulnerability was found by TrustedSec researcher Christopher Paschen, who also wrote a detailed article and shared a proof-of-concept, which allowed us to reproduce the issue and create patches for legacy Windows users.

The Vulnerability

Quoting Christopher: “In short, if you have a .lnk with a populated Darwin ExtraData block, and a populated icon environment data block, the system will attempt to open the path pointed to by the icon environment data block. This causes the system to authenticate out to the target, allowing for relay and various credential attacks.”

Microsoft’s Patch

Microsoft fixed this by adding two IsTrustedZonePath calls before both PathFileExistsW calls in CShellLink::_UpdateIconFromExpIconSz. These are essentially MapUrlToZone checks, with some additional checks in case that function fails. If the path is classified as Local, Intranet, or Trusted, PathFileExistsW is called; if the path is classified as Internet or Restricted, the call is skipped.

Our Patch

Our patch is logically identical to Microsoft’s.

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

Windows 11 v22H2 – fully updated
Windows 11 v21H2 – fully updated
Windows 10 v22H2 – fully updated
Windows 10 v21H1 – fully updated
Windows 10 v20H2 – fully updated
Windows 10 v2004 – fully updated
Windows 10 v1909 – fully updated
Windows 10 v1809 – fully updated
Windows 10 v1803 – fully updated
Windows 7 – fully updated with no ESU, ESU 1, ESU 2 or ESU 3
Windows Server 2008 R2 – fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
Windows Server 2012 – fully updated with no ESU or ESU 1
Windows Server 2012 R2 – fully updated with no ESU or ESU 1

Micropatches have already been distributed to, and applied on, all
affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you’re using Windows versions that aren’t receiving official security updates anymore, 0patch will make sure these vulnerabilities won’t be exploited on your computers – and you won’t even have to know or care about these things.

We’d like to thank TrustedSec researcher Christopher Paschen for sharing the details and their proof-of-concept, which allowed us to create a patch for Windows users who are no longer receiving official Windows patches.

If you’re new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
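As an added illustration that is not part of the original post or of either patch, the following Python walks a .LNK file’s ExtraData blocks and applies the same gate the fix above describes: a shortcut that carries a Darwin block together with an icon environment path that would land in the Internet zone is flagged, which lets a defender scan the shortcuts on a share for this combination. The zone classification is a simplified stand-in for MapUrlToZone, the sample file is constructed inline, and the function names and hostnames are assumptions.

```python
import re
import struct
DARWIN_BLOCK = 0xA0000006     # MS-SHLLINK DarwinDataBlock, BlockSize 0x314
ICON_ENV_BLOCK = 0xA0000007   # MS-SHLLINK IconEnvironmentDataBlock, BlockSize 0x314

def extra_data_blocks(data):
    """Walk a .LNK file and yield (signature, payload) for every ExtraData block."""
    off = struct.unpack_from('<I', data, 0)[0]          # HeaderSize, always 0x4C
    flags = struct.unpack_from('<I', data, 0x14)[0]     # LinkFlags
    if flags & 0x01:                                    # HasLinkTargetIDList: u16 size + IDList
        off += 2 + struct.unpack_from('<H', data, off)[0]
    if flags & 0x02:                                    # HasLinkInfo: u32 total size
        off += struct.unpack_from('<I', data, off)[0]
    width = 2 if flags & 0x80 else 1                    # IsUnicode decides StringData width
    for flag in (0x04, 0x08, 0x10, 0x20, 0x40):         # Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & flag:                                # StringData: u16 char count + chars
            off += 2 + width * struct.unpack_from('<H', data, off)[0]
    while off + 8 <= len(data):
        size, sig = struct.unpack_from('<II', data, off)
        if size < 4:                                    # TerminalBlock ends the list
            break
        yield sig, data[off + 8:off + size]
        off += size

def block_target(payload):
    """TargetAnsi (260 bytes) precedes TargetUnicode (520 bytes); prefer the Unicode copy."""
    uni = payload[260:780].decode('utf-16-le', 'ignore').split('\0', 1)[0]
    return uni or payload[:260].split(b'\0', 1)[0].decode('latin-1')

def is_internet_zone(path):
    """Simplified stand-in for MapUrlToZone: a UNC path or URL to a dotted host or IP counts as Internet."""
    m = re.match(r'^(?:\\\\|[a-z]+://)([^\\/@]+)', path, re.I)
    return bool(m) and '.' in m.group(1)

def assess_lnk(data):
    """Flag what the patch gates: Darwin block present and icon path outside Local/Intranet/Trusted."""
    blocks = dict(extra_data_blocks(data))
    target = block_target(blocks[ICON_ENV_BLOCK]) if ICON_ENV_BLOCK in blocks else None
    risky = DARWIN_BLOCK in blocks and target is not None and is_internet_zone(target)
    return {'darwin': DARWIN_BLOCK in blocks, 'icon_target': target, 'risky': risky}

def build_sample_lnk(icon_target, with_darwin=True):
    """Constructed fixture (not a real-world file): minimal header with IsUnicode set, then ExtraData."""
    header = (struct.pack('<I', 0x4C) + bytes(16) + struct.pack('<I', 0x80)).ljust(0x4C, b'\0')
    def block(sig, text):
        return (struct.pack('<II', 0x314, sig) + text.encode('latin-1').ljust(260, b'\0')
                + text.encode('utf-16-le').ljust(520, b'\0'))
    extra = block(DARWIN_BLOCK, 'placeholder-darwin-descriptor') if with_darwin else b''
    return header + extra + block(ICON_ENV_BLOCK, icon_target) + struct.pack('<I', 0)
```

A shortcut whose icon path points at a dotless intranet host, or one without a Darwin block, is not flagged, mirroring the Local/Intranet/Trusted branch of the fix.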
To learn more about 0patch, please visit our Help Center.

0patch Blog