What Is Windows Shell LNK Processing?
Windows Shell .lnk (shortcut) files are used throughout Windows for desktop shortcuts, Start menu entries, and taskbar pinned items. When Windows Explorer displays a folder containing an LNK file, the Shell automatically reads the LNK file to display its icon — and this icon loading can trigger the loading of DLLs or the execution of code specified in the LNK file. CVE-2017-8464 is the spiritual successor to CVE-2010-2568 (the original Stuxnet LNK vulnerability) — a similar pattern in which icon display causes code execution, exploitable by placing a malicious LNK file on a USB drive or network share.
Overview
CVE-2017-8464 is a remote code execution vulnerability in Windows Shell. When Windows Explorer or a program that uses the Shell API displays a folder containing a maliciously crafted .lnk file, arbitrary code specified in the LNK file executes with the privileges of the browsing user. The attack does not require the user to click the LNK — merely browsing to a folder containing it (via file manager, USB auto-browse, or mapped network drive) triggers execution. Fixed in the June 2017 Patch Tuesday security update. CISA added CVE-2017-8464 to the KEV catalog in February 2022.
Affected Versions
Multiple Windows versions — see Microsoft Security Advisory for CVE-2017-8464 for specific affected OS versions. Includes Windows Vista through Windows 10 and Windows Server 2008 through 2016.
Technical Details
Root Cause: Improper Input Validation in LNK Icon Loading
CVE-2017-8464 is an improper input validation vulnerability (CWE-20) in the Windows Shell LNK file parsing code. When Shell processes an LNK file to display its icon, it reads properties from the LNK structure including a path to a CPL (Control Panel) file or a DLL to use as the icon source. By crafting an LNK file that specifies a malicious DLL as its icon source, an attacker causes the Shell to load and execute code from that DLL when any Explorer window displays the LNK file.
Attack vectors:
- USB drive: Place malicious LNK on USB; inserting the drive and having Windows auto-browse (or victim browsing manually) triggers execution
- Network share: Place malicious LNK on a file share; victim browsing the share triggers execution
- Email/downloads: LNK file delivered as attachment or downloaded; opening the containing folder triggers execution
- WebDAV: Host malicious LNK on a WebDAV server; victim browsing the share triggers execution
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — LNK on network share or USB |
| User Interaction | Required — browse to folder containing LNK |
| Execution | Immediate — no user click on LNK required |
| Historical parallel | CVE-2010-2568 (Stuxnet LNK vulnerability) |
Discovery
Patched in June 2017 Patch Tuesday; vulnerability pattern parallels CVE-2010-2568 (Stuxnet). The persistent exploitation of LNK vulnerabilities reflects their effectiveness as a delivery mechanism.
Exploitation Context
- Stuxnet heritage: The LNK-based code execution pattern was first weaponized by Stuxnet (CVE-2010-2568) against Iranian nuclear facilities via USB drives; CVE-2017-8464 represents a recurrence of the same class — validating the ongoing relevance of LNK exploitation
- USB-based malware delivery: Nation-state actors and cybercriminals use USB-based LNK exploits for air-gapped network infiltration — targeting facilities that restrict internet access but permit USB use; CVE-2017-8464 was used in malware campaigns targeting industrial and government facilities
- Spear phishing with network share access: Sending victims links to network shares containing malicious LNK files is a common spear phishing technique that achieves execution without requiring macro approval or email attachment opening
- CISA KEV (2022): Added February 10, 2022 reflecting confirmed exploitation in targeted attacks
Remediation
- Apply June 2017 Windows security updates — install the Microsoft security update for CVE-2017-8464 from the June 2017 Patch Tuesday or any subsequent cumulative update; modern Windows 10/11 systems with automatic updates enabled should already be patched.
- Disable Windows Search indexing of network shares — as a defense-in-depth measure, restricting Shell interaction with untrusted network locations reduces LNK-based attack surface.
- Enforce USB device policies — use Group Policy or endpoint protection tools to restrict USB mass storage devices to known/authorized devices; this limits the USB delivery vector for LNK exploits.
- Deploy AppLocker or WDAC rules — Windows Defender Application Control (WDAC) and AppLocker can restrict which DLLs and executables are allowed to run; this limits the payload a LNK exploit can deliver.
- Monitor for unusual DLL load events — alert on DLL loads from removable media paths, network shares, or temp directories, which may indicate LNK exploit execution.
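As an added defender-side example (not part of this advisory), the following Python sketches the "monitor for unusual DLL load events" check above, tied to the icon-load mechanism described under Technical Details: it runs over constructed, simplified image-load records modelled on Sysmon Event ID 7 fields and flags DLL/CPL loads by explorer.exe from network shares, removable drives, or temp directories. The sample lines, the key=value record format, and the REMOVABLE_DRIVES set are assumptions of this example.

```python
import re

# Constructed, simplified image-load records modelled on Sysmon Event ID 7
# fields (not captured from a real host); values containing spaces are quoted.
SAMPLE_EVENTS = [
    'EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll Signed=true',
    'EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=\\\\fileserver\\share\\icons\\payload.dll Signed=false',
    'EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=E:\\setup\\helper.cpl Signed=false',
    'EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll Signed=false',
    'EventID=7 Image="C:\\Program Files\\App\\app.exe" ImageLoaded="C:\\Program Files\\App\\lib.dll" Signed=true',
    'EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\appwiz.cpl Signed=true',
]

# Assumption: which drive letters are removable media comes from device/asset
# inventory, since the image-load event itself only records a path.
REMOVABLE_DRIVES = {"E", "F"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a key=value record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def untrusted_location(path, removable=REMOVABLE_DRIVES):
    """Return why a module path is untrusted for the Shell to load, or None."""
    p = path.lower()
    if p.startswith("\\\\"):                       # UNC path: network share / WebDAV
        return "network share"
    if len(p) > 1 and p[1] == ":" and p[0].upper() in removable:
        return "removable media"
    if "\\temp\\" in p or "\\tmp\\" in p:          # e.g. extracted mail attachments
        return "temp directory"
    return None

def suspicious_shell_loads(lines, shell_hosts=("explorer.exe",)):
    """Flag DLL/CPL loads by the Shell host process from untrusted locations."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        image, loaded = ev.get("Image", "").lower(), ev.get("ImageLoaded", "")
        if not any(image.endswith("\\" + h) for h in shell_hosts):
            continue                               # only the Shell's own loads matter here
        reason = untrusted_location(loaded)
        if reason is not None:
            hits.append({"loaded": loaded, "reason": reason,
                         "signed": ev.get("Signed") == "true"})
    return hits
```

Calling `suspicious_shell_loads(SAMPLE_EVENTS)` returns three hits (the network-share DLL, the removable-drive CPL, and the temp-directory DLL) and leaves the System32 loads alone; in a real pipeline the Signed field would drive alert priority.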
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-8464 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2017-06-15 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-20 — Improper Input Validation |
| CISA KEV Added | 2022-02-10 |
| CISA KEV Deadline | 2022-08-10 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2017-06-13 | Microsoft releases June 2017 Patch Tuesday security updates patching CVE-2017-8464 |
| 2017-06-15 | CVE-2017-8464 published by NVD |
| 2022-02-10 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-08-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-8464 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Response Center — CVE-2017-8464 | Vendor Advisory |