mklink command Archives

Winsage

September 8, 2025

Windows Defender Vulnerability Allows Service Hijacking and Disablement via Symbolic Link Attack

A vulnerability in the Windows Defender update process allows users with administrator privileges to disable the security service and manipulate its files. This flaw enables attackers to create a symbolic link (symlink) with a higher version number that redirects the Defender service to a folder they control. The attacker can then execute malicious actions, such as introducing harmful code or deleting executable files, effectively disabling the service and exposing the system to threats.

Winsage

April 24, 2025

Microsoft mystery folder fix might need a fix of its own

Microsoft's recent patch for CVE-2025-21204 inadvertently reintroduced the inetpub folder at c:inetpub as part of its mitigation strategy, raising concerns among system administrators. Security researcher Kevin Beaumont discovered that this folder created a new vulnerability when he used the mklink command with the /j parameter to redirect the folder to a system executable (notepad.exe). This allowed standard users to prevent Windows updates without administrative rights, as the command could be executed on default-configured systems. Beaumont has notified Microsoft of this vulnerability, but the company has not yet responded.