Microsoft’s recent patch aimed at addressing a critical vulnerability has inadvertently opened the door to new security concerns. The focus of this latest development is an unexpected reappearance of the inetpub folder, typically found at c:inetpub, which was deployed as part of the company’s mitigation strategy for CVE-2025-21204. This flaw, related to elevation of privileges within Windows Process Activation, prompted Microsoft to create the folder as a preventive measure against potential symlink attacks.
However, the reintroduction of this legacy folder has raised eyebrows among system administrators. Many have questioned the effectiveness of this mitigation, as it seemingly does little more than ensure the folder’s existence without addressing the underlying code directly. For security researcher Kevin Beaumont, this situation presented an opportunity to delve deeper into the implications of the workaround.
Uncovering New Vulnerabilities
Upon investigation, Beaumont discovered that the newly created folder introduced its own vulnerability. By utilizing the mklink command with the /j parameter, he was able to exploit the folder’s presence. The mklink command, as outlined in Microsoft’s documentation, is designed to create symbolic or hard links for files and directories. When paired with the /j flag, it creates a directory junction, effectively redirecting filesystem paths.
Beaumont demonstrated this vulnerability by executing the command: mklink /j c:inetpub c:windowssystem32notepad.exe. This action transformed the inetpub folder—originally intended to block symlink abuse—into a redirect to a system executable. Consequently, when Windows Update attempted to access the folder, it encountered an erroneous target, resulting in a failure to update and a rollback of the process.
What makes this situation particularly concerning is that no administrative rights are required to execute this command. On many default-configured systems, even standard users can perform this action, effectively preventing Windows updates without the need for elevated privileges.
This seemingly trivial oversight now places additional burdens on system administrators, who must actively monitor for any tampered junctions until Microsoft addresses the issue. Once again, the scrutiny of Microsoft’s testing processes intensifies, leaving administrators to ponder how such a fundamental denial-of-service vulnerability made its way into production. Historically, symlinks and junctions have been recognized as potential attack vectors, and this incident underscores the need for vigilance in the face of evolving security challenges.
As of now, Beaumont has notified Microsoft of the discovered vulnerability, but the tech giant has yet to issue a response.
