In early April 2025, Microsoft took significant steps to address a critical security vulnerability identified as CVE-2025-21204. This flaw allowed malicious actors to exploit symbolic links (symlinks) within the Windows servicing stack, specifically targeting the c:inetpub directory, a default folder utilized by Internet Information Services (IIS). By manipulating misconfigured permissions, attackers could create symlinks that granted them system-level access.
To mitigate this risk, Microsoft’s updates preemptively created the c:inetpub folder across all systems, ensuring that appropriate permissions were in place. However, this well-intentioned fix has inadvertently led to a new challenge.
The New Flaw: How It Works
Security researcher Kevin Beaumont uncovered that the patch inadvertently introduced a denial-of-service (DoS) vulnerability within the Windows servicing stack. This new flaw allows non-administrative users to create junction points—a specific type of symlink—on the c: drive, thereby disrupting the Windows Update mechanism.
A straightforward command, executable by any non-admin user through Command Prompt, illustrates the exploit:
mklink /j c:inetpub c:windowssystem32notepad.exeThis command links the c:inetpub directory to a non-directory file, such as notepad.exe. Once this junction is established, the Windows servicing stack is unable to process updates, leading to installation errors or rollbacks. Consequently, systems affected by this issue cannot receive future security patches unless the malicious junction is manually removed.
Implications for Organizations
- Permanent Update Block: Systems compromised by the malicious symlink will remain unpatched indefinitely, leaving them vulnerable to known exploits.
- Low Barrier to Exploit: Attackers or malicious insiders require only basic user access to trigger this flaw.
- No Official Fix Yet: Despite Beaumont reporting the issue to the Microsoft Security Response Center (MSRC) two weeks ago, Microsoft has not publicly acknowledged the problem.
Microsoft’s Silence and Mitigation Steps
As of April 25, Microsoft has yet to release a patch or advisory regarding this vulnerability. Beaumont has criticized the company for its lack of communication, emphasizing that this flaw undermines the original intent of the patch.
- Monitor and restrict user permissions to create symlinks in
c:. - Utilize endpoint detection tools to identify unauthorized junction points.
- Manually remove suspicious symlinks in
c:inetpubprior to installing updates.
This incident serves as a reminder of the risks associated with hastily implemented patches in complex systems like Windows. The ongoing challenges related to symlink vulnerabilities highlight the necessity for thorough testing of security fixes. For the time being, organizations must exercise vigilance, as the very updates intended to safeguard their systems may inadvertently leave them exposed to critical risks.
