'Microsoft’s Fix for Windows Vulnerability Introduces New Security Flaw via Directory Junctions'

Here is a summary of the issue described in the article from The Register:
In April 2025, Microsoft quietly reintroduced the c:\inetpub folder to Windows systems as a mitigation for CVE-2025-21204, an elevation-of-privileges flaw within Windows Process Activation. Instead of patching the code, Microsoft simply made sure that c:\inetpub existed to block a symlink attack. However, security researcher Kevin Beaumont found that this approach introduced a new vulnerability.
He discovered that anyone, including standard (non-admin) users, could use the mklink command with the /j flag to turn c:\inetpub into a directory junction (a kind of filesystem redirect). For example, the command:
mklink /j c:\inetpub c:\windows\system32\notepad.exe
would redirect the folder to a system executable. When Windows Update tries to interact with c:\inetpub, it hits the wrong target, errors out, and rolls back—leaving the system without security updates. Importantly, this does not require admin rights—standard users can do this on many default-configured systems, causing a denial of service on Windows Updates without escalating privileges.
Sysadmins are now forced to check for tampered directory junctions until Microsoft addresses the issue with a better fix. Microsoft has been notified, but as of the article's publication there has been no official response.
In summary:
A recent Microsoft patch to block a vulnerability was itself vulnerable to a simple but effective attack, allowing standard users to disrupt Windows Updates using directory junctions.
Reference:
Read the original article here: The Register: Microsoft mystery folder fix might need a fix of its own

Source: Microsoft mystery folder fix might need a fix of its own
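
The junction check the summary says sysadmins now need, as an added example that is not part of the original post or of any Microsoft guidance. The function name `Test-InetpubJunction` and its status labels are assumptions made for illustration; the check is read-only and changes nothing on disk.

```powershell
# Added example: report whether the inetpub folder is still a plain directory.
# Test-InetpubJunction and the Status values are illustrative names, not a Microsoft tool.
function Test-InetpubJunction {
    [CmdletBinding()]
    param(
        # Defaults to the folder the April 2025 update creates on the system drive.
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    # -Force returns the item even if it is hidden. A missing folder is reported too,
    # because the mitigation described above relies on the folder existing.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Path = $Path; Status = 'Missing'
            LinkType = $null; Target = $null
        }
    }

    # Junctions and symbolic links carry the ReparsePoint attribute; a normal folder does not.
    $isReparse = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)

    $status = 'OK'
    if (-not $item.PSIsContainer) {
        $status = 'NotADirectory'
    } elseif ($isReparse) {
        $status = 'Redirected'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $item.FullName
        Status   = $status
        LinkType = $item.LinkType              # e.g. 'Junction' when redirected
        Target   = ($item.Target -join '; ')   # where the redirect points
    }
}

$result = Test-InetpubJunction
$result | Format-List
if ($result.Status -ne 'OK') {
    Write-Warning "$($result.Path) is $($result.Status); investigate before the next update cycle."
}
```

A `Redirected` result with a `Target` outside the expected location is the condition the post describes; the returned object can be collected from multiple hosts with whatever remoting or inventory tooling is already in place.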
 
