Saturday, May 31, 2025
HomeCyber Security NewsMicrosoft's Patch for Symlink Vulnerability Introduces New Windows Denial-of-Service Flaw

Microsoft’s Patch for Symlink Vulnerability Introduces New Windows Denial-of-Service Flaw

Published on

SIEM as a Service

Follow Us on Google News

Microsoft’s recent attempt to resolve a critical privilege escalation vulnerability has inadvertently introduced a new denial-of-service (DoS) flaw in Windows systems, leaving organizations vulnerable to update failures and potential security risks.

In early April 2025, Microsoft addressed CVE-2025-21204, a security flaw that allowed attackers to abuse symbolic links (symlinks) to elevate privileges via the Windows servicing stack.

The vulnerability centered on the c:\inetpub directory, a default folder for Internet Information Services (IIS). Attackers could exploit misconfigured permissions to create symlinks and gain system-level access.

- Advertisement - Google News

To resolve this, Microsoft’s April 2025 Windows updates precreated the c:\inetpub folder on all systems, ensuring proper permissions. However, this fix has backfired spectacularly.

The New Flaw: How It Works

Security researcher Kevin Beaumont discovered that Microsoft’s patch introduced a denial-of-service vulnerability in the Windows servicing stack.

Non-administrative users can now create junction points (a type of symlink) within the c:\ drive, disrupting the Windows Update mechanism.

Non-admin (and admin) users can create junction points in c:\
Non-admin (and admin) users can create junction points in c:\

A simple command—executable by any non-admin user via Command Prompt—illustrates the exploit:

mklink /j c:\inetpub c:\windows\system32\notepad.exe 

This links c:\inetpub to a non-directory file (notepad.exe). Once this junction is created, the Windows servicing stack fails to process updates, causing installations to error out or roll back.

Affected systems cannot install future security patches unless the malicious junction is manually removed.

Implications for Organizations

  • Permanent Update Block: Systems with the malicious symlink will remain unpatched indefinitely, exposing them to known exploits.
  • Low Barrier to Exploit: Attackers or malicious insiders need only basic user access to trigger the flaw.
  • No Official Fix Yet: Microsoft has not acknowledged the issue publicly, despite Beaumont reporting it to the Microsoft Security Response Center (MSRC) two weeks ago.

Microsoft’s Silence and Mitigation Steps

As of April 25, Microsoft has not issued a patch or advisory. Beaumont criticized the lack of communication, noting that the flaw undermines the purpose of the original patch.

  1. Monitor and restrict user permissions to create symlinks in c:\.
  2. Use endpoint detection tools to flag unauthorized junction points.
  3. Manually delete suspicious symlinks in c:\inetpub before installing updates.

This incident highlights the risks of rushed patches in complex systems like Windows.

Symlink-related vulnerabilities have plagued Microsoft for years, and this misstep reinforces the need for rigorous testing of security fixes.

For now, organizations must remain vigilant—ironically, the same updates designed to protect systems could leave them stranded without critical protections.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...