Microsoft’s recent attempt to resolve a critical privilege escalation vulnerability has inadvertently introduced a new denial-of-service (DoS) flaw in Windows systems, leaving organizations vulnerable to update failures and potential security risks.
In early April 2025, Microsoft addressed CVE-2025-21204, a security flaw that allowed attackers to abuse symbolic links (symlinks) to elevate privileges via the Windows servicing stack.
The vulnerability centered on the c:\inetpub directory, a default folder for Internet Information Services (IIS). Attackers could exploit misconfigured permissions to create symlinks and gain system-level access.
To resolve this, Microsoft’s April 2025 Windows updates precreated the c:\inetpub folder on all systems, ensuring proper permissions. However, this fix has backfired spectacularly.
Security researcher Kevin Beaumont discovered that Microsoft’s patch introduced a denial-of-service vulnerability in the Windows servicing stack.
Non-administrative users can now create junction points (a type of symlink) within the c:\ drive, disrupting the Windows Update mechanism.
A simple command—executable by any non-admin user via Command Prompt—illustrates the exploit:
mklink /j c:\inetpub c:\windows\system32\notepad.exe
This links c:\inetpub to a non-directory file (notepad.exe). Once this junction is created, the Windows servicing stack fails to process updates, causing installations to error out or roll back.
Affected systems cannot install future security patches unless the malicious junction is manually removed.
Implications for Organizations
Microsoft’s Silence and Mitigation Steps
As of April 25, Microsoft has not issued a patch or advisory. Beaumont criticized the lack of communication, noting that the flaw undermines the purpose of the original patch.
This incident highlights the risks of rushed patches in complex systems like Windows.
Symlink-related vulnerabilities have plagued Microsoft for years, and this misstep reinforces the need for rigorous testing of security fixes.
For now, organizations must remain vigilant—ironically, the same updates designed to protect systems could leave them stranded without critical protections.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…
Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…
The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…
The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…
IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…
Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…