Microsoft recently patched CVE-2025-21204, a vuln which allows users to abuse symlinks to elevate privileges using the Windows servicing stack and the c:\inetpub folder. There’s a good write-up here:
Abusing the Windows Update Stack to Gain SYSTEM Access (CVE-2025-21204)
To fix this, Microsoft precreates the c:\inetpub folder on all Windows systems from April 2025’s Windows OS updates onwards.
However, I’ve discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates.
How
Non-admin (and admin) users can create junction points in c:\

So a non-admin user can just do Windows+R, cmd, and then run:
mklink /j c:\inetpub c:\windows\system32\notepad.exe
This creates a symlink between c:\inetpub and notepad. After that point, the April 2025 Windows OS update (and future updates, unless Microsoft fix it) fails to ever install — they error out and/or roll back. So you just go without security updates.
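
A read-only check a defender can run to see whether c:\inetpub on a machine is a junction or other reparse point, as created by the mklink command above. This is an added example, not code from the original post or from Microsoft; the function name Test-InetpubReparsePoint and its output fields are made up for illustration.

```powershell
# Added example (not from the original post). Read-only: changes nothing on disk.
# Function name and output fields are hypothetical, chosen for illustration.
function Test-InetpubReparsePoint {
    [CmdletBinding()]
    param(
        # Defaults to the folder named in the post; override to test other paths.
        [string]$Path = 'C:\inetpub'
    )

    $r = [ordered]@{
        Computer       = $env:COMPUTERNAME
        Path           = $Path
        Exists         = $false
        IsReparsePoint = $false
        LinkType       = $null
        Target         = $null
        CreatedUtc     = $null
        Finding        = 'NotPresent'
    }

    # Get-Item returns the link object itself; -Force includes hidden/system items.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $r.Exists     = $true
        $r.CreatedUtc = $item.CreationTimeUtc
        $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        $r.IsReparsePoint = $isLink

        if ($isLink) {
            # LinkType/Target are populated by PowerShell for junctions and symlinks.
            $r.LinkType = $item.LinkType
            $r.Target   = @($item.Target) -join '; '
            $r.Finding  = 'ReparsePoint'      # the condition described above
        }
        elseif (-not $item.PSIsContainer) {
            $r.Finding = 'NotADirectory'      # a plain file is sitting at the path
        }
        else {
            $r.Finding = 'PlainDirectory'
        }
    }
    [pscustomobject]$r
}

# Example run; pipe to Export-Csv or your inventory tooling as needed.
Test-InetpubReparsePoint | Format-List
```

A Finding of ReparsePoint on a machine where nobody deliberately linked the folder is worth correlating with failed or rolled-back update installs on that host.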

I reported this to MSRC about two weeks ago, but haven’t had a response.
Microsoft’s patch for CVE-2025–21204 symlink vulnerability introduces another symlink vulnerability was originally published in DoublePulsar on Medium, where people are continuing the conversation by highlighting and responding to this story.