Microsoft patched a vulnerability in Windows, but created a new vulnerability along with it

Windows 11/Windows 10

This month, Microsoft patched the CVE-2025-21204 vulnerability in Windows that allowed attackers to "execute and/or manipulate file management operations on a victim's machine with NT AUTHORITY\SYSTEM account privileges." To address this issue, the April 2025 update creates a new %systemdrive%\inetpub folder, even on devices not using Internet Information Services (IIS).

However, it turns out that this fix has introduced a new vulnerability that can block the installation of future Windows security updates. The issue was reported by security researcher Kevin Beaumont.

The problem is that any user can create a link (the command below uses mklink /j, which creates a junction) that redirects the system path c:\inetpub to another object, such as Notepad. As a result, attempts to install the April 2025 update (and likely all subsequent updates) either fail or roll back changes.

mklink /j c:\inetpub c:\windows\system32\notepad.exe

Beaumont notified the Microsoft Security Response Center (MSRC) about this issue approximately two weeks ago but hasn't received a response yet.
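
A defender-side check for the condition described above, added here as an example and not taken from the original article, from Beaumont or from Microsoft: the PowerShell function below (its name, Test-InetpubRedirect, is hypothetical) reports whether %SystemDrive%\inetpub is a real directory or a junction/symbolic link, and where the link points.

```powershell
# Added example: audit %SystemDrive%\inetpub for link redirection.
# Test-InetpubRedirect is a hypothetical helper name, not a built-in cmdlet.
function Test-InetpubRedirect {
    param(
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    # -Force returns the item itself (the link, not its target), even if hidden.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{
            Path = $Path; Status = 'Missing'; LinkType = $null; Target = $null; Owner = $null
        }
    }

    # Junctions and symbolic links both carry the ReparsePoint attribute.
    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

    # Reading the ACL can fail when the link target is invalid, so do not let it abort the check.
    $owner = try { (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner } catch { 'unreadable' }

    $status = if ($isReparse) { 'Redirected' }
              elseif (-not $item.PSIsContainer) { 'NotADirectory' }
              else { 'Directory' }

    [pscustomobject]@{
        Path     = $Path
        Status   = $status
        LinkType = $item.LinkType          # 'Junction', 'SymbolicLink' or empty
        Target   = ($item.Target -join ';') # where the link points, if it is one
        Owner    = $owner                   # shown for review only
    }
}

$result = Test-InetpubRedirect
$result | Format-List

if ($result.Status -ne 'Directory') {
    Write-Warning "$($result.Path) is not a plain directory ($($result.Status)); updates may fail or roll back."
}
```

Any status other than Directory means the path is missing, is a file, or has been redirected, which is the state the article associates with failed or rolled-back updates.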
