Microsoft patched a vulnerability in Windows, but created a new vulnerability along with it

Windows 11/Windows 10

This month, Microsoft patched CVE-2025-21204, a Windows vulnerability that allowed attackers to "execute and/or manipulate file management operations on a victim's machine with NT AUTHORITY\SYSTEM account privileges." As part of the fix, the April 2025 update creates a new %systemdrive%\inetpub folder, even on devices that do not use Internet Information Services (IIS).

However, it turns out this fix has introduced a new weakness that a low-privileged user can exploit to block installation of future Windows security updates. Security researcher Kevin Beaumont reported the new issue.

The problem is that any user can create a directory junction at the system path c:\inetpub that points at some other object, for example a file such as Notepad. A junction (mklink /j) is not a true symbolic link: unlike mklink /d it requires no SeCreateSymbolicLinkPrivilege, and the default ACL on the root of the system drive lets a standard user create a folder there, so no elevation is needed. Because mklink only succeeds when c:\inetpub does not already exist, this mainly affects machines that have not yet installed the April 2025 update (or from which the folder has been removed). With the junction in place, attempts to install the April 2025 update (and likely all subsequent updates) either fail or roll back their changes.

mklink /j c:\inetpub c:\windows\system32\notepad.exe
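The following PowerShell function is an added example written for this page; it is not code from the article, from Kevin Beaumont, or from Microsoft. It reports whether %SystemDrive%\inetpub is a real directory or a reparse point (junction or symbolic link) of the kind described above, shows what the link targets, and can remove such a link without touching its target. The function and parameter names are the editor's own; run it from an elevated PowerShell 5.1 or 7 session.

```powershell
# Added example (editor's own code, not from the article or Microsoft).
# Inspects %SystemDrive%\inetpub and flags a junction/symlink planted there.
function Test-InetpubJunction {
    [CmdletBinding()]
    param(
        # Folder to inspect; defaults to the one the April 2025 update creates.
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub'),
        # When set, remove a junction/symlink found at $Path. Only the link
        # entry is deleted; the object it points at is never touched.
        [switch]$Remediate
    )

    $result = [ordered]@{
        Path           = $Path
        Exists         = $false
        IsReparsePoint = $false
        LinkType       = $null
        Target         = $null
        TargetIsFile   = $false
        Owner          = $null
        Verdict        = $null
    }

    # -Force so a hidden or system-attributed entry is still returned.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        $result.Verdict = 'Missing: the real folder does not exist yet, so a standard user could plant a junction here before the update runs.'
        return [pscustomobject]$result
    }

    $result.Exists         = $true
    $result.IsReparsePoint = (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($acl) { $result.Owner = $acl.Owner }

    if (-not $result.IsReparsePoint) {
        $result.Verdict = 'OK: real directory (compare owner and ACL against a known-good machine).'
        return [pscustomobject]$result
    }

    # LinkType/Target are properties PowerShell adds to FileSystemInfo
    # ('Junction' or 'SymbolicLink'). Target is an array in Windows PowerShell
    # 5.1 and a string in PowerShell 7, so normalise it to a single string.
    $result.LinkType = $item.LinkType
    $target = @($item.Target) | Select-Object -First 1
    $result.Target = $target
    if ($target) {
        # A junction whose target is a file (e.g. notepad.exe) is the pattern
        # from the mklink /j reproduction above.
        $result.TargetIsFile = Test-Path -LiteralPath $target -PathType Leaf
    }

    $result.Verdict = "$($result.LinkType) at $Path -> $target; the April 2025 update is expected to fail or roll back."

    if ($Remediate) {
        # rmdir on a junction/symlink removes only the link entry. Remove-Item
        # is avoided on purpose: in Windows PowerShell 5.1 it can recurse into
        # the link target.
        & cmd.exe /c rmdir "$Path"
        if ($LASTEXITCODE -eq 0) {
            $result.Verdict += ' Link removed; the next update can create the real folder.'
        } else {
            $result.Verdict += " rmdir failed (exit code $LASTEXITCODE)."
        }
    }

    return [pscustomobject]$result
}

# Usage: inspect first, then remove a planted link after reviewing the report.
Test-InetpubJunction | Format-List
# Test-InetpubJunction -Remediate | Format-List
```

The check keys on the ReparsePoint attribute rather than on the folder name alone, because a genuine inetpub directory and a planted junction look identical in a plain directory listing. The Missing verdict is the pre-update state on non-IIS machines and is reported so that a fleet scan can distinguish "not yet patched" from "patched" and "tampered".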

Beaumont notified Microsoft Security Research Center (MSRC) about this issue approximately two weeks ago but hasn't received a response yet.
