Microsoft’s Symlink Patch Created New Windows DoS Vulnerability

A recent Microsoft security update, intended to patch a critical privilege escalation vulnerability, has inadvertently introduced a new and significant flaw. 

The fix now enables non-administrative users to effectively block all future Windows security updates, creating a denial-of-service condition. 

This unintended consequence of the patch highlights the complexities of software security and the persistent challenge of preventing unforeseen vulnerabilities.

Symlink vulnerability and Microsoft’s Fix

In April 2025, Microsoft released security updates to address CVE-2025-21204, a vulnerability rated as “Important” with a CVSS 3.1 score of 7.8. 

The flaw involved improper link resolution before file access (‘link following’) in the Windows Update Stack that allowed an authorized attacker to escalate privileges locally.

To mitigate this vulnerability, Microsoft implemented a fix that automatically creates a folder named “inetpub” on the system drive of all Windows systems, regardless of whether Internet Information Services (IIS) is installed. 

Microsoft explicitly warned users not to delete this folder, as it’s an integral part of the security enhancement.

The New DoS Vulnerability

Security researcher Kevin Beaumont has discovered that this fix introduces a denial of service vulnerability that allows non-administrator users to block Windows security updates permanently. 

Beaumont found that through a simple command line operation, users can create a junction point (a type of file system redirection in Windows) that breaks the update mechanism.

“Non-admin (and admin) users can create junction points in c:” Beaumont explained in his research.  The exploitation method requires nothing more than standard user privileges and basic command line access.

The vulnerability can be exploited through a simple command that creates a symbolic link between the protected inetpub folder and a system file:

This command creates a junction that redirects c:\inetpub to Windows Notepad. Once this junction is established, Windows Update encounters errors when trying to interact with the folder, causing updates to fail or roll back.

“After that point, the April 2025 Windows OS update (and future updates, unless Microsoft fix it) fail to ever install — they error out and/or roll back. So you just go without security updates,” Beaumont noted.

The most concerning aspect of this vulnerability is that it doesn’t require administrative privileges to exploit. 

Standard users can create these junction points on many default-configured systems, potentially preventing critical security updates from being installed system-wide.

This isn’t merely a temporary denial of service – it’s a persistent issue that continues until someone manually resolves the junction or reinstalls the system. 

Security experts warn that this could be easily scripted and deployed by malware or malicious actors seeking to keep systems vulnerable to other exploits.

Beaumont reported his findings to Microsoft’s Security Response Center approximately two weeks ago but has yet to receive a response. 

Until Microsoft addresses this issue, system administrators are advised to monitor the system drive for unusual junction points.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

The post Microsoft’s Symlink Patch Created New Windows DoS Vulnerability appeared first on Cyber Security News.