MS's patch for symlink vulnerability introduces another symlink vulnerability
a year ago
- Microsoft patched CVE-2025-21204, a symlink privilege escalation vulnerability.
- The fix involves precreating the c:\inetpub folder on all Windows systems, starting with the April 2025 updates.
- This fix introduces a new denial of service vulnerability in the Windows servicing stack.
- Non-admin users can create a junction point from c:\inetpub to c:\windows\system32\notepad.exe.
- This action prevents future Windows security updates from installing, causing systems to remain unpatched.
- The issue was reported to MSRC two weeks ago with no response yet.
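
A defender can check a host for the condition described above by testing whether c:\inetpub is a real directory or a reparse point (junction or symlink). The following PowerShell is an added example, not code from the original report or from Microsoft; the function name `Test-InetpubReparsePoint` and its output fields are hypothetical, and only the path comes from the page.

```powershell
# Added example: audit C:\inetpub for the junction condition described above.
# The function name and output fields are hypothetical; the path is from the page.
function Test-InetpubReparsePoint {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\inetpub'
    )

    # -Force returns hidden/system items; Get-Item returns the link itself,
    # not its target, so a redirected folder is still reported.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; IsReparsePoint = $false
            LinkType = $null; Target = $null; Owner = $null
            Finding = 'Missing: folder is not present'
        }
    }

    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    $isDir     = [bool]($item.Attributes -band [IO.FileAttributes]::Directory)

    # Reading the ACL can fail when the link target is invalid; record that
    # instead of aborting the audit.
    try   { $owner = (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner }
    catch { $owner = "unreadable: $($_.Exception.Message)" }

    $finding = if ($isReparse) {
        'Reparse point: path is redirected, investigate who created it'
    } elseif (-not $isDir) {
        'Not a directory: unexpected object at this path'
    } else {
        'OK: real directory'
    }

    [pscustomobject]@{
        Path           = $item.FullName
        Exists         = $true
        IsReparsePoint = $isReparse
        LinkType       = $item.LinkType          # e.g. Junction or SymbolicLink
        Target         = ($item.Target -join ';')
        Owner          = $owner
        Finding        = $finding
    }
}

Test-InetpubReparsePoint | Format-List
```

Run across a fleet, any host reporting `IsReparsePoint = True` is one where the redirect described above is in place and update installation should be verified.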