
Microsoft’s attempt to address a vulnerability in April’s Windows updates has inadvertently introduced a troubling side effect—any user, even without administrative privileges, can now deliberately block all future operating system updates, including critical security patches.
The original flaw, tracked as CVE-2025-21204 (CVSS score: 7.8), allowed attackers to escalate privileges by exploiting symbolic links within the c:\inetpub directory. As a remedy, Microsoft opted to pre-create this directory on all machines beginning with the April updates for Windows 10 and 11. On the surface, it appeared a simple and effective solution: create the folder in advance to prevent its misuse in malicious exploits. However, the implementation failed to account for all potential system behaviors.
The result was an unintended vulnerability—arguably even more severe. Security researcher Kevin Beaumont discovered that a standard command—mklink /j—could be used to create a junction point redirecting the c:\inetpub folder to any chosen system file. Demonstrating the flaw, Beaumont linked it to notepad.exe. Once redirected, any attempt by Windows Update to interact with inetpub would fail, causing the update process to revert.
For example, the command might be:
mklink /j c:\inetpub c:\windows\system32\notepad.exe
This command can be executed in a standard command prompt launched via Win+R → cmd, with no elevated privileges required. After execution, inetpub becomes a junction (a directory-level reparse point) pointing to the Notepad executable—or any other file or location the user designates.
What happens next is not immediately apparent, but critically important. Beginning with the April 2025 update cycle, Windows Update expects inetpub to be a conventional directory. If it encounters a junction instead, the update process fails. Some updates refuse to install, others may roll back mid-installation, while some may appear to succeed without actually applying changes. The system may not even alert the user that protection remains outdated.
In effect, security updates are silently disabled—not only the current patch but all subsequent ones—until the junction is removed or the corrupted directory is manually restored. This creates ideal conditions for sabotage within an organization, circumvention of security policies, or even targeted disruption of IT infrastructure.
The vulnerability was reported to the Microsoft Security Response Center (MSRC) approximately two weeks ago, yet an official response remains pending. Should Microsoft acknowledge the issue, it will likely need to revise its method for pre-configuring the inetpub directory or implement additional validation checks during the update process.
At present, no official mitigation has been issued. The only effective countermeasure is manual oversight—ensuring the integrity of the c:\inetpub structure and restricting permissions to prevent unauthorized modifications. In enterprise environments, the deployment of file integrity monitoring and audit logging systems may help detect unauthorized changes to the root system directory.
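The manual oversight described above can be scripted. The PowerShell below is an added example written for this article; it is not code from the article, from Kevin Beaumont, or from Microsoft, and Microsoft has published no tool of this kind. The function names (Test-InetpubIntegrity, Protect-InetpubAcl) and the -Repair switch are this example's own. It checks whether C:\inetpub is a reparse point rather than a plain directory, reports the junction target and the owner of the object (which identifies who created it), and, when run elevated with -Repair, removes the junction, recreates a real directory and restricts its permissions to SYSTEM and Administrators so a standard user cannot replace it again.

```powershell
# Added example, not from the article or from Microsoft. Run in an elevated
# PowerShell window; without -Repair it only reports and changes nothing.

function Test-InetpubIntegrity {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\inetpub',   # the directory the April update pre-creates
        [switch]$Repair                 # replace a junction with a real directory
    )

    $result = [ordered]@{
        Path           = $Path
        Exists         = $false
        IsReparsePoint = $false
        Target         = $null
        Owner          = $null
        Status         = 'Missing'
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # A missing folder is what the update tried to prevent; recreate it
        # so that a later junction cannot be planted in its place.
        if ($Repair) {
            New-Item -ItemType Directory -Path $Path | Out-Null
            Protect-InetpubAcl -Path $Path
            $result.Status = 'Recreated'
        }
        return [pscustomobject]$result
    }

    $item = Get-Item -LiteralPath $Path -Force
    $result.Exists = $true
    # The owner of a junction is the account that created it: useful for audit.
    $result.Owner  = (Get-Acl -LiteralPath $Path).Owner

    # A junction created with "mklink /j" carries the ReparsePoint attribute;
    # a conventional directory does not.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $result.IsReparsePoint = $true
        $result.Target = $item.Target    # PowerShell adds Target for reparse points
        $result.Status = 'Junction'

        if ($Repair) {
            # DirectoryInfo.Delete() on a reparse point removes only the junction
            # itself (RemoveDirectory semantics); the target file is untouched.
            $item.Delete()
            New-Item -ItemType Directory -Path $Path | Out-Null
            Protect-InetpubAcl -Path $Path
            $result.Status = 'Repaired'
        }
    }
    elseif ($item.PSIsContainer) {
        $result.Status = 'OK'
    }
    else {
        $result.Status = 'NotADirectory'
    }

    return [pscustomobject]$result
}

function Protect-InetpubAcl {
    # Restrict the directory so only SYSTEM and Administrators can modify or
    # delete it; standard users keep read/execute. Inheritance from C:\ is
    # removed so the root's permissive defaults no longer apply here.
    param([string]$Path = 'C:\inetpub')
    icacls $Path /inheritance:r `
        /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                 'BUILTIN\Administrators:(OI)(CI)F' `
                 'BUILTIN\Users:(OI)(CI)RX' | Out-Null
}

# Report only (safe to run as part of a scheduled compliance check):
Test-InetpubIntegrity | Format-List

# Report and fix, for an administrator who has confirmed the finding:
# Test-InetpubIntegrity -Repair | Format-List
```

In a fleet, the report-only form can run from a scheduled task or endpoint management agent and forward any result whose Status is not 'OK' to the SIEM; a Status of 'Junction' together with the Owner field is the indicator that a non-administrative account has redirected the directory, and it should be treated as an update-suppression event rather than as a benign misconfiguration.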
Until Microsoft releases a proper fix, Windows contains a latent flaw whereby any user—regardless of privilege level—can obstruct updates and effectively leave the system unprotected.