When Microsoft released the April 2025 security updates for Windows, users from all over the world started to notice that Microsoft's update created an empty folder in the main drive called inetpub.

This led to confusion, as Microsoft was tight lipped initially about the presence of the folder. The official release notes did not include any information about it. Shortly thereafter, Microsoft revealed that it created the folder on purpose to "increase protection". Users and administrators were encouraged to keep the folder and not tinker with it.

Background information: Microsoft created the folder as a direct response to CVE-2025–21204, which allows attackers to use symlinks to elevate privileges.

It turns out now that the creation of the folder may very well be used by cybercriminals for nefarious purposes.

Security researcher Kevin Beaumont shared information about the issue on Medium. Beaumont discovered that Microsoft's fix "introduced a denial of service vulnerability in the Windows servicing stack".

The details:

• Regular users may abuse the issue to stop all Windows security updates.
• It takes a single command to from a regular (non-elevated) prompt to abuse the issue.

All that is required is to create a new symbolic link between the inetpub folder and an application like notepad. Symbolic links do not require elevation, which means that attackers do not need to gain elevated access to a system to block future security updates on it.

Note: The command given by Beaumont on the website seems wrong as mklink /j is used to create junction links that link to a directory and not a file. Unless I'm missing something, it needs to either do away with /j to create a symbolic link or /h to create a hard link. Whether that is also going to block Windows updates is unclear though.

Once run, Windows security updates will no longer install on the target machine according to Beaumont. They will throw an error and roll back. Cybercriminals may use the hack to prevent future security update installs, which may fix security issues that they use to attack systems.

Beaumont says that the only way to resolve this issue is for Microsoft to fix it. He reported the issue to Microsoft but claims that Microsoft has not responded yet.

For this vulnerability to be exploited, cybercriminals need to gain regular access to a Windows machine. All common ways of protecting Windows apply to prevent this from happening, including making sure that Windows is up to date, not installing software from questionable sources, or allowing others to establish remote connections to the system.

Now You: what is your take on this? Would you say that Microsoft needs to be transparent when it comes to making these unannounced changes to Windows? Feel free to leave a comment down below.