CVE-2025-21204

Name of the Vulnerable Software and Affected Versions Windows versions prior to February 2025 Patchday

Description A flaw exists in the Windows Update Stack related to improper link resolution before file access. Successful exploitation of this issue, identified as CVE-2025-21204, allows an attacker with low privileges to elevate their permissions and potentially gain SYSTEM-level access. The vulnerability stems from the Windows Update Stack incorrectly handling symbolic links on unpatched systems, enabling attackers to manipulate file access. A researcher discovered that even non-administrative users could exploit this issue to block Windows updates by creating a junction between C:inetpub and any system file. Microsoft created the C:inetpub folder as part of a security update to mitigate this vulnerability, and users are advised not to delete it. The creation of this folder has been observed even on systems without Internet Information Services (IIS) installed. A proof-of-concept exploit has been published.

Recommendations Do not delete the C:inetpub folder, regardless of whether IIS is enabled. If the C:inetpub folder was deleted, restore it by installing Internet Information Services from the Windows Features control panel. Monitor for the creation of junctions or changes to system files. Ensure systems are updated regularly.