Table of Contents
- Can the April 2025 Windows Update Fix Actually Block Critical Security Patches?
- Background: CVE-2025-21204 and the “inetpub” Folder
- The New Problem: Patch Introduces Another Vulnerability
- Key Points and Implications
- What Should IT Admins and Users Do?
- Conclusion: A Frustrating Setback for Windows Security
Can the April 2025 Windows Update Fix Actually Block Critical Security Patches?
Microsoft’s April 2025 Patch Tuesday introduced a major security update aimed at fixing the Windows symlink vulnerability, CVE-2025-21204. While this patch was supposed to enhance system protection, it has unexpectedly created a new, potentially severe security risk that allows any local user—administrator or not—to block future Windows updates.
Background: CVE-2025-21204 and the “inetpub” Folder
CVE-2025-21204 is a privilege escalation vulnerability in the Windows Update Stack. It allowed attackers with local access to exploit improper link (symlink) resolution, tricking the system into executing malicious files with SYSTEM-level privileges.
Microsoft’s fix, released on April 8/9, 2025, creates a new folder at %systemdrive%\inetpub on all Windows systems, regardless of whether Internet Information Services (IIS) is installed.
Microsoft has warned users not to delete this folder, as it is now part of the system’s security hardening—even if IIS is not in use.
The New Problem: Patch Introduces Another Vulnerability
Security researchers have discovered that the fix itself opens a new vulnerability. Any local user can create a symlink (junction point) from the %systemdrive%\inetpub folder to another file or directory using the mklink command.
For example:
mklink /j c:\inetpub c:\windows\system32\notepad.exe
This command redirects the inetpub folder to the Notepad executable.
If such a junction is created, future Windows updates will fail to install—the update process encounters an error and cannot proceed. This block persists for all subsequent updates until Microsoft addresses the issue.
Key Points and Implications
Any user, not just administrators, can exploit this flaw, which means even standard users can disrupt the update process.
This loophole could be abused by malware or malicious insiders to intentionally prevent security updates, leaving systems exposed to other threats.
Microsoft has been notified of the issue but, as of late April 2025, has not yet released a fix or official guidance for this new vulnerability.
What Should IT Admins and Users Do?
- Do not delete or modify the inetpub folder—it is required for the current security model.
- Monitor for unauthorized symlinks or junctions on the inetpub folder.
- Apply additional hardening (e.g., using AppLocker or WDAC to restrict symlink creation) as a temporary mitigation.
- Stay alert for Microsoft’s updates regarding this issue and be prepared to deploy further patches as soon as they are available.
Conclusion: A Frustrating Setback for Windows Security
This situation highlights a negative outcome: a patch intended to resolve a serious vulnerability has inadvertently introduced a new, easily exploitable flaw. Until Microsoft delivers a comprehensive fix, organizations and users must remain vigilant and take extra steps to protect their systems from both privilege escalation and update disruption.