The folder, typically c:\inetpub, reappeared on Windows systems in April as part of Microsoft's mitigation for CVE-2025-21204, an exploitable elevation-of-privileges flaw within Windows Process Activation. Rather than patching code directly, Redmond simply pre-created the folder to block a symlink attack path. //

For at least one security researcher, in this case Kevin Beaumont, the fix also presented an opportunity to hunt for more vulnerabilities. After poking around, he discovered that the workaround introduced a new flaw of its own, triggered using the mklink command with the /j parameter.

It's a simple enough function. According to Microsoft's documentation, mklink "creates a directory or file symbolic or hard link." And with the /j flag, it creates a directory junction - a type of filesystem redirect.

Beaumont demonstrated this by running: "mklink /j c:\inetpub c:\windows\system32\notepad.exe." This turned the c:\inetpub folder - precreated in Microsoft's April 2025 update to block symlink abuse - into a redirect to a system executable. When Windows Update tried to interact with the folder, it hit the wrong target, errored out, and rolled everything back.

"So you just go without security updates," he noted.