In April 2025, Microsoft's Patch Tuesday updates aimed to address several security vulnerabilities in Windows operating systems. Among these was a fix for CVE-2025-21204, a privilege escalation vulnerability in the Windows Update Stack. However, this update inadvertently introduced a new security issue related to directory junctions, specifically involving the creation of the INLINECODE0 folder.

Background on CVE-2025-21204

CVE-2025-21204 is a vulnerability in the Windows Update Stack that allowed local attackers to escalate privileges by exploiting improper handling of symbolic links (symlinks) within the update process. By manipulating these symlinks, an attacker could redirect update processes to execute arbitrary code with elevated privileges. Microsoft addressed this issue by introducing the INLINECODE1 directory in the April 2025 update. This directory was intended to act as a protective measure, preventing unauthorized symlink creation in critical update directories. (microsoft.com)

Introduction of the INLINECODE2 Folder

The creation of the INLINECODE3 folder was a strategic decision by Microsoft to enhance system security. Traditionally, the INLINECODE4 directory is associated with Internet Information Services (IIS), Microsoft's web server software. However, in this context, its creation serves as a safeguard against potential symlink attacks targeting the Windows Update Stack. (microsoft.com)

Emergence of a New Security Flaw

Despite the protective intent behind the INLINECODE5 folder, security researchers discovered that its introduction inadvertently opened a new vulnerability. The issue arises from the handling of directory junctions, a type of symlink in the NTFS file system. An attacker with local access can create a junction point from INLINECODE6 to another location on the system, such as a sensitive file or directory. This misconfiguration can lead to unauthorized access or modification of critical system files. (intruceptlabs.com)

Implications and Impact

The unintended consequence of this vulnerability is significant. It allows local users, including those with standard privileges, to manipulate system directories in ways that were previously restricted. This could lead to:

  • Unauthorized Access: Attackers can gain access to files and directories that should be protected.
  • Privilege Escalation: By redirecting processes to malicious code, attackers can elevate their privileges within the system.
  • System Instability: Manipulating critical system directories can lead to system crashes or unpredictable behavior.

Technical Details

The vulnerability exploits the Windows Update Stack's trust in the INLINECODE7 directory. By creating a junction point from INLINECODE8 to another location, an attacker can redirect update processes to execute arbitrary code. This is possible because the update processes follow the junction point without verifying its target, leading to potential code execution with elevated privileges. (intruceptlabs.com)

Mitigation and Recommendations

To address this vulnerability, Microsoft has recommended the following actions:

  • Apply Security Updates: Ensure that all systems are updated with the latest security patches provided by Microsoft.
  • Restrict Junction Point Creation: Implement access control lists (ACLs) to prevent unauthorized users from creating junction points in sensitive directories.
  • Monitor System Directories: Regularly audit and monitor critical system directories for unauthorized changes or junction points.

Conclusion

While Microsoft's April 2025 update aimed to enhance security by addressing CVE-2025-21204, it inadvertently introduced a new vulnerability related to directory junctions. This situation underscores the complexity of system security and the importance of thorough testing and validation of security measures. Users and administrators are advised to stay informed about this issue and implement the recommended mitigation strategies to maintain system integrity.