When Microsoft released the April 2025 security update for Windows, users from all over the world started to note that Microsoft’s update made an empty folder in the main drive called Intpub.
This led to confusion, as Microsoft was initially harassed about the appearance of the folder. Official release notes did not include any information about it. Soon after, Microsoft revealed that it created a folder for the purpose of “increasing security”. Users and administrators were encouraged to hold folders and were not tampered with.
Background information: Microsoft created a folder as a direct response to the CVE-2025–21204, which allows the attackers to use a synown to elevate privileges.
It is now revealed that the construction of the folder can be used very well for nefarious purposes by cyber criminal.
Security researcher Kevin Beomont shared information about this issue On mediumBuomont found that Microsoft’s fix launched “refusal to serve in Windows servicing stack”.
Description:
- Regular users can misuse the problem to prevent all Windows security updates.
- It takes a single command from a regular (non-relative) signal to misuse the issue.
It is all necessary to create a new symbolic link between the intepub folders and applications such as the notepad. The symbolic link does not require height, which means that the attackers do not need to achieve height to a system to block future safety updates.
Comment: The command given by Beaumont on the website seems wrong because Mklink /J is used to create a junction link that links to a directory and not the file. Until I am missing anything, there is a need to remove with either /J to make a symbolic link or /H to create a hard link. Is this also going to block Windows updates, although it is not clear.
Once run, Windows Security Updates will no longer be installed on the target machine according to the Beom. They will throw an error and roll back. Cyber criminals can use hacks to prevent future safety updated installs, which can fix safety issues that they use to attack the system.
Buomont says that the only way to solve the issue is to fix Microsoft. He reported the issue to Microsoft, but claimed that Microsoft had not yet responded.
To exploit this vulnerability, the cyber criminal needs to get regular access to the Windows machine. All common methods of protecting windows are applied to prevent it from happening, including to ensure that Windows is updated, not installing software from suspicious sources, or allowing others to establish distance connections in the system.
Now you: What do you have to take on this? Would you say that Microsoft needs to be transparent when it comes to making these undeclared changes in Windows? Feel free to leave a comment below.
Thanks for reading..
