A newly discovered vulnerability, CVE-2025-21204, poses a significant threat to millions of Windows systems, including various versions of Windows 10, Windows 11, and Windows Server. This high-severity flaw affects the Windows Update Stack, particularly the MoUsoCoreWorker.exe and UsoClient.exe processes, which run with SYSTEM-level privileges. The vulnerability enables local attackers with limited user rights to gain SYSTEM-level access by manipulating trusted update tasks without requiring user interaction. It operates by abusing file system behavior rather than traditional memory corruption, making it stealthier and harder to detect.

At the core of the exploit is the improper handling of NTFS directory junctions (symbolic links) by trusted Windows Update processes. Attackers can create a junction that redirects the legitimate update path (C:\ProgramData\Microsoft\UpdateStack\Tasks) to a malicious folder under their control. When Windows Update services execute scheduled tasks, they unknowingly follow the junction to this attacker-controlled location and run the malicious code with elevated privileges. This technique is described as a "quiet privilege escalation" because it blends into the normal behavior of the operating system, requiring no code injection or advanced exploit techniques.

Microsoft addressed the issue in the April 2025 cumulative update (KB5055523) using an unconventional mitigation, pre-creating a folder (C:\inetpub) on system drives, even on machines that don’t have IIS installed. This measure is part of a broader hardening effort to prevent symbolic link abuse within the Update Stack. Security analysts have also developed detection mechanisms to identify exploitation attempts, such as monitoring symbolic link creations involving Microsoft\UpdateStack and tracking unusual file activities in or around the new inetpub directory.

To protect against this threat, organizations and users should immediately apply the latest security updates, restrict access controls on sensitive update directories, and implement application control policies like AppLocker or WDAC to block symbolic link creation. This vulnerability is part of a broader trend where attackers exploit implicit trust within the file system, rather than using more complex techniques. As emphasized by security researchers, CVE-2025-21204 is a prime example of how trusted execution paths in Windows can be fragile, offering attackers low-noise paths to SYSTEM access and defenders a new category of file-based privilege escalation threats to monitor closely.