@mttaggart
Okay, I'm going to call this a fake. I tested on an unpatched Server 2022 box. The exploit code does "work"; however C:\Users\Public is already writable by INTERACTIVE. The cve2025-proof.log is owned by the user running the script, not SYSTEM or TrustedInstaller.

When I initially ran the script, I got the error:
At C:\temp\test-exploit.ps1:120 char:2
+ [!] Exploit failed
+ ~
Missing type name after '['.

plus a few after that, I just removed the braces from the output to work around it.

When the script tries to create the junction, it get the error "The system cannot find the path specified."

Dunno, maybe I'm holding it wrong.

@FritzAdalis I also had to remove the braced characters (PS hates emoji), and I am not 100% on this, which is why I said "seems legit." The exploit did run on my machine with reasonable evidence.