Great writeup of CVE-2025-21204, the one that resulted in that bizarre C:\inetpub folder. Comes with a PoC that seems legit:
https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/
@mttaggart
Wait, is the vulnerability just that c:\ProgramData\Microsoft\UpdateStack is writable? The inetpub thing almost seems incidental.
@mttaggart
Okay, I'm going to call this a fake. I tested on an unpatched Server 2022 box. The exploit code does "work"; however C:\Users\Public is already writable by INTERACTIVE. The cve2025-proof.log is owned by the user running the script, not SYSTEM or TrustedInstaller.
When I initially ran the script, I got the error:
At C:\temp\test-exploit.ps1:120 char:2
+ [!] Exploit failed
+ ~
Missing type name after '['.
plus a few after that, I just removed the braces from the output to work around it.
When the script tries to create the junction, it gets the error "The system cannot find the path specified."
Dunno, maybe I'm holding it wrong.
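One way to check the two claims under dispute in this thread (whether the paths involved are writable by low-privileged principals, and who actually owns the proof file), as an added PowerShell example that is not from the post or the linked PoC; the paths are the ones named in the thread, and the artefact location is an assumption:

```powershell
# Added audit script (not from the thread or the PoC). Run as an administrator on
# a test box. Paths come from the thread; the artefact location is assumed.
$Paths = @(
    'C:\ProgramData\Microsoft\UpdateStack',
    'C:\inetpub',
    'C:\Users\Public'
)
# Principals that any interactive or local user effectively holds.
$LowPrivPrincipals = @(
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)
# Rights that let a caller create or replace content in a directory
# (creating a junction needs CreateDirectories on the parent).
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-LowPrivWriteAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Owner = '<missing>'; LowPrivWriters = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Keep only Allow ACEs for low-privileged principals that carry a write right.
    $writers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0)
        } |
        ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; LowPrivWriters = $writers }
}

$Paths | ForEach-Object { Get-LowPrivWriteAces -Path $_ } | Format-List

# Ownership of the artefact: a write performed in a SYSTEM context leaves the
# file owned by SYSTEM or TrustedInstaller, not by the account that ran the PoC.
$Artefact = 'C:\Users\Public\cve2025-proof.log'   # assumed location
if (Test-Path -LiteralPath $Artefact) {
    "Artefact owner: $((Get-Acl -LiteralPath $Artefact).Owner)"
}
```

If UpdateStack shows no low-privileged writers and the artefact is owned by the launching user, the PoC has only demonstrated a write to an already world-writable folder.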
@FritzAdalis I also had to remove the braced characters (PS hates emoji), and I am not 100% on this, which is why I said "seems legit." The exploit did run on my machine with reasonable evidence.
@mttaggart @FritzAdalis The bigger problem here is PS hating on emojis... 😔