So, let me try and understand this.
According to what you have written, and the MSDN documentation on this CreateIpForwardEntry2 call, you need to be (at least) a member of the Administrators group. So how is this "security vulnerability" any different to me creating a program, which will require the same Administrative rights, to say, wipe the boot configuration file?
