inetpub folder Archives

Winsage

April 25, 2025

Windows “inetpub” security fix can be abused to block future updates

A recent Microsoft security update has created a new 'inetpub' folder in the root of the system drive, linked to a fix for a Windows Process Activation elevation of privilege vulnerability (CVE-2025-21204). This folder has appeared on systems without Internet Information Services (IIS) installed. Microsoft advises users not to delete the folder, as it enhances system protection. However, cybersecurity expert Kevin Beaumont has shown that the 'inetpub' folder can be manipulated by non-administrative users to create a junction that redirects to a Windows file, potentially obstructing future Windows updates and resulting in a 0x800F081F error code. Microsoft has classified this issue as "Medium" severity and has closed the case, indicating it may be addressed in future updates.

Winsage

April 25, 2025

Microsoft’s Patch for Symlink Vulnerability Introduces New Windows Denial-of-Service Flaw

In early April 2025, Microsoft addressed a security vulnerability (CVE-2025-21204) related to symbolic links in the Windows servicing stack, specifically affecting the c:inetpub directory used by Internet Information Services (IIS). The updates created the c:inetpub folder with appropriate permissions to mitigate risks. However, this fix introduced a new denial-of-service (DoS) vulnerability, allowing non-administrative users to create junction points on the c: drive, disrupting the Windows Update mechanism. A command such as "mklink /j c:inetpub c:windowssystem32notepad.exe" could be used to exploit this flaw, preventing systems from receiving future security patches. As of April 25, Microsoft had not released a patch or acknowledged the issue, leaving systems vulnerable and emphasizing the need for monitoring user permissions and manually removing suspicious symlinks.

Winsage

April 24, 2025

Microsoft mystery folder fix might need a fix of its own

Microsoft's recent patch for CVE-2025-21204 inadvertently reintroduced the inetpub folder at c:inetpub as part of its mitigation strategy, raising concerns among system administrators. Security researcher Kevin Beaumont discovered that this folder created a new vulnerability when he used the mklink command with the /j parameter to redirect the folder to a system executable (notepad.exe). This allowed standard users to prevent Windows updates without administrative rights, as the command could be executed on default-configured systems. Beaumont has notified Microsoft of this vulnerability, but the company has not yet responded.

Winsage

April 24, 2025

An empty folder in Windows that «cannot be deleted» can permanently block OS updates

The inetpub folder, introduced in the April update of Windows 11 (version 24H2) as part of a fix for the CVE-2025-21204 vulnerability, has raised concerns among security researchers. It can be manipulated to block Windows updates without administrative rights by creating a symbolic link to notepad.exe, which can lead to a rollback of patches and leave the system vulnerable. Microsoft has not yet responded to this issue, and the possibility of a patch to address the new vulnerability is still open.

Winsage

April 24, 2025

Microsoft security patch opens up new security vulnerability

Microsoft's recent update aimed at fixing a security vulnerability (CVE-2025-2104) has unintentionally created an "inetpub" folder on the system drive of Windows operating systems. This folder's creation has raised concerns among IT security researchers, particularly Kevin Beaumont, who warns that it could lead to issues with Windows updates. Users can create junctions that redirect to the "inetpub" folder, potentially causing failures in installing updates and leaving systems vulnerable. Microsoft has stated that the "inetpub" folder should not be deleted and that its presence is part of security enhancements.

Winsage

April 24, 2025

Windows 11’s mysterious ‘inetpub’ folder might be more dangerous than we thought

Windows 11 users have been warned about a potential vulnerability associated with the inetpub folder, introduced in the April 2025 security update. Security researcher Kevin Beaumont raised concerns that hackers could exploit this folder to disable essential security updates by creating "junction points" within the system's directory. This could lead to installation errors or force a rollback to previous system states due to a denial of service (DoS) vulnerability in the Windows servicing stack. Microsoft stated that the inetpub folder is part of a security patch (CVE-2025-21204) and advised against deleting it, claiming that removal would not impact system performance.

Winsage

April 24, 2025

Windows 11’s crucial new ‘inetpub’ folder is laughably easy to hack

A new folder named "inetpub" appeared on many Windows PCs after an April update, initially thought to be a glitch. Microsoft later stated that this folder was introduced to enhance Windows security by addressing the CVE-2025-21204 vulnerability. However, security researcher Kevin Beaumont revealed that the inetpub folder could allow attackers to bypass critical security updates. Beaumont proposed creating a junction point in the C: directory to prevent the inetpub folder's creation, which would also block the installation of the April update and subsequent security updates, leaving PCs vulnerable. This situation could lead to error messages and failed update rollbacks, with attackers able to exploit these issues without elevated privileges. Beaumont has informed Microsoft about the problem, but a response has not yet been received.

Winsage

April 16, 2025

Don’t Delete This Empty Folder on Windows 11

The "inetpub" folder, which appeared after the latest Patch Tuesday update on Windows 11, is part of a security enhancement addressing the CVE-2025-21204 vulnerability that could allow attackers to modify system files. Users are advised not to delete this folder, as it contributes to increased protection. If deleted, it can be restored by navigating to Control Panel > Programs > Programs and Features, selecting "Turn Windows features on or off," checking the box next to Internet Information Services, and clicking OK. This process recreates the folder with the same security protections.

Winsage

April 15, 2025

Don’t delete inetpub folder. It’s a Windows security fix

A new folder, typically located at C:inetpub, appears on Windows systems after installing the April Patch Tuesday updates for Windows 10 and 11. This folder is created as a security measure related to the vulnerability CVE-2025-21204, which could allow unauthorized access to system-level file management. Microsoft advises users to leave this folder untouched, as it is established with read-only SYSTEM-level access to prevent privilege escalation exploits. The folder will be created even if Internet Information Services (IIS) is not installed, and there are currently no known exploits for CVE-2025-21204. If the folder is deleted, it can be recreated by enabling IIS in the Windows features settings. Users can also manually create the folder with the appropriate permissions if desired.

Winsage

April 14, 2025

No, it’s not OK to delete that new inetpub folder

Microsoft has introduced a new inetpub folder located at %systemdrive%inetpub on user devices as part of the April Patch Tuesday updates to enhance system protection. This folder is associated with Internet Information Services (IIS), which is not installed by default. Microsoft advises that this folder should not be deleted, regardless of whether IIS is active. The vulnerability CVE-2025-21204 allows an authenticated attacker to elevate privileges locally, enabling them to perform file management operations on the victim machine. The "link following flaw" refers to inadequate prevention of filename linking to unintended resources, and mitigating this risk involves denying access to specific files and setting appropriate folder permissions. The inetpub folder serves as a protective measure against potential exploitation of vulnerabilities.