Windows “inetpub” security fix can be abused to block future updates

A recent security update from Microsoft has inadvertently opened a door to potential vulnerabilities, particularly concerning the newly created ‘inetpub’ folder. This folder, which appears in the root of the system drive following the installation of this month’s Patch Tuesday updates, is typically associated with Microsoft’s Internet Information Services (IIS) web server. However, many users have reported its unexpected presence on systems where IIS is not installed.

Understanding the ‘inetpub’ Folder’s Role

Microsoft has clarified that the creation of the C:\inetpub folder is linked to a fix for a Windows Process Activation elevation of privilege vulnerability, identified as CVE-2025-21204. The company has advised users against deleting this folder, emphasizing its role in enhancing system protection. “After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device,” Microsoft stated. They further noted that this behavior does not require any action from IT administrators or end users.

Yet, cybersecurity expert Kevin Beaumont has highlighted a troubling aspect of this update. He has demonstrated that the ‘inetpub’ folder can be manipulated to obstruct future Windows updates. Beaumont’s findings indicate that non-administrative users can create a junction between C:\inetpub and a Windows file, such as C:\windows\system32\notepad.exe, using a specific command:

mklink /j c:\inetpub c:\windows\system32\notepad.exe

This command creates a junction, a unique type of folder that redirects access to another folder or file, making it seem as though the content exists in both locations. Beaumont speculates that the update process may fail because it expects the ‘inetpub’ path to lead to a directory rather than a file.
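A defender-side check for the condition described above, added here as an example and not taken from the article, Beaumont or Microsoft: it inspects %systemdrive%\inetpub and reports whether it is a reparse point (junction or symlink) and whether that reparse point resolves to a file rather than a directory, which is the state the article says causes the 0x800F081F failure. The function name, the output fields and the verdict strings are my own choices; it relies only on the standard Get-Item cmdlet and the LinkType/Target properties PowerShell exposes on reparse points.

```powershell
# Added example: audit %systemdrive%\inetpub before applying updates.
# Reports whether the folder is a reparse point and whether its target is a file.
function Test-InetpubJunction {
    param(
        # Defaults to the path the update creates; override for testing on another drive.
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    # Get-Item on the reparse point itself (not through it); -Force shows hidden/system entries.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; IsReparsePoint = $false
            LinkType = $null; Target = $null; TargetIsFile = $false; Verdict = 'missing'
        }
    }

    # Junctions and symlinks carry the ReparsePoint attribute on the directory entry.
    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

    # PowerShell fills LinkType ('Junction'/'SymbolicLink') and Target for reparse points.
    # Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7, so normalise.
    $target = if ($isReparse) { @($item.Target) | Select-Object -First 1 } else { $null }

    # Resolve the target and decide whether it is a file (the update-blocking case).
    $targetIsFile = $false
    if ($target) {
        $resolved = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        if ($resolved) { $targetIsFile = -not $resolved.PSIsContainer }
    }

    $verdict = if (-not $isReparse)  { 'plain directory' }
               elseif ($targetIsFile) { 'reparse point to a FILE (update-blocking state)' }
               else                   { 'reparse point to a directory' }

    [pscustomobject]@{
        Path = $Path; Exists = $true; IsReparsePoint = $isReparse
        LinkType = $item.LinkType; Target = $target; TargetIsFile = $targetIsFile
        Verdict = $verdict
    }
}

# Usage: run from an elevated or a normal prompt; the output is a single object.
Test-InetpubJunction | Format-List
```

The same check can be pointed at any path with -Path, and the LinkType/Target fields give the evidence an administrator needs before removing a reparse point and retrying the update.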

The Implications of the Junction

According to Beaumont, the creation of this junction can lead to installation failures of subsequent security updates, specifically resulting in a 0x800F081F error code. This error indicates that a package or file was not found, complicating the update process for users. Microsoft has classified this issue as “Medium” severity after Beaumont reported it, indicating that while it is a concern, it does not warrant immediate action. The company has closed the case, suggesting that they may address the issue in future updates.

In their correspondence with Beaumont, Microsoft noted, “It does not meet MSRC’s current bar for immediate servicing as the update fails to apply only if the ‘inetpub’ folder is a junction to a file and succeeds upon deleting the inetpub symlink and retrying.”

As the situation unfolds, the implications of this vulnerability remain a topic of interest within the cybersecurity community. BleepingComputer has also reached out to Microsoft for further clarification but has yet to receive a response.
