April 2025 Windows 11 Update and the Inetpub Folder Mystery: A Deep Dive into Security Implications

April 2025 Windows 11 Update: The Mystery of the Inetpub Folder Explained

Introduction

The April 2025 cumulative update for Windows 11, notably update KB5055523, introduced a curious and unexpected change: the automatic creation of an empty folder named "inetpub" at the root of the system drive (commonly INLINECODE0 ). Traditionally, this folder is associated with Microsoft's Internet Information Services (IIS) web server software and appears only when IIS is enabled. However, its sudden appearance on virtually all Windows 11 machines — even those without IIS installed — has generated confusion and concern among users, IT professionals, and security researchers. This article unpacks this phenomenon, reveals its critical security context, and discusses the implications of the new vulnerabilities it has introduced.

The Origin and Purpose of the Inetpub Folder

The font of this strategy traces back to the mitigation of a significant security vulnerability known as CVE-2025-21204. This vulnerability resides in the way the Windows Update servicing stack handles symbolic links (symlinks), which are filesystem objects that point to other files or directories. Improper resolution of these symlinks during update processes exposed Windows systems to local privilege escalation risks, where an attacker with local access could redirect system operations to unauthorized locations, potentially modifying system files or subverting update integrity.

To counter this, Microsoft introduced the INLINECODE2 folder as a hardened, controlled container with strict system-level permissions. This folder acts as a trusted environment intended to safely stage Windows Update operations involving symlinks, effectively serving as a containment boundary stopping malicious symlink redirect attacks.

Why Is the Folder Empty and Ubiquitous?

The empty INLINECODE3 folder is deliberately lightweight and occupies negligible disk space. Its naming leverages existing Windows conventions tied to IIS, enabling Microsoft to apply familiar and robust security permissions from the system’s security infrastructure to this folder quickly and efficiently.

Microsoft’s Explicit Warning

Microsoft has clearly advised users not to delete this folder. Removing it could disable the protective mechanisms of the update patch, effectively exposing the system to the CVE-2025-21204 vulnerability once again. Should accidental deletion occur, Microsoft recommends restoring the folder by temporarily enabling IIS through the Windows Features control panel or reinstalling the update.

The Paradox: How the Inetpub Folder Became a New Vulnerability

Interestingly, the introduction of the INLINECODE4 folder created a new security risk. Security researcher Kevin Beaumont discovered that any local, non-administrative user could exploit the folder by replacing it with a directory junction (a type of symbolic link specific to directories in NTFS) pointing to any arbitrary path or executable, such as INLINECODE5 .

This is achieved with a simple command:

This redirect fools the Windows Servicing Stack — which runs under the SYSTEM account and trusts the INLINECODE6 folder without verifying if it is a real directory or a junction point — into interacting with unintended targets. Consequently, Windows Update encounters unexpected targets, causing update failures or rollbacks.

This exploit enables denial of service (DoS) conditions by blocking security patches and can be executed without requiring administrator privileges, a significant security lapse allowing local users to sabotage update integrity.

Why Does This Matter?

This new vulnerability highlights several key issues in modern OS security management:

• Complexity of patches: Security mitigations sometimes introduce new attack surfaces.
• Privilege assumptions: Critical system components trusting directory structures without verifying symbolic link status can lead to privilege escalation or sabotage.
• Ease of abuse: Non-admin users can disrupt update mechanisms via simple commands.

Impact on Users and Enterprises

For regular users, the unexpected INLINECODE7 folder may cause confusion, and attempts to delete it might unintentionally reduce system security.

For IT professionals and system administrators, this new vulnerability demands careful attention to patch management policies and the enforcement of strict permissions on the INLINECODE8 folder.

Technical Recommendations and Mitigation

While awaiting an official Microsoft fix, the following temporary mitigations are advisable:

• Harden permissions on the INLINECODE9 folder:
  • Disable inherited permissions and remove all except those absolutely necessary.
  • Grant Full Control only to SYSTEM and TrustedInstaller accounts.
  • Remove write and delete privileges from Administrators and standard users, preventing unauthorized junction creation.
• Educate users: Emphasize following Microsoft's guidance not to delete or tamper with critical system folders.

Conclusion

The April 2025 Windows 11 update’s INLINECODE10 folder saga exemplifies the balancing act modern operating systems perform between patching vulnerabilities and not unintentionally creating new ones. While the folder acts as a key security container against symbolic link exploits targeting Windows Update, the implementation oversight in treating directory junctions as trusted directories opens a fresh avenue for denial-of-service and potential privilege escalation by local users.

This episode underscores the imperative for vigilant, layered, and carefully architected security strategies, the need for thorough validation in patch design, and the importance of informed system administration.

For users and IT professionals, the lesson is to respect and protect even seemingly inconspicuous system folders, as they may hold vital roles in the evolving cybersecurity landscape.