Windows News
Introduction
Windows users worldwide have recently encountered a puzzling development following the April 2025 Patch Tuesday updates for Windows 10 and Windows 11: the automatic creation of an empty folder named inetpub in the root directory of the system drive, usually C:\inetpub. For many, this folder is traditionally associated with Microsoft’s Internet Information Services (IIS), a web server platform, and its unexpected appearance on systems that do not run IIS has led to widespread confusion and questions about its purpose and security implications.
This article aims to decode the mystery behind the inetpub folder’s sudden appearance, provide crucial background information on the security context that motivated its introduction, analyze the emerging exploit risks surrounding this folder, and discuss the implications for end users, IT professionals, and enterprise environments.
Background: What Is the inetpub Folder?
Historically, the inetpub directory is created only when IIS is installed and enabled on a Windows machine. IIS uses this folder to store website files, logs, and scripts necessary to operate web services. For typical Windows users who do not run IIS, this folder normally does not exist.
However, with the release of the April 2025 Patch Tuesday updates (e.g., KB5055523 for Windows 11 24H2 and a matching update for Windows 10), Microsoft began creating an empty inetpub folder automatically on all updated systems, regardless of IIS installation. Despite its emptiness and lack of typical web service content, Microsoft has confirmed this folder’s deliberate creation as a crucial part of a security patch addressing a significant system vulnerability.
The Security Vulnerability: CVE-2025-21204
The driving force behind this change is an important security vulnerability tracked as CVE-2025-21204. This flaw resides in how the Windows Update servicing stack handles symbolic links (symlinks) or directory junctions—advanced filesystem objects that can point to other files or directories.
Symbolic links are akin to shortcuts, allowing one directory or file to redirect to another target. The vulnerability involves improper handling or verification of these symlinks within Windows Update’s system operations. A local attacker could exploit this flaw by placing malicious symbolic links to redirect Windows Update activities to unintended or sensitive parts of the file system.
Such exploitation could result in:
- Privilege escalation, granting attackers unauthorized elevated rights
- Interference or disruption of Windows Update processes
- Unauthorized modification of system files
This flaw is particularly critical as it allows local attackers without administrator privileges to manipulate the update servicing stack, putting system integrity and security patching at risk.
Why the inetpub Folder Was Introduced
Microsoft’s solution as part of the April 2025 update was to preemptively create the inetpub folder as a blank, hardened container with strict system permissions. This folder acts as a secure environment designed to:
- Serve as a trusted location for Windows Update file staging
- Prevent unauthorized symbolic link redirections by ensuring a real directory with controlled access exists
- Reduce attack surface by blocking symlink-based privilege escalation paths linked to the update process
In essence, this "digital moat" is a security-by-design tactic, leveraging filesystem structure and permissions to reinforce Windows system hardening. Although the folder appears empty and inert, its presence is vital to maintaining the integrity of the vulnerability patch.
Microsoft explicitly warns users not to delete the inetpub folder, emphasizing that its removal may disable this security safeguard and expose systems to attack. For those who have accidentally or intentionally deleted it, Microsoft provides recommendations to restore it—such as temporarily enabling IIS to recreate the folder with the correct permissions.
Emerging Exploit: How inetpub Itself Can Be Misused
Despite the original patch’s intent, a security researcher, Kevin Beaumont, discovered a paradoxical new weakness associated with the inetpub folder’s introduction:
- Any standard user—without administrative privileges—can replace the real inetpub folder with a directory junction (a type of symbolic link specific to directories) that points to an arbitrary target file or directory on the system.
Example command:
CODEBLOCK0This redirects all accesses intended for INLINECODE0 to the target specified—in this case, INLINECODE1 .
Because the Windows Update servicing stack runs with SYSTEM privileges and implicitly trusts the inetpub folder, it does not validate whether this folder is a genuine directory or a junction. When redirected, Windows Update tries to operate on the wrong file or folder, causing update failures, patch rollbacks, or denial of service.
Why is this serious?
- This vulnerability allows non-admin local users or malware to disrupt the update process easily.
- It could result in persistent systems with failed or incomplete security patches.
- The exploitation requires no admin rights, lowering the barrier for attackers.
- In shared or multi-user environments, this poses considerable risks to system security and compliance.
Interim Defensive Measures
Microsoft has yet to provide a definitive fix for this newly uncovered junction point exploit. In the meantime, recommended best practices for IT administrators and users include:
Locking Down the inetpub Folder Permissions
- Navigate to INLINECODE2
- Right-click the folder, select Properties
- Go to the Security tab, then click Advanced
- Disable permission inheritance and remove all inherited permissions
- Grant Full Control only to SYSTEM and NT SERVICE\TrustedInstaller
- Apply changes to block all other users—even administrators—from modifying or replacing the inetpub folder
By enforcing these strict access controls, unauthorized users will be prevented from creating malicious junctions that hijack the folder path.
Implications and Impact
The inetpub folder saga highlights critical themes about the complexity of modern operating system security updates:
- Security patches sometimes introduce new operational artifacts that may seem unusual but serve layered defensive purposes.
- Defensive changes can unintentionally open new attack surfaces if architectural assumptions (like implicit trust in directory paths) are not rigorously validated.
- The challenge of balancing system integrity, usability, and security is ongoing, particularly in complex update servicing stacks.
- IT professionals must be vigilant and apply best practices around file system permissions and update monitoring to safeguard environments.
- End users and administrators must avoid deleting the inetpub folder, as doing so weakens critical security protections.
This situation underscores the importance of both security education and robust architectural design in mitigating vulnerabilities in widely used operating systems.
Conclusion
The sudden appearance of the empty inetpub folder on Windows 10 and Windows 11 systems after the April 2025 updates is a calculated, security-driven change by Microsoft designed to mitigate a serious symbolic link vulnerability (CVE-2025-21204). While the folder itself appears benign, it acts as a key defensive container that preserves the integrity of Windows Update.
The discovery of a new exploit involving directory junction manipulation against this folder reveals the multifaceted challenges of securing complex OS components and update mechanisms. Until a formal patch addresses this junction vulnerability, users and administrators are urged to lock down permissions on inetpub to prevent abuse.
Understanding the role of such invisible but powerful security measures helps end users and IT professionals maintain resilient systems against evolving cyber threats.