Introduction

In April 2025, Windows users encountered an unexpected addition to their system drives: a new, empty folder named "inetpub" located at the root of the C: drive. This sudden appearance led to widespread confusion and concern. Microsoft later clarified that this folder's creation was intentional, serving as a mitigation for a critical security vulnerability identified as CVE-2025-21204.

Background on the 'inetpub' Folder

Traditionally, the "inetpub" folder is associated with Microsoft's Internet Information Services (IIS), a web server platform used to host websites and web applications on Windows systems. This folder typically appears only when IIS is manually enabled by the user or administrator, serving as the default directory for storing website files, system logs, and related content.

CVE-2025-21204: The Underlying Vulnerability

CVE-2025-21204 is a security flaw concerning improper handling of symbolic links (symlinks) within the Windows Process Activation service. Symlinks are filesystem objects that point to other files or directories, effectively acting as shortcuts at the system level. The vulnerability allowed local attackers to exploit manipulated symlinks to redirect system file operations, potentially gaining unauthorized elevation of privileges or access to modifying protected system files.

Microsoft's Mitigation Strategy

To address this vulnerability, Microsoft implemented a proactive measure by pre-creating the "inetpub" folder with strict system-level permissions. This folder acts as a hardened container, disrupting attack paths reliant on symlink redirections by occupying the target location. Thus, any attempted symlink from or to this directory would fail or be thwarted, reducing the vulnerability’s exploitability.

Microsoft explicitly advised users and administrators not to delete this folder, emphasizing its critical security role, despite it being empty and consuming negligible disk space. Removing "inetpub" would undermine the security patch, inviting potential system compromise if attackers leveraged the uncovered symlink attacks.

Unintended Consequences: The Junction Point Exploit

Despite the well-meaning security intent, the new "inetpub" folder's creation introduced an unforeseen weakness. Security researcher Kevin Beaumont discovered that using the Windows command INLINECODE0 with the INLINECODE1 parameter, which creates a directory junction (a form of filesystem redirect), an attacker—even one without administrative privileges—could hijack the "inetpub" folder path.

By running a command such as:

CODEBLOCK0

a standard user could replace the pre-created "inetpub" folder with a junction pointing to a critical system executable or another unexpected target. This redirect causes Windows Update to interact with the wrong target and fail, effectively blocking the update process by causing errors that result in rollback of patches.

This attack vector effectively allows non-administrator users to cause a denial-of-service (DoS) against Windows Update, which is highly concerning because it impedes timely and automated security patching of the system—an essential operation for maintaining a secure environment.

Implications for System Administrators and End Users

For IT professionals managing Windows environments, this update-induced "inetpub" junction exploit demands urgent attention. Administrators should incorporate scanning procedures to detect tampered or junction-manipulated "inetpub" folders. The presence of a junction instead of a standard directory should be flagged for immediate remediation.

Users should be reminded never to delete the "inetpub" folder manually; doing so disables protections and risks security exposure. In scenarios where the folder is absent or compromised, restoration involves re-enabling IIS or reinstalling the appropriate update. Equally critical is limiting user permissions to the minimum necessary—standing by the principle of least privilege—to reduce the likelihood of non-admin users creating harmful junctions.

Conclusion

The sudden appearance of the "inetpub" folder on Windows systems following the April 2025 update serves as a reminder of the complexities involved in system security and update management. While Microsoft's intention was to mitigate a critical vulnerability, the approach introduced new challenges that require vigilant oversight from both users and administrators. Understanding the purpose and importance of such changes is crucial in maintaining the integrity and security of Windows systems.