Introduction

The April 2025 Windows update, notably the Patch Tuesday release KB5055523, introduced a surprising and somewhat controversial change for many Windows 10 and 11 users: the sudden appearance of an empty folder named INLINECODE0 at the root of their system drives, typically INLINECODE1 . While traditionally associated with Microsoft's Internet Information Services (IIS) — a web server platform for hosting websites and applications — this folder now appears by default, even on systems without IIS enabled.

This article explores the background and rationale behind the inetpub folder’s re-emergence, its connection to the critical Windows vulnerability CVE-2025-21204, the security implications and newly discovered risks, and recommended best practices for users and administrators.

Background: Inetpub and IIS

Historically, the INLINECODE2 folder hosted web content such as HTML files, scripts, logs, and mail routing components whenever IIS was installed and enabled on Windows systems. Thus, on typical consumer or workstation PCs without IIS, the folder was usually absent.

However, the April 2025 update changed this by creating the folder universally, regardless of IIS presence. At first, this caused confusion and suspicion among users, many of whom considered it leftover bloatware or a possible malware artifact.

Understanding CVE-2025-21204 and Its Impact

This move is closely tied to the mitigation of a severe elevation-of-privilege vulnerability identified as CVE-2025-21204. This flaw impacted the Windows Update servicing stack’s handling of symbolic links (symlinks).

Symbolic links in Windows point to other files or directories, similar to shortcuts but enforced at the file system level. The vulnerability arose because Windows could be tricked into following maliciously crafted symlinks during update operations, allowing local attackers—even with low privileges—to redirect system processes to modify or access unauthorized files. This could lead to privilege escalation or corruption of critical system components.

The Role of the Inetpub Folder in the Patch

To counter this threat, Microsoft’s patch created the INLINECODE3 folder as a hardened, empty directory with strict system-level permissions. The goal was to establish a "safe zone" or trusted containment point for certain file staging operations during Windows servicing and updates.

By ensuring this folder exists with locked-down access, Windows can reliably handle symbolic links in this controlled environment, reducing the risk of redirection exploits. Effectively, INLINECODE4 acts as a secure anchor point for the servicing stack to operate safely without being vulnerable to symlink tampering.

New Security Concerns: Junction Point Exploit

Despite its security purpose, the introduction of the INLINECODE5 folder presented a new unforeseen risk discovered by security experts such as Kevin Beaumont.

The vulnerability pertains to directory junctions (a type of symlink specific to directories). Any local user, including those without administrative privileges, can replace the INLINECODE6 folder with a junction pointing to arbitrary files or locations. For example, running the command:

CODEBLOCK0

replaces the folder with a junction to Notepad.exe or any target file.

Because the Windows servicing stack runs with SYSTEM privileges and implicitly trusts INLINECODE7 , it attempts to stage update files into the redirected path, causing update failures, rollbacks, or denial-of-service conditions. This allows any standard user or low-privilege malware to disrupt critical security updates and potentially leave systems vulnerable.

Implications and Risks

The simplicity of this attack and the lack of requirement for elevated privileges make it a serious concern, especially in multi-user environments and enterprise settings where endpoint controls might not fully restrict such filesystem manipulations.

It effectively grants local users—or attackers who gain footholds with limited rights—the power to halt Windows updates, undermining patch management and exposing the system to unpatched threats.

Recommended Mitigations and Best Practices

Until Microsoft issues an official fix, the community recommends hardening the permissions on the INLINECODE8 folder:

  1. Navigate to INLINECODE9 .
  2. Right-click and select Properties.
  3. Go to the Security tab, then Advanced.
  4. Disable inheritance and remove all inherited permissions.
  5. Grant Full Control only to INLINECODE10 and INLINECODE11 .
  6. Ensure no other users or groups have write or delete permissions.

This restricts any modification or replacement of the folder by non-trusted users, blocking the junction attack vector.

Additionally, users are strongly advised not to delete the INLINECODE12 folder, as Microsoft clearly states its presence is critical for the security patch against CVE-2025-21204.

If accidentally removed, restoring the folder involves enabling IIS temporarily via "Turn Windows features on or off" or reinstalling the updates that introduced it, which recreates the folder with appropriate permissions.

Conclusion

The mysterious INLINECODE13 folder appearing after the April 2025 Windows updates represents an innovative but imperfect security strategy by Microsoft. It exemplifies the complexity of modern OS security where even empty folders can play vital roles in defending against sophisticated vulnerabilities.

While it mitigates a serious privilege escalation bug involving symbolic links, the folder’s presence unveiled new risks related to directory junction abuses.

Users and administrators should respect the folder's security purpose, avoid deleting it, monitor folder permissions, and apply recommended mitigations to safeguard Windows against this multi-layered threat.

This episode underscores the intricate balance between robust security measures and maintaining system usability and stability in evolving software landscapes.