Here's a summary of the issue with the inetpub folder in Windows 11, and a temporary fix as suggested by the article:
Why is the Inetpub Folder Vulnerable?
Starting with the April 2025 Windows 11 update, a new empty inetpub folder is created on every system's C drive as a workaround for a prior Windows Update vulnerability.
This new setup allows anyone with local access (even non-admins) to replace the inetpub folder with a directory junction using a command like: mklink /J C:\inetpub C:\Windows\System32\notepad.exe
If abused, this causes Windows Update to malfunction or fail, making it a potential avenue for Denial of Service (DoS) attacks.
The Windows Servicing Stack trusts C:\inetpub and doesn't check it for reparse points or ownership, so a junction placed at that path can trick it.
Temporary Fix Recommended:
You can secure your system until Microsoft issues a patch by restricting permissions on the inetpub folder in its Advanced Security Settings dialog:
Click "Disable inheritance" and then select "Remove all inherited permissions from this object."
Click "Add" > "Select a principal". Type SYSTEM, click "Check Names", then "OK". Give it Full control.
Repeat for NT SERVICE\TrustedInstaller, again granting Full control.
Click OK on all dialogs to save changes.
This prevents every account other than SYSTEM and TrustedInstaller, administrators included, from modifying the folder, effectively blocking the main method of exploitation.
If you need to revert, go back to Advanced Security Settings, click "Enable inheritance," and remove the custom SYSTEM/TrustedInstaller permissions.
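The same permission change can be applied from an elevated PowerShell prompt, with a check first that C:\inetpub is still a real directory and not already a reparse point. This is an added example, not taken from the article or from Microsoft; the helper name Test-InetpubState is hypothetical, and the permission change uses icacls.exe's /inheritance and /grant switches.

```powershell
# Added example (not from the article): audit C:\inetpub, then apply the ACL
# described in the steps above. Run from an elevated PowerShell prompt.
$path = 'C:\inetpub'

function Test-InetpubState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return 'Missing' }
    # A junction or symbolic link carries the ReparsePoint attribute.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        return "ReparsePoint ($($item.LinkType) -> $($item.Target))"
    }
    if (-not $item.PSIsContainer) { return 'NotADirectory' }
    return 'Directory'
}

$state = Test-InetpubState -Path $path
if ($state -ne 'Directory') {
    Write-Warning "$path state: $state. Investigate before changing permissions."
    return
}

# List the current entries first. Only inherited entries are dropped by
# /inheritance:r (as with "Remove all inherited permissions" in the dialog);
# explicit entries for other principals would remain and need review.
(Get-Acl -LiteralPath $path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Disable inheritance, remove inherited ACEs, and grant Full control on the
# folder, subfolders and files to SYSTEM and TrustedInstaller.
icacls.exe $path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'NT SERVICE\TrustedInstaller:(OI)(CI)F'
if ($LASTEXITCODE -ne 0) {
    throw "icacls exited with code $LASTEXITCODE; permissions were not fully applied."
}
```

A state other than Directory on a system that received the April 2025 update means the folder was removed or replaced and should be investigated before any permissions are changed.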