For a moment, let’s imagine the typical Windows user: somewhere in the world, blissfully unaware, they dutifully click “Check for Updates,” trusting that the mysterious gears and levers behind Windows Updates will do their job—forever battling zero-day threats, patching holes, and quietly shuffling bits to keep our digital homes safe. But somewhere in the heart of Redmond, someone dared to meddle with the filesystem—and like an unruly Jenga tower, one block (or folder) toppled, exposing a new path for trouble: a humble directory called “inetpub”.

When Microsoft Gives You a Folder, Hackers See an Opportunity

Not long ago, inquisitive users spotted a fresh folder on their systems after Patch Tuesday rolled around. Its name? “inetpub”—not exactly the most ominous-sounding thing you might find on your C: drive, but for the security-conscious (or the paranoid), nothing crops up by accident on Windows. Amusingly, deletion seemed to inflict no visible harm. No blue screens. No sirens. No “HFS+ Partition Not Found” flashbacks. But when asked, Microsoft’s response was classic: don’t touch it. The corporate equivalent of your mom catching you with your hand in the cookie jar and warning, “Just don’t.”
Official explanation? The folder is a byproduct of Microsoft’s fix for a recently patched privilege escalation flaw—CVE-2025-21204. It’s the glittering legacy of an issue that involved symlink escalation in the Windows servicing stack, a classic slice of the never-ending pie buffet known as “Windows security vulnerabilities.”
But before you take a deep breath, convinced all is well, a new twist emerges—one that could turn even the calmest IT pro’s hair a lovely shade of database gray.

The Symlink Shuffle: How Malware Can Take the Floor

Here’s how it all breaks down: Symbolic links (symlinks or soft links) are a convenient Windows feature, a filesystem power trick letting you point one folder or file at another. In theory, a good thing. But in practice, they’re a little like handing out skeleton keys to your digital castle—as long as you know which doors to open (or jam shut).
After Microsoft’s fix, every updated Windows machine nonchalantly sports the C:\inetpub folder—ostensibly to block future exploitation of the patched CVE. It’s like digging a moat, then leaving the drawbridge down because “it’s fine, really.”
But British security researcher Kevin Beaumont noticed something downright diabolical. He discovered that non-administrators (yes, your lovely accounting intern or a malware-laden chocolate bar) can use a simple command-line incantation to render your entire patching regimen defunct. The weapon? The humble mklink /j command.
Run this as a non-admin:
mklink /j c:\inetpub c:\windows\system32\notepad.exe
Voilà! Instant sabotage. By planting a directory junction (a reparse point, much like a symlink) where Windows expects a real folder, you trick Windows Servicing into a fatal error—one that’s determined enough to persist across reboots, retries, and desperate prayers. From this moment forward, Windows Update will fail spectacularly: no more patches, no more security updates. Just a neon “Hack Me” sign blinking atop your corporate infrastructure.
If the folks grabbing coffee in your office seem blissfully unaware, it’s probably because they haven’t realized that a default folder could be weaponized against every Windows PC in the universe. Oh, the whimsical wonder of IT risk management.

Beaumont’s Bug: Risky Business Meets User “Convenience”

Let’s be honest: this isn’t the first time a patch has inadvertently introduced a new, even more entertaining flavor of vulnerability. In fact, it’s something of a rite of passage for any enterprise OS. But there’s a unique elegance to the kind of vulnerability that only requires the default, non-admin user. Forget privilege escalation—this is just plain escalation of inconvenience.
Kevin Beaumont, for his part, took his discovery straight to Microsoft’s Security Research Center (MSRC), likely drafting his email with one hand while facepalming with the other. Their response? Crickets. (Of course, the red-hot potato is currently in their inbox, destined for a glorious cameo in next month’s patch.)
To clarify: this isn’t a momentary Denial of Service. This is the IT equivalent of gluing your house’s circuit breaker shut. The trap persists until someone manually unravels the knot (or, more likely, wipes the system and starts again). It’s the kind of easily scripted, persistent issue that makes ransomware writers rub their palms and sysadmins break out the premium antacid.

Wait, Shouldn’t Inetpub Be Familiar?

Seasoned Windows hands might experience a bit of déjà vu. “inetpub” is the default root for IIS (Internet Information Services), Microsoft’s venerable web server. But this “inetpub” has nothing to do with actual web serving—the new folder is merely a side effect of Microsoft’s fix. It’s a modern, unwanted houseguest with an old, respected name. Sure, deleting it causes no immediate pain, but Windows, being Windows, would like you to kindly refrain.
There’s a certain poetic justice here: for decades, IIS’s “inetpub” was the first place to look for lurking vulnerabilities in exposed web servers. Now, apparently, it’s back—this time as a cross-system booby trap.

Real-World Implications: The Soft Spot in Systems Hardening

What does this mean in practice for IT professionals and sysadmins, you ask? Well, let's just say “least privilege” just took another punch to the gut.
Imagine the attack chain: A mildly clever insider (or even a run-of-the-mill script kiddie with tie-dye aspirations) could disable updates on hundreds—thousands—of endpoints across your estate by running one line of code. All without so much as admin rights or a whiff of PowerShell wizardry.
This is more than an embarrassment—it’s a true root cause of operational headaches. Forget APTs leaping the boundaries of your firewall. These are vulnerabilities sitting quietly at the lunch table next to everyone. All a user needs is CMD and basic typing skills.
Even better, how about an adversary with lateral movement capabilities? They could automate this, weaponizing Active Directory logins. Suddenly, defender visibility shrinks faster than your weekend plans after a Friday incident call.
If you ever wondered why “defense in depth” is more than just management’s favorite slogan, here’s your answer. The best-laid patching plans are only as robust as the weakest, least-defended door—and right now, that door is stamped “inetpub”.

Microsoft’s Communications: Where Silence Speaks Volumes

It’s hard not to marvel at Microsoft’s initial stone-faced warning. “Don’t delete the folder,” they said, as if they, too, were just discovering the fun times embedded in their own OS. But the absence of a timely comment or fix from the MSRC feels like a plot twist in a season finale: you know something huge is about to happen—just not sure if it’s injury time or sudden death.
For months, Windows admins have been hit with a relentless, sometimes contradictory cycle of “DO NOT TOUCH” system files—often for little more than the sin of curiosity. But now the warning is tinged with a little irony: don’t touch it, because touching it the wrong way lets others untouch your system’s security posture forever.

Persistence, Exploitability, and the Joys of Messy Recovery

Let’s drill down: the vulnerability isn’t just theoretically dangerous—it’s deliciously persistent. The attack survives reboots, avoids any need for privilege escalation, and leaves your endpoint stuck in an endless update loop of failure and rollback.
Imagine the helpdesk calls. Patches fail to install, error logs stack up, and time—your organization’s most precious, unrenewable resource—spirals into the abyss. The only solution is a nuanced bit of manual cleaning, carefully dismantling the malcontent symlink. Cue frustrated online guides, questionable registry hacks, and frantic posts on forums from users who would rather be doing anything else.
For security teams already burdened by zero-day alerts and log fatigue, this lands right in the “irritable” zone on their threat radar. Not outright “drop everything and panic,” but certainly worthy of an emergency coffee run.

Not All Doom and Gloom (But Close)

All right—deep breath. This isn’t the End of Days for Windows system security, but it’s another vivid reminder: complexity is the enemy of security, and kludgy post-patch workarounds can sometimes break worse than what they’re meant to fix.
On the plus side, knowledge is power. With the attack in the wild (and in the hands of researchers, not just threat actors), there’s a heightened chance for a fix before widespread exploitation. Most users and organizations will happily go about their business, ignorant of the cyber shadow play unfolding two directories from their photos folder. But for those in the know? Another day, another malware vector, another pane of glass to patch (or break).

Should You Panic-Migrate to Linux?

If the answer was ever yes, this isn’t quite the breaking point—but it’s another bullet point on why simplicity, transparency, and privilege separation matter. Windows remains the world’s favorite blend of productivity and unpredictability. Will Microsoft plug the gap in time? Absolutely—eventually. But the lull between disclosure and patch is the golden hour for both attackers and nervy, overcaffeinated Rapid Response Teams.
Switching operating systems is, as any world-weary admin will tell you, trading one set of irks for another. But at least on Linux, you’re more likely to be the one accidentally borking your own update system, rather than an enterprising teenager on a public PC.

Steps IT Professionals Should Take Now (But Probably Won’t)

Let’s be clear: hope is not a strategy. Until Microsoft issues a patch—which they undoubtedly will—a few best practices are in order:
  • Audit and Limit User Rights: Even if this exploit doesn’t require admin, redouble your effort to confine what non-admins can do on endpoints. Group Policies are your friend; the fewer surprise folders users can touch, the better.
  • Monitor Changes: Get alerts for weird filesystem manipulations—especially new symlinks in system directories. It might save your skin (or at least your weekend).
  • Script a Remediation: If your org is feeling proactive, cookie-cutter PowerShell scripts to inspect, clean, and restore the “inetpub” folder to its bland, inert state may keep update pipelines alive.
  • User Education: Let users know that running strange commands found on Reddit is a bad idea. Not that they’ll listen, but at least you tried.
  • Patch Promptly: When (not if) Microsoft fixes this, for the love of all that is caffeinated, roll it out fast and wide. Otherwise, prepare to learn far more about the Windows servicing stack than you ever wanted.
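As an added example (not code from the original post, from Neowin, Microsoft or Kevin Beaumont), here is a Windows PowerShell 5.1+ script covering the “Monitor Changes” and “Script a Remediation” items above. It assumes the affected path is C:\inetpub, that Repair-Inetpub is run from an elevated prompt, and the function names are my own.

```powershell
# Added example (not from the original post, Microsoft or Kevin Beaumont).
# Assumptions: the affected path is C:\inetpub and Repair-Inetpub runs elevated.

function Get-InetpubState {
    param([string]$Path = 'C:\inetpub')
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; State = 'Missing'; Target = $null }
    }
    # Junctions and symbolic links carry the ReparsePoint attribute; a plain folder does not.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        return [pscustomobject]@{ Path = $Path; State = $item.LinkType; Target = (@($item.Target) -join ';') }
    }
    return [pscustomobject]@{ Path = $Path; State = 'Directory'; Target = $null }
}

function Repair-Inetpub {
    param([string]$Path = 'C:\inetpub')
    $state = Get-InetpubState -Path $Path
    switch ($state.State) {
        'Directory' { Write-Host "$Path is a real folder; nothing to do."; return $state }
        'Missing'   { Write-Host "$Path is absent; recreating it." }
        default {
            Write-Warning "$Path is a $($state.State) pointing at '$($state.Target)'; removing the link only."
            # RemoveDirectory on a reparse point deletes the link itself, never what it points at,
            # so the target file or folder (notepad.exe in the post's example) is untouched.
            [IO.Directory]::Delete($Path)
        }
    }
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # The post does not state the ACL Microsoft ships on this folder, so reapply your own
    # captured baseline here (e.g. with icacls /restore) if you have one.
    return Get-InetpubState -Path $Path
}

# Detection sweep for the "Monitor Changes" item: list every reparse point directly under
# the system drive root, where a junction planted in place of C:\inetpub would show up.
# Expect the legitimate built-in 'Documents and Settings' junction to appear as well.
function Find-RootReparsePoints {
    param([string]$Root = "$env:SystemDrive\")
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        Select-Object FullName, LinkType, @{ n = 'Target'; e = { @($_.Target) -join ';' } }
}

Get-InetpubState
Find-RootReparsePoints
# Run on an affected machine from an elevated prompt:
# Repair-Inetpub
```

Schedule Find-RootReparsePoints (or the equivalent file-system audit in your EDR) so an unexpected Junction or SymbolicLink at the drive root raises an alert rather than waiting for the next failed update to surface it.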

A Final Word: The Sisyphean Tragedy of Patch Management

At the end of it all, the “inetpub” saga is just another day in the wonderful world of endpoint administration. Like Sisyphus, IT pros push the update boulder uphill, only for a folder—blessed by Microsoft, cursed by happenstance—to roll it all right back down again.
But hey, at least you’re never bored. And next time someone asks if you’ve “checked the inetpub folder,” you’ll have a story—one filled with symbolic links, denial-of-service drama, and just the right amount of dry Microsoft-induced panic to keep the forums buzzing.
Raise a cup to the endlessly inventive world of Windows security, where every patch is both victory and prelude. And remember: next Patch Tuesday, check your folders—carefully. Your updates may depend on it.

Source: Neowin, “Microsoft's official 'inetpub' folder lets hackers permanently block Windows updates on PCs”