The creation of the inetpub folder on Windows systems by the April 2025 cumulative update has sparked significant discussion in the Windows community for its dual role as a security measure and a potential vulnerability. Historically, the "C:\inetpub" directory is tied to Microsoft's Internet Information Services (IIS), a web server framework, and is usually only present on machines running IIS. However, starting with Windows 11 and Windows 10 updates in April 2025, every system now includes this folder, even if IIS is not installed or actively used. This seemingly innocuous directory serves an unexpected but important role in patching a critical Windows security vulnerability, yet it also introduces a new vector for exploitation if improperly handled.
The inetpub folder was introduced as part of a security patch addressing vulnerability CVE-2025-21204, which involved how Windows resolved symbolic links (symlinks) within the Windows Update stack. This vulnerability allowed attackers with local access to create and abuse symlinks that could cause Windows to interact with unintended files or directories. Exploiting this flaw, an attacker might escalate privileges or disrupt system operations by redirecting sensitive file operations.
To counter this, Microsoft’s April 2025 update mandates the existence of the inetpub folder as a locked-down directory with strict permissions, creating a controlled environment that prevents unauthorized redirection through symlinks during system updates. Operating with SYSTEM-level privileges, the Windows Servicing Stack treats this directory as trusted and expects to stage update files there safely. Creating a dedicated directory with high restrictions mitigates the risk from symbolic link attacks, effectively acting as a "safe zone" or decoy to manage critical update operations and block redirection attacks.
Microsoft explicitly advises users not to delete this folder. Even though the directory is empty on most systems, its absence could disable the patch’s protective mechanisms, exposing the system again to symbolic link vulnerabilities and possible privilege escalation exploits. Users who mistakenly delete inetpub are encouraged to recreate the folder via enabling IIS through Windows Features or by reinstalling the update to restore the folder correctly with appropriate permissions.
Using a command like
What makes this vulnerability especially concerning is that executing the
Failed updates mean critical patches and security fixes do not apply, leaving systems vulnerable to other exploits and attacks. Moreover, the resulting error messages from update failures are often vague and non-indicative of a symlink/junction issue, complicating troubleshooting efforts for administrators.
This junction point vulnerability embodies a classic Windows security challenge: trusting symbolic links or junctions without proper validation and ownership checks. Although the patch was intended to fix a symbolic link vulnerability, it inadvertently introduces another symlink-related issue by allowing non-admin tampering with a privileged folder path.
If users encounter update errors after applying these permission changes, they may also need to reset Windows Update components before restoring permissions, ensuring the update infrastructure works without corruption.
Further, the automatic presence of inetpub—even on machines that do not run IIS—has caused confusion and erroneous assumptions by users, leading to attempts to delete the folder. Since the directory is essential for the patch's security, such deletions undo protections and require manual restoration steps that could burden less technical users.
From an IT management perspective, the silent creation of inetpub underscores the importance of educating users on update changes and the criticality of not removing system folders without clear guidance. Windows updates increasingly embed security features that may initially appear strange or unnecessary but are integral to system integrity.
Administrators should incorporate checks for inetpub folder integrity and permissions as part of routine maintenance to prevent this vulnerability's exploitation, especially in shared or multi-user environments.
This scenario illustrates the complexity of modern OS security patches—efforts to fix a problem can sometimes open new doors for attack, especially around legacy features like symbolic links and filesystem junctions. It also reinforces key security principles for Windows users and administrators: local access should be tightly controlled, system folders must be protected with strict permissions, and users should be cautious about deleting OS-created folders even if they appear empty.
Ultimately, the inetpub folder acts like a silent guardian of Windows' update process, though one whose gate must be vigilantly watched until a more permanent solution emerges from Microsoft’s security teams.
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
The Security Context: CVE-2025-21204 and the Creation of inetpub
The inetpub folder was introduced as part of a security patch addressing vulnerability CVE-2025-21204, which involved how Windows resolved symbolic links (symlinks) within the Windows Update stack. This vulnerability allowed attackers with local access to create and abuse symlinks that could cause Windows to interact with unintended files or directories. Exploiting this flaw, an attacker might escalate privileges or disrupt system operations by redirecting sensitive file operations.To counter this, Microsoft’s April 2025 update mandates the existence of the inetpub folder as a locked-down directory with strict permissions, creating a controlled environment that prevents unauthorized redirection through symlinks during system updates. Operating with SYSTEM-level privileges, the Windows Servicing Stack treats this directory as trusted and expects to stage update files there safely. Creating a dedicated directory with high restrictions mitigates the risk from symbolic link attacks, effectively acting as a "safe zone" or decoy to manage critical update operations and block redirection attacks.
Microsoft explicitly advises users not to delete this folder. Even though the directory is empty on most systems, its absence could disable the patch’s protective mechanisms, exposing the system again to symbolic link vulnerabilities and possible privilege escalation exploits. Users who mistakenly delete inetpub are encouraged to recreate the folder via enabling IIS through Windows Features or by reinstalling the update to restore the folder correctly with appropriate permissions.
How the inetpub Folder Itself Can Be Exploited
Surprisingly, the inetpub folder creates a new attack vector if misused. The folder's presence alone does not automatically secure the system if local users can manipulate it. Security researcher Kevin Beaumont revealed that non-admin users can exploit this folder by creating a directory junction—a powerful type of reparse point in Windows that effectively acts as a link to another folder or file.Using a command like
mklink /J C:\inetpub C:\Windows\System32\notepad.exe
, a user can replace the inetpub directory with a junction pointing to another target, such as the Notepad executable or any other file. Since the Windows Servicing Stack runs as SYSTEM and trusts the inetpub path, it attempts to stage files into that location during updates. If the directory is a junction pointing elsewhere, update operations fail or roll back because system processes are misdirected to unexpected targets, leading to failed Windows updates.What makes this vulnerability especially concerning is that executing the
mklink /J
command to create junctions in the root C: drive does not require administrator privileges, enabling even limited local users to sabotage updates. This significantly lowers the attack complexity—it only requires local access, no elevated rights, and can cause critical Windows update failures.Implications of This Vulnerability
The ramifications are broad for systems where multiple users share access or where local attacker scenarios are realistic. In environments such as shared offices, labs, or work-from-home setups, any standard user could exploit this technique to lock systems out from receiving updates by corrupting the update staging path.Failed updates mean critical patches and security fixes do not apply, leaving systems vulnerable to other exploits and attacks. Moreover, the resulting error messages from update failures are often vague and non-indicative of a symlink/junction issue, complicating troubleshooting efforts for administrators.
This junction point vulnerability embodies a classic Windows security challenge: trusting symbolic links or junctions without proper validation and ownership checks. Although the patch was intended to fix a symbolic link vulnerability, it inadvertently introduces another symlink-related issue by allowing non-admin tampering with a privileged folder path.
Mitigating the inetpub Junction Exploit Manually
As Microsoft has not yet provided an official fix, users and administrators are advised to harden the inetpub folder permissions manually to prevent unauthorized junction creation or modification:- Navigate to the inetpub folder on the C: drive.
- Right-click the folder, select Properties, then go to the Security tab.
- Click Advanced, disable inheritance, and remove all inherited permissions.
- Add SYSTEM and NT SERVICE\TrustedInstaller explicitly, granting them Full Control.
- Deny write and delete permissions to all other user accounts, including administrators.
mklink /J
targeting inetpub and ensures the Windows Update servicing stack can safely perform its functions.If users encounter update errors after applying these permission changes, they may also need to reset Windows Update components before restoring permissions, ensuring the update infrastructure works without corruption.
The Bigger Picture: Windows Security Approach and User Impact
This inetpub episode highlights a broader trend in maintaining modern operating system security—sometimes the fixes are layered, indirect, and can introduce new edge-case vulnerabilities. Microsoft's solution of creating an otherwise empty folder as a hardened container to manage symbolic link handling is a valid security design. However, the lack of validation for junctions and symlinks on this folder and the ease with which local users can exploit it exposes ongoing challenges in Windows security design.Further, the automatic presence of inetpub—even on machines that do not run IIS—has caused confusion and erroneous assumptions by users, leading to attempts to delete the folder. Since the directory is essential for the patch's security, such deletions undo protections and require manual restoration steps that could burden less technical users.
From an IT management perspective, the silent creation of inetpub underscores the importance of educating users on update changes and the criticality of not removing system folders without clear guidance. Windows updates increasingly embed security features that may initially appear strange or unnecessary but are integral to system integrity.
Administrators should incorporate checks for inetpub folder integrity and permissions as part of routine maintenance to prevent this vulnerability's exploitation, especially in shared or multi-user environments.
Conclusion: Balancing Security Fixes and New Vulnerabilities
Microsoft’s introduction of the inetpub folder as part of CVE-2025-21204 mitigation is a creative security measure, aiming to prevent symbolic link attacks by confining update staging to a secured directory. Yet, the design leaves an exploit avenue for non-admin users to redirect this folder itself using junctions, causing update failures and potential exposure. Until Microsoft issues a patch to validate or restrict junctions on this directory, disabling user write/delete permissions on inetpub is the strongest practical containment method.This scenario illustrates the complexity of modern OS security patches—efforts to fix a problem can sometimes open new doors for attack, especially around legacy features like symbolic links and filesystem junctions. It also reinforces key security principles for Windows users and administrators: local access should be tightly controlled, system folders must be protected with strict permissions, and users should be cautious about deleting OS-created folders even if they appear empty.
Ultimately, the inetpub folder acts like a silent guardian of Windows' update process, though one whose gate must be vigilantly watched until a more permanent solution emerges from Microsoft’s security teams.
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier