Windows: Empty inetpub folder creates a new security problem

Martin Brinkmann
Apr 23, 2025
Windows 10, Windows 11 News, Windows Updates

When Microsoft released the April 2025 security updates for Windows, users from all over the world started to notice that Microsoft's update created an empty folder in the main drive called inetpub.

This led to confusion, as Microsoft was initially tight-lipped about the presence of the folder. The official release notes did not include any information about it. Shortly thereafter, Microsoft revealed that it created the folder on purpose to "increase protection". Users and administrators were encouraged to keep the folder and not tinker with it.

Background information: Microsoft created the folder as a direct response to CVE-2025-21204, which allows attackers to use symlinks to elevate privileges.

It turns out now that the creation of the folder may very well be used by cybercriminals for nefarious purposes.

Security researcher Kevin Beaumont shared information about the issue on Medium. Beaumont discovered that Microsoft's fix "introduced a denial of service vulnerability in the Windows servicing stack".

The details:

  • Regular users may abuse the issue to stop all Windows security updates.
  • It takes a single command from a regular (non-elevated) prompt to abuse the issue.

All that is required is to create a new symbolic link between the inetpub folder and an application like notepad. Symbolic links do not require elevation, which means that attackers do not need to gain elevated access to a system to block future security updates on it.

Note: The command given by Beaumont on the website seems wrong as mklink /j is used to create junction links that link to a directory and not a file. Unless I'm missing something, it needs to either do away with /j to create a symbolic link or /h to create a hard link. Whether that is also going to block Windows updates is unclear though.

Once run, Windows security updates will no longer install on the target machine, according to Beaumont. They will throw an error and roll back. Cybercriminals may use the hack to prevent the installation of future security updates, which may fix security issues that they use to attack systems.

Beaumont says that the only way to resolve this issue is for Microsoft to fix it. He reported the issue to Microsoft but claims that Microsoft has not responded yet.

For this vulnerability to be exploited, cybercriminals need to gain regular access to a Windows machine. All common ways of protecting Windows apply to prevent this from happening, including making sure that Windows is up to date, not installing software from questionable sources, and not allowing others to establish remote connections to the system.
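
Until a fix is available, administrators can at least check whether the inetpub folder is still a plain directory or has been replaced by a link. The PowerShell below is an added example, not code from this article or from Beaumont's post; `Test-InetpubFolder` is a hypothetical helper name, and the script assumes the folder sits at the root of the system drive.

```powershell
# Added example: report whether <SystemDrive>\inetpub is a plain directory
# or has been replaced by a link (reparse point) or a file.
# Test-InetpubFolder is a hypothetical helper name, not a built-in cmdlet.
# LinkType and Target need PowerShell 5 or later.
function Test-InetpubFolder {
    param(
        # Assumption: the folder sits at the root of the system drive.
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    $result = [ordered]@{
        Path     = $Path
        State    = 'Missing'
        LinkType = $null
        Target   = $null
        Owner    = $null
    }

    # -Force so hidden or system items are returned as well.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        if ($isLink) {
            $result.State    = 'Link'
            $result.LinkType = $item.LinkType            # Junction or SymbolicLink
            $result.Target   = ($item.Target -join '; ')
        }
        elseif ($item.PSIsContainer) {
            $result.State = 'Directory'
        }
        else {
            $result.State = 'File'                       # e.g. a hard link or regular file
        }
        # Record who owns the object; a link created by a regular user shows up here.
        $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
        if ($null -ne $acl) { $result.Owner = $acl.Owner }
    }
    [pscustomobject]$result
}

$check = Test-InetpubFolder
$check | Format-List
if ($check.State -in 'Link', 'File') {
    Write-Warning "inetpub is a $($check.State), not a plain directory; review it before the next update cycle."
}
```

The function returns an object rather than text, so the same check can feed an inventory or monitoring job across many machines.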

Now You: what is your take on this? Would you say that Microsoft needs to be transparent when it comes to making these unannounced changes to Windows? Feel free to leave a comment down below.

Publisher: Ghacks Technology News

Comments

  1. Bad and Lazy said on April 24, 2025 at 12:50 am

    I don’t understand why the Microsoft Team is so amazingly lazy and bad.
    Make Windows Great Never.

  2. VioletMoon said on April 23, 2025 at 3:34 pm

    “For this vulnerability to be exploited, cybercriminals need to gain regular access to a Windows machine. All common ways of protecting Windows apply to prevent this from happening, including making sure that Windows is up-to-date, not installing software from questionable sources, or allowing others to establish remote connections to the system.”

    So what’s the issue? A vulnerability exists; however, it can’t be exploited unless someone from somewhere who isn’t known by anyone in the company [or home] walks in and gains regular access to all the computers in the building or home. Remote with strangers seems like an odd thing to do.

    1. Tony said on April 23, 2025 at 4:14 pm

      PC: [full screen advert] Thank you for your purchase at Best Buy! If you didn’t make this purchase, call us at [number].

      IGNORANT COWORKER: Oh no, I better call them because I didn’t make a purchase! [calls]

      SCAMMER: Hi IGNORANT COWORKER, we detected something was wrong on your computer and it must have made a purchase for you. Please allow us to connect to your computer and see what happened.

      IGNORANT COWORKER: OH OK. [access granted. vulnerability exploited.]

      —-

      Yes, it requires regular access to the computer, but if Microsoft can’t account for the fact that many of their users are not bright, which is something they are actively exploiting and abusing themselves, then they failed to protect even their own exploits.
