Windows: Empty inetpub folder creates a new security problem

[harlan4096]

When Microsoft released the April 2025 security updates for Windows, users from all over the world started to notice that Microsoft's update created an empty folder in the main drive called inetpub.

This led to confusion, as Microsoft was tight lipped initially about the presence of the folder. The official release notes did not include any information about it.

Shortly thereafter, Microsoft revealed that it created the folder on purpose to "increase protection". Users and administrators were encouraged to keep the folder and not tinker with it.

Background information: Microsoft created the folder as a direct response to CVE-2025–21204, which allows attackers to use symlinks to elevate privileges.
It turns out now that the creation of the folder may very well be used by cybercriminals for nefarious purposes.

Security researcher Kevin Beaumont shared information about the issue on Medium. Beaumont discovered that Microsoft's fix "introduced a denial of service vulnerability in the Windows servicing stack".

The details:

• Regular users may abuse the issue to stop all Windows security updates.
  
• It takes a single command to from a regular (non-elevated) prompt to abuse the issue.
  

All that is required is to create a new symbolic link between the inetpub folder and an application like notepad. Symbolic links do not require elevation, which means that attackers do not need to gain elevated access to a system to block future security updates on it.

Continue Reading...