A recent Windows security update that creates an ‘inetpub’ folder has introduced a new weakness allowing attackers to prevent the installation of future updates. After people installed this month's Microsoft Patch Tuesday security updates, Windows users suddenly found an "inetpub" folder owned by the SYSTEM account created in the root of the system drive, normally the C: drive. It was strange to see this folder created as it is normally used to hold files associated with Microsoft's Internet Information Service web server, which was not installed on these devices. In an update to a security advisory, Microsoft later confirmed that the C:\inetpub folder was part of a fix for a Windows Process Activation elevation of privilege vulnerability tracked as CVE-2025-21204, with the company warning not to delete the folder. "After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device," confirmed Microsoft. "This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users." However, cybersecurity expert Kevin Beaumont has demonstrated that this folder can be abused to prevent further Windows updates from being installed if it is created a certain way. "I've discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates," Kevin Beaumont. In a new report, Beaumont says that Windows users, even those without administrative privileges, can create a junction between C:\inetpub and a Windows file, like C:\windows\system32\notepad.exe using the following command. mklink /j c:\inetpub c:\windows\system32\notepad.exe A Windows junction is a special type of folder that redirects access to another folder on the ...
First seen: 2025-04-27 12:15
Last seen: 2025-04-27 12:15