
Introduction
With the April 2025 cumulative update (notably KB5055523 for Windows 11 24H2 and corresponding updates for Windows 10), many users have noticed the unexpected creation of the `inetpub` folder on the root of their system drives, typically INLINECODE1. Traditionally associated with Microsoft's Internet Information Services (IIS) web server, this folder has sparked widespread attention and debate, particularly around its security implications.
Far from being a mere leftover or bug, the creation of this folder is a deliberate, security-centric move by Microsoft to mitigate a critical vulnerability tracked as CVE-2025-21204, related to the handling of symbolic links (symlinks) in the Windows servicing stack, which manages Windows Update operations.
Background: What is the inetpub Folder?
The `inetpub` folder traditionally serves as the default directory for IIS web content, containing web applications, logs, scripts, and administrative files necessary for hosting websites on Windows servers. Historically, it existed only on systems where IIS was installed and enabled.
However, with the April 2025 update, Microsoft mandated its creation even on systems without IIS or web services running. This move aims to provide a hardened, trusted container that guards Windows Update servicing processes against symlink-based exploits.
The Security Vulnerability: CVE-2025-21204
Symbolic links are filesystem objects that point to other files or directories, often acting like shortcuts. Improper handling of these by privileged system components can be exploited to redirect critical file operations to malicious or unintended targets.
The vulnerability CVE-2025-21204 involves the Windows servicing stack running with SYSTEM-level privileges, which treats the `inetpub` folder as a trusted directory but does not verify whether this folder is a standard directory or a reparse point (such as a directory junction or symbolic link), nor does it robustly check folder ownership and permissions.
Exploitation Scenario
A local attacker with non-administrative privileges (i.e., no need for elevated rights) or physical access can delete or replace the `inetpub` folder with a directory junction pointing to arbitrary files or directories. For example:
CODEBLOCK0
This command would redirect servicing stack operations intended for INLINECODE5 to point instead to INLINECODE6.
When Windows Update attempts to stage or write update files, it would reference the wrong target, causing update failures, rollbacks, or denial-of-service. This exploit vector also opens the door to privilege escalation or disruption of system patching processes.
Microsoft's Security Rationale
The intentional creation of the `inetpub` folder acts as a "digital moat" or decoy container, within which the Windows servicing stack can safely operate without risk of symlink redirection attacks. It is a controlled environment with restricted permissions, assigned only to SYSTEM and TrustedInstaller accounts, preventing typical users from manipulating it.
Microsoft explicitly instructs users not to delete the `inetpub` folder, as its removal disables the protections the update aims to enforce.
Emerging Exploit and Ongoing Risk
Despite this design, researcher Kevin Beaumont demonstrated that the lack of verification for symbolic links and ownership allows local users to bypass protections by substituting the folder with a junction, creating a vulnerability out of a security fix.
The servicing stack’s blind trust in the `inetpub` folder's nature means it could unwittingly follow malicious directory junctions, hampering updates and system security.
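The checks the servicing stack is described as skipping (reparse point, ownership, permissions) can be run by a defender as an audit. The following is an added example, not code from Microsoft or the researcher; the folder path and the function name `Test-InetpubFolder` are assumptions, and the ACL is judged against the hardened state described in the mitigation section.

```powershell
# Added audit example. Assumes the folder sits at the root of the system drive.
# The SIDs are the well-known SYSTEM and TrustedInstaller SIDs (locale-independent).
$TrustedSids = @(
    'S-1-5-18',                                                       # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

function Test-InetpubFolder {
    param([string]$Path = "$env:SystemDrive\inetpub")

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return "MISSING: $Path does not exist" }

    # Check 1: must be a plain directory, not a junction or symlink.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        return "REPARSE POINT: $Path is a $($item.LinkType) -> $($item.Target)"
    }
    if (-not $item.PSIsContainer) { return "NOT A DIRECTORY: $Path is a file" }

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()

    # Check 2: the owner should be one of the trusted accounts.
    $owner = $acl.GetOwner($sidType).Value
    if ($TrustedSids -notcontains $owner) { $findings += "OWNER: unexpected owner $owner" }

    # Check 3: no other principal may hold write, delete or ACL-changing rights.
    # 0x50000000 covers the raw GENERIC_WRITE and GENERIC_ALL bits.
    $names = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask  = [int][System.Security.AccessControl.FileSystemRights]$names -bor 0x50000000
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $TrustedSids -notcontains $sid -and
            ([int]$ace.FileSystemRights -band $mask)) {
            $findings += "ACL: $sid can modify the folder ($($ace.FileSystemRights))"
        }
    }

    if ($findings.Count -eq 0) { return "OK: $Path is a plain directory with a hardened ACL" }
    return $findings
}

Test-InetpubFolder
```

On a folder that has not yet been hardened, the ACL findings are expected; a `REPARSE POINT` result is the one that warrants immediate investigation.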
Mitigation: Hardening inetpub Folder Permissions
Until Microsoft releases a direct patch addressing this symlink redirection vulnerability, system administrators and security-conscious users can manually harden the `inetpub` folder's security permissions:
- Right-click on the `inetpub` folder in the root of the system drive (usually INLINECODE12) and select Properties.
- Go to the Security tab and click Advanced.
- Click Disable inheritance and choose Remove all inherited permissions.
- Add permissions explicitly for:
  - `SYSTEM` account with Full control
  - `TrustedInstaller` account with Full control
- Remove all other user accounts, including Administrators and standard users, from having write or delete permissions.
- Confirm and apply the changes.
This procedure prevents non-system users, including administrators without SYSTEM privileges, from creating malicious symbolic links or directory junctions that replace the `inetpub` folder.
If needed, these permission changes can be reversed by re-enabling inheritance.
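The same end state can be scripted with `icacls` for use across many machines. This is an added example, not a Microsoft-supplied script; the folder path, the backup file name and the choice to remove Administrators last are assumptions. It converts inherited entries to explicit ones before removing them so the elevated session keeps access until the final step.

```powershell
# Added hardening example. Run from an elevated PowerShell prompt.
$path    = "$env:SystemDrive\inetpub"      # assumed location
$trusted = @(
    'S-1-5-18',                                                       # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
$admins  = 'S-1-5-32-544'                  # BUILTIN\Administrators

function Invoke-Icacls {
    # Run icacls and stop on the first failure.
    icacls @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $args failed with exit code $LASTEXITCODE" }
}

# Never re-ACL a junction or symlink: investigate the substitution instead.
$item = Get-Item -LiteralPath $path -Force -ErrorAction Stop
if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
    throw "$path is a reparse point ($($item.LinkType)); investigate before hardening."
}

# Keep a copy of the current ACL for reference (constructed file name).
Invoke-Icacls $path /save "$env:TEMP\inetpub-acl.bak"

# Disable inheritance (inherited entries become explicit copies for now) and
# grant the two trusted accounts Full control on the folder and its children.
$grants = $trusted | ForEach-Object { "*${_}:(OI)(CI)F" }
Invoke-Icacls $path /inheritance:d /grant:r @grants

# Remove every other principal from the ACL, Administrators last.
$sidType = [System.Security.Principal.SecurityIdentifier]
$others  = (Get-Acl -LiteralPath $path).GetAccessRules($true, $false, $sidType) |
    ForEach-Object { $_.IdentityReference.Value } |
    Where-Object { $trusted -notcontains $_ } |
    Sort-Object -Unique
$ordered = @($others | Where-Object { $_ -ne $admins }) +
           @($others | Where-Object { $_ -eq $admins })
foreach ($sid in $ordered) {
    Invoke-Icacls $path /remove "*$sid"
}

icacls $path    # display the resulting ACL for review
```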
Implications and Broader Lessons
- Complex defense layering: Modern operating system security increasingly relies on layered, sometimes opaque, protection mechanisms that require a balance between usability and defense.
- Legacy features as security tools: Repurposing IIS-related folders as security containers illustrates innovative use of existing infrastructure, though with unforeseen complications.
- Non-admin threat vectors: The vulnerability showcases risks even from non-elevated users, emphasizing the importance of least privilege and accurate permission models.
- Update integrity importance: The servicing stack’s role as a privileged updater is highlighted as a critical security focal point requiring continuous scrutiny.
Conclusion
The introduction of the `inetpub` folder on Windows 10 and 11 systems post-April 2025 update is a nuanced security measure designed to thwart symbolic link exploitation in Windows Update servicing. However, the method's initial implementation exposed a new avenue for local attackers via directory junction manipulation.
Until Microsoft releases a comprehensive fix, users and administrators must follow recommended permission hardening steps to protect their systems from potential disruption or escalation risks arising from this folder.
Continued vigilance and rapid adaptation are essential as Windows evolves its defense strategies against increasingly sophisticated local and systemic threats.