Introduction

In April 2025, Microsoft released a cumulative update for Windows 11 24H2, identified as KB5055523, which introduced an unexpected yet significant change: the creation of an empty "inetpub" folder on the root of system drives such as C:\inetpub. This folder, traditionally associated with Microsoft's Internet Information Services (IIS), appeared on systems without IIS enabled, leading to widespread curiosity and concern within the Windows user and IT professional communities.

This article delves into the background, technical details, and implications of this update, offering insights into why Microsoft deployed this peculiar folder, its connection to a critical security vulnerability (CVE-2025-21204), and the nuances of the related security mitigation strategy.

Background: The Inetpub Folder and Windows Security

Historically, the "inetpub" folder is the default directory for IIS, Microsoft's web server platform. It stores web content, scripts, logs, and administrative files and is typically present only on systems with IIS installed.

However, the April 2025 update fundamentally repurposed this folder's role. By enforcing its creation on all updated Windows 11 systems—regardless of IIS usage—Microsoft leveraged "inetpub" as a strategic security control point designed to counteract a critical vulnerability.

The Critical Vulnerability: CVE-2025-21204

CVE-2025-21204 is a serious security flaw linked to the Windows Process Activation infrastructure, specifically around how Windows Update handles symbolic links (symlinks). Symlinks are file system objects that point to other files or directories. If improperly handled, they can be exploited by attackers to redirect system operations to unauthorized files or directories.

The vulnerability allowed a local attacker (with physical or user-level access) to manipulate symbolic links to escalate privileges or interfere with system files during the update process. This could result in local privilege escalation or compromise of system integrity through unauthorized modifications.

Microsoft’s Security Mitigation: The Inetpub Folder as a Hardened Container

Instead of patching the underlying symbolic link resolution code directly, Microsoft adopted a workaround deployment strategy:

  • An empty "inetpub" folder is pre-created at the root of the system drive.
  • The folder is assigned strict permissions, owned by SYSTEM and TrustedInstaller, limiting unauthorized access and modifications.
  • It acts as a hardened "safe zone" or container, preventing malicious redirection of symbolic links during Windows Update operations.

This folder ensures that no symbolic links can point or redirect Windows servicing operations elsewhere, effectively neutralizing the attack vector. Microsoft explicitly warns users not to delete this folder, as its removal disables the security patch and exposes the system to attack.

If deletion occurs, recommended remediation involves reinstalling the update or toggling the IIS feature via Windows Features to restore the folder.

Emerging Vulnerabilities and Exploit Vectors

Despite the security intent, the inetpub folder introduced a new local vulnerability due to insufficient validation of directory junctions:

  • Security researchers found that any non-admin local user can create a directory junction (a special type of symlink) pointing the inetpub folder to an arbitrary location using a command like:
CODEBLOCK0
  • The Windows servicing stack, running under SYSTEM and treating "inetpub" as a trusted folder without checking if it is a real folder or a junction point, follows the junction to the wrong target.
  • This causes update failures or rollbacks, leading to a denial-of-service (DoS) scenario blocking critical security updates.

This new flaw allows local denial-of-service attacks on Windows Update without requiring administrative privileges, posing a significant risk for system security and stability.

Implications for Users and IT Administrators

  • Do not delete the inetpub folder. Its presence is critical for mitigating CVE-2025-21204.
  • If deletion occurs, restore it promptly by reinstalling the update or enabling IIS.
  • Administrators should consider hardening folder permissions further by disabling inheritance and allowing full control only to SYSTEM and TrustedInstaller accounts, preventing ordinary users from replacing the folder with junctions.
  • Monitor systems for unauthorized manipulation of the inetpub folder.
  • Recognize that modern operating system security sometimes employs unconventional measures, such as empty system folders, to enforce complex protections.

Conclusion

The creation of the empty inetpub folder in Microsoft's April 2025 Windows 11 update (KB5055523) is a remarkable example of layered security architecture leveraging legacy system components in new roles. While it is a critical part of the patch protecting against a high-impact symbolic link vulnerability (CVE-2025-21204), it also underscores ongoing challenges in securing complex OS processes.

Users and administrators must heed Microsoft's guidance to retain this folder and apply appropriate permission configurations to safeguard update integrity. The inetpub folder embodies the evolving interplay between system usability and advanced security in modern Windows environments.

References for Further Reading

  1. Microsoft: Don't delete inetpub folder created from the April 2025 update, it's required - Windows Forum
  2. Windows 11 April 2025 update introduces new security folder ‘inetpub’ | BetaNews
  3. Security researcher Kevin Beaumont on inetpub vulnerability - Twitter/Blog
  4. Microsoft Security Advisory – Patch for CVE-2025-21204
  5. [Technical Analysis of KB5055523 in Security Forums and GitHub Issues]