Windows News
Understanding the Inetpub Folder Vulnerability in Windows 11
In April 2025, Microsoft released an important cumulative update for Windows 11 (notably KB5055523) that introduced a seemingly innocuous but critical system folder named INLINECODE0 at the root of the system drive (typically C:\inetpub). This folder, traditionally tied to Microsoft's Internet Information Services (IIS) web server, now appears on almost all Windows 11 machines, even those without IIS installed or enabled.
The Purpose Behind the Inetpub Folder Creation
The creation of the INLINECODE1 folder was part of a security patch addressing a serious vulnerability tracked as CVE-2025-21204. This vulnerability centers around how Windows handles symbolic links (symlinks or junction points) during the Windows Update servicing stack process. Symbolic links are filesystem objects that reference other files or directories.
Attackers with local access could exploit improper symlink handling to misdirect the update stack to unauthorized locations, potentially tampering with system files or elevating privileges without admin rights. Microsoft’s strategy was to introduce the INLINECODE2 folder as a controlled and secured container with strict permissions. This acts as a hardened "safe zone" where the servicing stack safely stages files during update installation, defending against malicious redirection through symbolic links.
The Unexpected Security Risk
Ironically, while this folder was intended to enhance system security, it exposed an unforeseen vulnerability:
- Any user with non-administrative privileges can delete or replace the INLINECODE3 folder with a directory junction (a type of symbolic link) pointing to another location or file.
- For example, attackers could run the command:
mklink /J C:\inetpub C:\Windows\System32\notepad.exe
```
Recommended Permission Settings:Only SYSTEM and NT SERVICE\TrustedInstaller have Full Control; all other users are denied write/delete rights.