Introduction

The recent April 2025 cumulative update for Windows 11 (including KB5055523) has introduced a peculiar new system folder named "inetpub" on the root of the system drive (usually the C: drive). The sudden appearance of this traditionally IIS-associated folder on virtually all Windows 11 systems, including those without Internet Information Services (IIS) enabled, has generated intrigue, confusion, and concern among users and system administrators alike.

This article unpacks the background, purpose, and impact of the inetpub folder in Windows 11, explores its critical role in mitigating a significant vulnerability (CVE-2025-21204), and discusses the paradoxical security implications arising from its presence.

What is the "inetpub" Folder?

Historically, inetpub is the default directory for Microsoft's IIS web server. It contains web server content such as HTML files, logs, scripts, and related resources. Under normal circumstances, this folder is created only on machines where IIS is installed and running.

However, beginning with the Windows 11 April 2025 update, Microsoft mandated the creation of an empty inetpub folder on all Windows 11 systems, irrespective of IIS installation or usage. This folder is owned by SYSTEM and TrustedInstaller accounts with strict permissions that prevent unauthorized user modifications.

Despite being empty, the inetpub folder now serves a vital security purpose beyond its original web hosting association.

Background: The Security Vulnerability CVE-2025-21204

The root cause behind this unexpected folder creation is a critical security flaw—tracked as CVE-2025-21204—in the Windows Update servicing stack. This vulnerability involves improper handling of symbolic links (or symlinks) during file operations.

Symbolic links are special filesystem objects that act as pointers or shortcuts to other files or directories. Maliciously crafted symlinks by an attacker with local access could redirect Windows Update processes to unauthorized files or folders, allowing:

  • Unauthorized file modifications
  • Privilege escalation
  • Tampering with critical system files

In particular, the servicing stack which runs with SYSTEM privileges trusted certain directories like inetpub but failed to robustly verify the nature or ownership of these directories, exposing the system to exploitation via manipulated symlinks or directory junctions.

The Role of the Inetpub Folder in Mitigation

Microsoft's inventive response was to create a hardened, empty inetpub folder with carefully controlled file system permissions. This folder acts as a security container or "safe zone" where Windows Update can safely stage files during update installations.

Key features of this mitigation include:

  • System-owned: Owned exclusively by SYSTEM and TrustedInstaller accounts.
  • Restricted access: Most users lack modification rights, blocking unauthorized changes.
  • Empty and minimal footprint: The folder occupies negligible disk space, containing no active files.
  • Acts as a controlled anchor point: Prevents Windows servicing stack from following malicious symlinks or junctions.

This approach effectively raises the bar against symbolic link exploitation by establishing a trusted environment that the servicing stack operates within, reducing risk from symlink redirection attacks.

The Vulnerability Introduced by Inetpub Itself

Ironically, security researcher Kevin Beaumont discovered a new attack vector involving the same inetpub folder. ANY local user—even without administrative privileges—can:

  1. Delete the legitimate inetpub folder.
  2. Create a directory junction (symlink) at INLINECODE0 pointing to any arbitrary file or directory (e.g., Notepad.exe).

Example command:

CODEBLOCK0

Because the servicing stack blindly trusts `INLINECODE1 ` and does not verify if it is a reparse point or directory junction, this redirection causes Windows Update to malfunction—failing or rolling back updates, resulting in a denial-of-service (DoS) condition against updates.

The exploit does not elevate privileges but can prevent critical updates, exposing the system to other known vulnerabilities by denying patches.

Implications and Recommended Best Practices

For Users and Administrators:

  • Do NOT delete the inetpub folder. Removing it disables the protective mechanism implemented by the April 2025 update and re-exposes systems to CVE-2025-21204.
  • If deleted accidentally, restore the folder by enabling IIS temporarily via "Turn Windows features on or off," which recreates the folder automatically; after which IIS can be disabled if unnecessary.
  • Implement permission hardening on the inetpub folder to restrict creation of directory junctions by non-admin users, mitigating the new exploitation vector until Microsoft patches this loophole.

For Microsoft:

  • An urgent patch is needed to fix servicing stack checks for symbolic links, ownership, and reparse points to fully eliminate this loophole.
  • Continued communication to users about the folder’s importance helps reduce inadvertent deletions and related issues.

Conclusion

The mysterious inetpub folder appearing on Windows 11 in April 2025 is far from a simple artifact—it embodies a sophisticated defense-in-depth measure against a critical symbolic link exploitation vulnerability, CVE-2025-21204.

Though it introduces a novel attack surface through symbolic link redirection, its creation exemplifies the complexity and trade-offs in modern OS security.

Users should preserve this folder and apply recommended permissions restrictions. Administrators and users alike must stay vigilant, understanding that even empty system folders can be linchpins in the ongoing battle for operating system integrity and security.

Maintaining awareness and adherence to Microsoft guidance will help uphold robust security as Windows evolves in a constantly shifting threat landscape.