Advisory

Windows "security related inetpub" creates a vulnerability blocking future security updates

Take action: It seems that Microsoft has decided to ship a dumb workaround in a security patch with the inetpub folder and then to assume only a "happy path" for users: that the inetpub folder "does not require any action from IT admins and end users". But they seem to forget that attackers will use this very same method to block compromised computers from getting new patches.


Learn More

One of Microsoft's latest security patches, the fix for CVE-2025-21204, created a new security issue. The April 2025 security update creates an 'inetpub' folder in the root of the system drive (typically C:) as part of the fix. This folder, which is owned by the SYSTEM account, is normally associated with Microsoft's Internet Information Services (IIS) web server. The patch creates the folder even when IIS is not installed on the affected device.

Microsoft has confirmed that this C:\inetpub folder is an intentional part of the security fix and warned users not to delete it regardless of whether Internet Information Services is active on the device. According to Microsoft's advisory, "This behavior is part of changes that increase protection and does not require any action from IT admins and end users."

Cybersecurity expert Kevin Beaumont has discovered that this folder can be abused to prevent future Windows updates from being installed. Beaumont reports that Windows users, even those without administrative privileges, can create a junction (a special type of folder redirection) between C:\inetpub and a Windows file, such as notepad.exe, using a simple command:

mklink /j c:\inetpub c:\windows\system32\notepad.exe

This junction causes future Windows security updates to fail to install with a 0x800F081F error code (CBS_E_SOURCE_MISSING), effectively preventing critical security patches from being applied. Beaumont explains that the issue likely occurs because "the servicing stack expects c:\inetpub to be a directory," but the junction makes it point to a file instead.

Beaumont reported this vulnerability to Microsoft approximately two weeks ago. Microsoft has classified it as a "Medium" severity issue and informed Beaumont they will consider fixing it in the future. According to Microsoft's response: "It does not meet MSRC's current bar for immediate servicing as the update fails to apply only if the 'inetpub' folder is a junction to a file and succeeds upon deleting the inetpub symlink and retrying."
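For defenders, the condition described above can be audited per host. The following PowerShell check is an added example, not code from Microsoft or from Beaumont: it reports whether the inetpub folder at the system drive root is a real directory, a reparse point (junction or symlink), and whether it is owned by SYSTEM as the advisory says it should be. The function name Test-InetpubFolder and the status strings are hypothetical.

```powershell
# Added example: audit the inetpub folder created by the April 2025 update.
function Test-InetpubFolder {
    [CmdletBinding()]
    param(
        # Assumption: folder sits at the root of the system drive, as the advisory describes.
        [string]$Path = "$env:SystemDrive\inetpub"
    )

    $result = [ordered]@{
        Path = $Path; Exists = $false; IsDirectory = $false
        IsReparsePoint = $false; LinkType = $null; Target = $null
        OwnerSid = $null; Status = 'Missing'
    }

    # Get-Item returns the link object itself, not the item it points to.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [pscustomobject]$result }

    $result.Exists         = $true
    $result.IsDirectory    = [bool]($item.Attributes -band [IO.FileAttributes]::Directory)
    $result.IsReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    $result.LinkType       = $item.LinkType          # 'Junction', 'SymbolicLink' or empty
    $result.Target         = $item.Target -join ';'

    # Compare the owner by SID (S-1-5-18 = Local System) so the check is locale independent.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $result.OwnerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $result.OwnerSid = "unreadable: $($_.Exception.Message)"
    }

    # A reparse point here is the update-blocking condition described in the advisory.
    if     ($result.IsReparsePoint)           { $result.Status = 'Suspicious: reparse point' }
    elseif (-not $result.IsDirectory)         { $result.Status = 'Suspicious: not a directory' }
    elseif ($result.OwnerSid -ne 'S-1-5-18')  { $result.Status = 'Review: owner is not SYSTEM' }
    else                                      { $result.Status = 'OK' }

    [pscustomobject]$result
}

Test-InetpubFolder | Format-List
```

A "Suspicious" status on a machine where updates fail with 0x800F081F matches the condition described above; per Microsoft's response quoted above, the update succeeds once the junction is deleted and the update is retried.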
