Ddos 
Image: Kevin Beaumont
Previously, in an effort to patch security vulnerability (CVE-2025–21204) within the Windows operating system, Microsoft began creating an empty folder named inetpub in the system root directory. This directory, traditionally used by Microsoft Internet Information Services (IIS) to store website files, appeared without explanation—prompting many users to assume it was a bug and manually delete it.
However, Microsoft later clarified that this seemingly insignificant folder plays a critical role in the application of security updates. Deleting it disrupts the Windows Update mechanism, thereby preventing further security patches from being installed. Simply recreating the folder manually serves no purpose, as it requires specific permission settings and must be generated automatically by IIS.
The existence of the inetpub folder affects all currently supported versions of Windows, from Windows Server 2008 R2 to Windows 11. Any system that still receives updates must retain this folder with the correct permission structure. Otherwise, update installations may fail and automatically roll back.
Cybersecurity researcher Kevin Beaumont highlighted in a recent blog post that this mechanism—creating a specially permissioned empty folder—contains a critical flaw. Specifically, non-administrator users can exploit this setup without privilege escalation. By altering the folder’s permissions, they can effectively block the installation of future security updates.
Beaumont demonstrated this by using the command prompt to issue the instruction: mklink /j c:\inetpub c:\windows\system32\notepad.exe. This command attempts to create a junction link directing inetpub to the Notepad executable. Once permissions are altered, Windows Update fails to operate correctly.
Because the exploit does not require administrative privileges, malicious actors could easily trick corporate users into executing the command via phishing campaigns. Once executed, the targeted machines would no longer receive security updates—leaving them exposed to future vulnerabilities that attackers could later exploit.
While IT administrators who strictly adhere to security best practices may notice that Windows Update has stopped functioning, others might overlook the anomaly. This oversight could leave entire internal networks defenseless against emerging threats.
In retrospect, Microsoft’s patching method appears inelegant—possibly explaining why the company initially omitted any mention of the inetpub folder in update logs. Disclosing its function would have also equipped adversaries with the knowledge to exploit it.
Kevin Beaumont has reported the vulnerability to Microsoft, but two weeks have passed without acknowledgment. Given the potential security implications of such a crude workaround, Microsoft may eventually revise its update mechanism to eliminate the need for this folder altogether.
In the meantime, users are strongly advised not to delete or alter the inetpub folder or its permissions. If the folder has already been removed, it can be restored by enabling IIS.
Donate