Earlier this month, customers found a quite mysterious “inetpub” folder. In addition they seen that nothing dangerous actually occurred in the event that they deleted it, not less than not apparently. Nevertheless, when requested about it, Microsoft cautioned not to take action.

The corporate defined that the folder was mechanically created as a byproduct of the current symlink escalation of privilege flaw it patched with the April 2025 Patch Tuesday updates (Home windows 11 / Home windows 10). The safety vulnerability is tracked beneath CVE-2025-21204.

Symlinks or symbolic hyperlinks, additionally known as smooth hyperlinks, are a kind of hyperlink file that acts as tips that could different information or directories. Therefore, a symlink carries a filesystem path to a corresponding goal file or listing. Nevertheless, they’re additionally weak to exploitation from risk actors as they don’t require elevated privileges.

And, there may be new bother with this seemingly innocent new folder inetpub. Whereas Microsoft rightly patched the difficulty, safety researcher Kevin Beaumont found that the newly launched inetpub folder can let non-administrators completely block Home windows updates by creating one other new symlink.

He explains utilizing the instance of how “mklink/j” command can be utilized to create a listing junction:

Microsoft lately patched CVE-2025–21204, a vuln which permits customers to abuse symlinks to raise privileges utilizing the Home windows servicing stack and the c:inetpub folder.

To repair this, Microsoft precreates the c:inetpub folder on all Home windows methods from April 2025’s Home windows OS updates onwards.

Nevertheless, I’ve found this repair introduces a denial of service vulnerability within the Home windows servicing stack that permits non-admin customers to cease all future Home windows safety updates.

…

So a non-admin consumer can simply do Home windows+R, cmd, after which run:

mklink /j c:inetpub c:windowssystem32notepad.exe

This creates a symlink between c:inetpub and notepad. After that time, April 2025 Home windows OS replace (and future updates, until Microsoft repair it) fail to ever set up — they error out and/or roll again. So that you simply go with out safety updates.

Beaumont provides that he reached out to the MSRC (Microsoft Safety Analysis Middle) group however has not heard again about it. The corporate will most certainly concentrate on the newly launched flaw, although, and can possible launch a subsequent patch for it. We are going to replace when that occurs.