Last April, Windows 11 users noticed that a new "inetpub" folder had appeared on their system drives (usually the C: drive), without warning or explanation. This empty folder was created as part of the Windows 11 24H2 (KB5055523) update, which caused a stir online. Initially, many thought it was a harmless bug and could be safely deleted. However, Microsoft later clarified that this folder was intentionally created and is part of a fix for a security vulnerability (CVE-2025-21204) in the Windows update stack.
While Microsoft's initial explanation calmed users, new findings by cybersecurity expert Kevin Beaumont paint the folder as a new threat. The "inetpub" folder is a default directory used by Microsoft's Internet Information Services (IIS), but it has also appeared on systems without IIS installed. According to Beaumont's research, this folder presents a "denial of service" (DoS) vulnerability that allows users with limited access to block Windows security updates.
The vulnerability, CVE-2025-21204, allows attackers to modify system files or folders with elevated permissions by abusing "symbolic links" (symlinks). While Microsoft's patch was intended to prevent this exploit, Beaumont revealed that a simple script creating a junction that points C:\inetpub to another file, such as notepad.exe, can cause Windows updates to fail or roll back. This could leave systems without future security patches, opening the door to serious attacks.
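Defenders can look for the condition Beaumont describes by checking whether C:\inetpub is a reparse point (junction or symlink) rather than an ordinary directory. The PowerShell below is an added example, not code from Microsoft or Beaumont; the function name `Test-InetpubIntegrity` and its verdict strings are hypothetical.

```powershell
# Added example: report whether inetpub is a normal directory or a link.
# Test-InetpubIntegrity and its verdict strings are hypothetical names.
function Test-InetpubIntegrity {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    $report = [ordered]@{
        Path           = $Path
        Exists         = $false
        IsReparsePoint = $false
        LinkType       = $null
        Target         = $null
        Owner          = $null
        Verdict        = $null
    }

    # -Force returns hidden/system items; Get-Item inspects the link itself,
    # not whatever it points to.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        $report.Verdict = 'MISSING: folder absent, so the CVE-2025-21204 protection is gone'
        return [pscustomobject]$report
    }

    $report.Exists         = $true
    $report.IsReparsePoint = $item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)
    $report.LinkType       = $item.LinkType            # 'Junction', 'SymbolicLink' or $null
    $report.Target         = $item.Target -join '; '   # string[] on 5.1, string on 7+

    # Owner lookup can fail when the link target is unusable; record that instead.
    try   { $report.Owner = (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner }
    catch { $report.Owner = "unreadable: $($_.Exception.Message)" }

    if ($report.IsReparsePoint) {
        $report.Verdict = 'SUSPECT: inetpub is a junction or symlink, not a real directory'
    } elseif (-not $item.PSIsContainer) {
        $report.Verdict = 'SUSPECT: inetpub exists but is not a directory'
    } else {
        $report.Verdict = 'OK: inetpub is an ordinary directory'
    }
    [pscustomobject]$report
}

Test-InetpubIntegrity | Format-List
```

Running this across a fleet and alerting on any verdict other than `OK` gives early notice of machines where updates may start failing or rolling back.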
These findings highlight the irony of Microsoft's security strategy. Although the "inetpub" folder was intended to fix a local issue, Beaumont's research suggests that it could open a door for external attackers to exploit. Beaumont reported the issue to Microsoft's Security Research Team (MSRC) two weeks ago, but has yet to receive an official response. Microsoft's past behavior, including its history of quietly patching similar issues, suggests that a fix may be coming soon.
Currently, there are no official guidelines for mitigating this vulnerability, but users are advised to exercise caution. The main recommendations are to always keep the system up to date, avoid downloading malicious software, and avoid deleting the "inetpub" folder. Deleting the folder may cause complications with future updates and will remove security protection against CVE-2025-21204.
Windows 11's "inetpub" folder has gone from a mystery to a potential security threat. The question now is how Microsoft will address this issue. For users, the best course of action is to remain cautious and wait for further clarification from the company.