Windows “inetpub” security fix can be abused to block future updates


A recent Windows security update that creates an ‘inetpub’ folder has introduced a new weakness allowing attackers to prevent the installation of future updates.

After people installed this month’s Microsoft Patch Tuesday security updates, Windows users suddenly found an “inetpub” folder owned by the SYSTEM account created in the root of the system drive, normally the C: drive.

It was strange to see this folder created, as it is normally used to hold files related to Microsoft’s Internet Information Services web server, which was not installed on these devices.

In an update to a security advisory, Microsoft later confirmed that the C:\inetpub folder was part of a fix for a Windows Process Activation elevation of privilege vulnerability tracked as CVE-2025-21204, with the company warning not to delete the folder.

“After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device,” confirmed Microsoft.

“This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that enhance security and does not require any action from IT admins and end users.”

However, cybersecurity expert Kevin Beaumont has demonstrated that this folder can be abused to prevent further Windows updates from being installed if it is created in a certain way.

“I’ve found this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates,” says Kevin Beaumont.

In a new report, Beaumont says that Windows users, even those without administrative privileges, can create a junction between C:\inetpub and a Windows file, like C:\windows\system32\notepad.exe, using the following command.

mklink /j c:\inetpub c:\windows\system32\notepad.exe

A Windows junction is a special type of folder that redirects access to another folder on the same or another drive, making it appear as if the content exists in both locations.

When asked why this junction prevents the update from being installed, Beaumont says he believes it is because the update expects a folder rather than a file.

“It works with basically any file, I think it’s because the servicing stack expects c:\inetpub to be a directory – but mklink allows you to make a junction to a file,” Beaumont told BleepingComputer.

According to Microsoft’s documentation, junctions are meant to be links between folders rather than between files. However, as you can see earlier in the article, it is still possible to create one, as shown in the image below.

C:\inetpub junction pointing to C:\Windows\system32\notepad.exe
Source: BleepingComputer

With this junction created, if you attempt to install the April security update, it will not install correctly, giving a 0x800F081F error code. This code is related to the error “CBS_E_SOURCE_MISSING,” which means a package or file was not found.

Windows 0x800F081F error after creating junction
Source: BleepingComputer

Beaumont says he reported the bug to Microsoft, which assigned it a “Medium” severity classification and closed his case, stating they will consider fixing it in the future.

“After careful investigation, this case is currently rated as a Moderate severity issue,” Microsoft emailed Beaumont.

“It does not meet MSRC’s current bar for immediate servicing as the update fails to apply only if the ‘inetpub’ folder is a junction to a file and succeeds upon deleting the inetpub symlink and retrying.”

BleepingComputer also contacted Microsoft about this bug on Wednesday but has not received a response yet.
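
The condition described above, inetpub existing as a junction rather than as a real SYSTEM-owned folder, can be checked for on a device before or after a failed update. The following PowerShell is an added example, not code from the article, Beaumont, or Microsoft; the function name Test-InetpubFolder and its Status values are hypothetical.

```powershell
# Added example: report whether <systemdrive>\inetpub is an ordinary folder.
# Test-InetpubFolder and the Status strings are hypothetical names.
function Test-InetpubFolder {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    $result = [ordered]@{
        Path = $Path; Status = 'Missing'; LinkType = $null; Target = $null; OwnerSid = $null
    }

    # -Force returns the item even if hidden or system attributes are set.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]$result }

    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        # Junctions and symlinks are reparse points; record where they lead.
        $result.LinkType = $item.LinkType
        $result.Target   = $item.Target | Select-Object -First 1
        $toFile = $result.Target -and
                  (Test-Path -LiteralPath $result.Target -PathType Leaf)
        # A junction whose target is a file is the case the article describes.
        $result.Status = if ($toFile) { 'JunctionToFile' } else { 'ReparsePoint' }
    }
    elseif (-not $item.PSIsContainer) {
        $result.Status = 'NotADirectory'
    }
    else {
        # The article says the update-created folder is owned by SYSTEM (S-1-5-18).
        try {
            $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
            $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            $result.OwnerSid = $sid.Value
            $result.Status = if ($sid.Value -eq 'S-1-5-18') { 'OK' } else { 'UnexpectedOwner' }
        }
        catch {
            $result.Status = 'OwnerUnreadable'
        }
    }
    return [pscustomobject]$result
}

Test-InetpubFolder | Format-List
```

A Status of JunctionToFile or ReparsePoint on a device reporting 0x800F081F matches the failure described in the article; the function only reports and does not modify the folder.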
