Windows "inetpub" Security Fix Exploited to Block Future Updates: Technical Analysis

A recent Windows security update designed to mitigate a privilege escalation vulnerability has inadvertently introduced a new attack vector that allows adversaries to block future system updates. The issue stems from the creation of the C:\inetpub folder as part of Microsoft’s patch for CVE-2025-21204, which can be exploited through junction point manipulation to disrupt Windows Update functionality¹.

Executive Summary for Security Leadership

Microsoft’s April 2025 security update (KB5055523) addressed CVE-2025-21204, a symlink-based privilege escalation vulnerability. The fix involved creating C:\inetpub to prevent symlink attacks, but this implementation can be weaponized. Attackers can create a junction point redirecting inetpub to critical system files, causing Windows Update to fail with error 0x800F081F². Notably, this attack requires no administrative privileges and can be performed by standard users or malware.

Vulnerability Chain: Original symlink flaw (CVE-2025-21204) → Microsoft’s inetpub fix → New junction point exploit
Impact: Permanent update blockage until OS reinstallation, rated Medium severity by Microsoft
Exploitation: Simple command execution (mklink /j c:\inetpub c:\windows\system32\notepad.exe)
Current Status: No patch timeline from Microsoft as of 2025-04-26

Technical Mechanism

The security update creates C:\inetpub as a mitigation against symlink attacks targeting IIS directories. However, researchers including Kevin Beaumont discovered that creating a junction point from this folder to any critical system file (e.g., notepad.exe) causes Windows Update to fail during integrity checks³. The junction persists across reboots and remains effective until the operating system is reinstalled.

Testing confirms the attack works reliably across Windows 10 and 11 systems with the April 2025 update installed. The vulnerability is particularly concerning for enterprise environments where non-admin users could execute this attack, either manually or through malware payloads. Microsoft’s lack of immediate response suggests organizations need to implement workarounds⁴.

Detection and Mitigation

Organizations should immediately audit systems for unexpected junction points targeting C:\inetpub. The following PowerShell command can identify malicious junctions:

Get-ChildItem C:\inetpub -Force | Where-Object { $_.Attributes -match "ReparsePoint" }

For affected systems, Microsoft recommends enabling IIS through “Turn Windows Features On/Off” to properly recreate the folder structure. Alternatively, reinstalling KB5055523 may restore the original configuration. Enterprise environments should consider restricting standard users’ ability to create junction points in the root directory⁵.

Security Implications

This vulnerability represents a significant failure in Microsoft’s patch development process, where a security fix introduced new attack surface. The Register notes this marks at least the third instance in 2025 where a Windows security update created additional vulnerabilities⁶. The ease of exploitation combined with the persistent nature of the attack makes this particularly dangerous for organizations with strict patch management requirements.

Security teams should monitor for failed update attempts and investigate systems displaying error 0x800F081F. While Microsoft has classified this as Medium severity, the potential for malware to leverage this technique to maintain persistence on unpatched systems elevates the practical risk.

Conclusion

The inetpub update blocking vulnerability demonstrates how defensive measures can sometimes create new attack vectors. Organizations should implement detection mechanisms for junction point abuse and consider temporary workarounds until Microsoft provides a permanent solution. This incident underscores the importance of thorough security update testing and the need for defense-in-depth strategies that don’t rely solely on patch management systems.