Full Report
Microsoft has released a PowerShell script to help restore an empty 'inetpub' folder created by the April 2025 Windows security updates if deleted. As Microsoft previously warned, this folder helps mitigate a high-severity Windows Process Activation privilege escalation vulnerability. [...]
Analysis Summary
# Vulnerability: Potential Privilege Escalation via Symbolic Link Abuse in Newly Created $Inetpub Folder
## CVE Details
- CVE ID: CVE-2025-21204
- CVSS Score: not specified in the source (the source describes the vulnerability as high-severity)
- CWE: CWE-59 (Improper Link Resolution Before File Access ('Link Following'); inferred from the technical detail, not stated in the source)
## Affected Systems
- Products: Microsoft Windows (systems where a recent security fix was applied creating the `%systemdrive%\inetpub` folder)
- Versions: not specified in the source; systems that received the April 2025 security updates that create the folder, and unpatched systems on which the link-following behavior is still present.
- Configurations: any configuration to which a local, low-privileged user has access; the folder is created even when IIS is not installed or active.
## Vulnerability Description
This vulnerability concerns the `%systemdrive%\inetpub` folder, which the security update for CVE-2025-21204 creates even when IIS is not active. On devices without the fix, Windows Update or other OS components may follow a junction or symbolic link placed at or under this path, so a local, low-privileged attacker who can create such a link pointing at a critical system location can make those components modify unintended files or folders. Successful exploitation lets the attacker perform file management operations in the context of the `NT AUTHORITY\SYSTEM` account, which is a privilege escalation.
Separately, non-admin users have been shown to abuse the folder by making `C:\inetpub` (or a junction within it) point at critical Windows Update files, which blocks future updates.
## Exploitation
- Status: PoC available (Demonstrated by Kevin Beaumont for update blocking; **Privilege escalation PoC status is not explicitly stated but implied**)
- Complexity: Low (Requires local access for initial manipulation)
- Attack Vector: Local
## Impact
- Confidentiality: High (Successful SYSTEM context file manipulation could lead to access to sensitive data)
- Integrity: High (Ability to modify critical system files/configurations as SYSTEM)
- Availability: High (Can be abused to block Windows Updates, leading to future system degradation or continued exposure to other vulnerabilities)
## Remediation
### Patches
- Microsoft issued an updated advisory for **CVE-2025-21204** warning users *not* to delete the `%systemdrive%\inetpub` folder.
- The advisory implies that the protective configuration is part of the existing security fix; what was added is a warning not to delete the folder, not a new patch. Whether the link-following behavior is fully addressed by the current fix is not stated; if the only change is the warning, the underlying behavior may persist until further remediation is applied. **Note: no specific patch version is listed, only the configuration warning.**
### Workarounds
- **Do not delete the empty `%systemdrive%\inetpub` folder.** Microsoft explicitly states this folder should not be deleted even if IIS is not active, as its presence is part of the increased protection measures.
- Administrators who want to prevent update blocking should verify that `C:\inetpub` is a real directory and that no junction or symbolic link under it points at critical Windows files.
## Detection
- **Indicators of Compromise:**
  - Unauthorized creation of symbolic links or junctions pointing towards core Windows directories originating from the `%systemdrive%\inetpub` path.
  - Windows Updates failing or being blocked on systems immediately after deployment of the related security fix.
- **Detection methods and tools:**
  - File system auditing tools configured to monitor creations/modifications within `%systemdrive%\inetpub`.
  - PowerShell/Sysmon tooling looking for the creation of junctions (`mklink /J`), directory symbolic links, or hard links pointing to system paths.
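A defender-side check for the indicators listed above, added here as an example (it is not the article's content and not Microsoft's restore script): it verifies that the mitigation folder exists, flags it if the folder itself is a junction or symbolic link, and lists reparse points beneath it whose targets fall under the Windows directory. It assumes Windows PowerShell 5.1 or later on the local machine, run from an elevated prompt so every subfolder is readable.

```powershell
# Added example: audit %systemdrive%\inetpub for the junction/symlink abuse
# described in the advisory. Assumes Windows PowerShell 5.1+ (LinkType and
# Target properties on FileSystemInfo objects).
$inetpub = Join-Path $env:SystemDrive 'inetpub'

if (-not (Test-Path -LiteralPath $inetpub)) {
    Write-Warning "$inetpub is missing; the mitigation folder has been deleted."
    return
}

# Is the folder itself a reparse point (junction or symbolic link)?
$root = Get-Item -LiteralPath $inetpub -Force
$rootIsLink = ($root.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
if ($rootIsLink) {
    Write-Warning ("{0} is itself a {1} pointing to: {2}" -f `
        $inetpub, $root.LinkType, (@($root.Target) -join ', '))
}

# Enumerate every reparse point under the folder. -Attributes filters on the
# NTFS flag directly; -Force includes hidden and system entries.
$links = Get-ChildItem -LiteralPath $inetpub -Recurse -Force `
    -Attributes ReparsePoint -ErrorAction SilentlyContinue

# Targets under the Windows directory are the ones worth investigating.
$windir = $env:SystemRoot
foreach ($link in $links) {
    $targets = @($link.Target)   # string[] on 5.1, string on newer versions
    $hits = $targets | Where-Object {
        $_ -and $_.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        Path       = $link.FullName
        LinkType   = $link.LinkType
        Target     = ($targets -join ', ')
        Suspicious = [bool]$hits
    }
}
```

Any row with `Suspicious = True`, or a warning that the root folder is a link, is a finding to investigate; an empty folder that is a plain directory is the expected state.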
## References
- Vendor Advisory: Microsoft advisory for CVE-2025-21204
- Proof of concept/Discussion (Update Blocking): bleepingcomputer.com/news/microsoft/windows-inetpub-security-fix-can-be-abused-to-block-future-updates/
- Verification/Context: bleepingcomputer.com/news/security/microsoft-windows-inetpub-folder-created-by-security-fix-dont-delete/