Full Report
Microsoft has now confirmed that an April 2025 Windows security update is creating a new empty "inetpub" folder and warned users not to delete it. [...]
Analysis Summary
# Incident Report: Windows Update Stack Vulnerability Leading to System Folder Creation
## Executive Summary
This incident is not a traditional security breach but rather an unintended consequence of applying a Microsoft security update addressing a critical Windows Update Stack vulnerability ($\text{CVE-2025-21204}$). The update inadvertently creates a new, empty `C:\inetpub` folder on affected systems. Deleting this folder can cause subsequent cumulative updates to fail. Microsoft confirmed this behavior is intended to "increase protection" but provided limited details on its mechanism, warning administrators not to remove the directory.
## Incident Details
- **Discovery Date:** Around the time of the April cumulative updates deployment.
- **Incident Date:** Concurrent with the deployment of the security update addressing CVE-2025-21204.
- **Affected Organization:** All organizations deploying the Windows update addressing $\text{CVE-2025-21204}$ (Windows systems).
- **Sector:** Universal (Applies to all Windows-using sectors).
- **Geography:** Universal.
## Timeline of Events
### Initial Access
* **Date/Time:** Not applicable (This is an update deployment issue, not an external intrusion).
* **Vector:** Deployment of Microsoft's security update addressing $\text{CVE-2025-21204}$ (Windows Update Stack vulnerability).
* **Details:** The installation process related to fixing $\text{CVE-2025-21204}$ automatically created the `%systemdrive%\inetpub` folder.
### Lateral Movement
* Not applicable.
### Data Exfiltration/Impact
* **Impact:** Potential failure of subsequent cumulative updates if the newly created `inetpub` folder is deleted. The vulnerability addressed ($\text{CVE-2025-21204}$) involved improper link resolution ($\text{'link following'}$), which could allow local attackers to perform file management operations as `NT AUTHORITY\SYSTEM`.
### Detection & Response
* **How it was discovered:** Users and administrators observed the unexpected creation of the `C:\inetpub` folder post-update installation, and subsequent failures of new updates when the folder was manually removed.
* **Response actions taken:** Microsoft issued an advisory explicitly warning IT admins and end-users *not* to delete the newly created `%systemdrive%\inetpub` folder, stating it is part of changes that "increase protection."
## Attack Methodology
This section describes the vulnerability being patched, as the "incident" is the patch deployment behavior.
- **Initial Access:** Not applicable (Exploitation requires low-privileged local access).
- **Persistence:** Not applicable.
- **Privilege Escalation:** The vulnerability ($\text{CVE-2025-21204}$) allowed **low-privileged local attackers** to escalate permissions to the context of the `NT AUTHORITY\SYSTEM` account.
- **Defense Evasion:** Not applicable.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Successful exploitation allowed attackers to perform and/or manipulate file management operations on the victim machine as SYSTEM.
## Impact Assessment
- **Financial:** Unknown (Implied operational cost of investigating the folder creation and troubleshooting update failures).
- **Data Breach:** None directly caused by the folder creation, but the underlying vulnerability allows for potential SYSTEM-level file manipulation.
- **Operational:** Potential operational disruption due to cumulative updates failing if administrators mistakenly remove the required `inetpub` folder.
- **Reputational:** Minor disruption caused by unexpected file system alteration following a security patch.
## Indicators of Compromise
As this is a benign side effect of a patch, technical IOCs are not relevant for an active intrusion.
- **Network indicators:** None relevant.
- **File indicators:** The creation of an empty folder at `%systemdrive%\inetpub`.
- **Behavioral indicators:** None relevant outside of the update installation process.
## Response Actions
Since the issue originated from Microsoft remediation efforts, the primary actions were investigative and informational:
- **Containment measures:** None required for the directory creation itself.
- **Eradication steps:** None suggested; deletion is actively discouraged.
- **Recovery actions:** System administrators are advised to leave the folder intact to ensure future update fidelity.
## Lessons Learned
- Security fixes, especially those related to core system processes like the Update Stack, can introduce unexpected side effects in the file system that require immediate clarification.
- The mechanism by which the newly created folder aids in the protection against $\text{CVE-2025-21204}$ remains unclear, highlighting a gap in immediate post-deployment transparency regarding security control implementation.
## Recommendations
- **Prevention measures for similar incidents:** IT teams should review Microsoft advisories thoroughly after patch deployment, especially concerning unexpected file system changes, before implementing internal cleanup sweeps.
- **Future Patch Validation:** Prioritize testing cumulative updates in non-production environments to observe any unusual artifacts or unexpected system behavior before broad deployment.