Critical Warning: Do Not Delete the New Inetpub Folder on Windows
TL;DR
- Microsoft’s April 2025 Patch Tuesday update introduces a new inetpub folder to address CVE-2025-21204.
- Deleting this folder can compromise your system’s security.
- The folder protects against privilege escalation vulnerabilities and should be left intact.
Introduction
In the latest April 2025 Patch Tuesday update, Microsoft has introduced a critical security measure that users must be aware of. The update creates a new inetpub folder on Windows devices to mitigate the vulnerability CVE-2025-21204. This article explains why this folder is essential and why users should not delete it [1].
Understanding the April 2025 Patch Tuesday Update
As part of the April 2025 Patch Tuesday updates, Microsoft released a patch to address a “link following flaw” in the Windows Update Stack. This patch creates a new folder located at %systemdrive%\inetpub on the device [1].
User Concerns and Clarifications
Users who noticed the new folder have expressed concerns about its origin and purpose. Since the inetpub folder is generally associated with Internet Information Services (IIS), a feature that most users do not utilize, its appearance has led to questions and confusion.
Internet Information Services (IIS) is a web server platform developed by Microsoft to host websites, web applications, and services on Windows systems. Although IIS is not installed by default, it can be enabled through the Windows Features dialog [1].
Microsoft’s Official Statement
Microsoft has clarified the purpose of the new inetpub folder in their update notes:
“This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.” [1]
Vulnerability Details: CVE-2025-21204
CVE-2025-21204 is a vulnerability that, if successfully exploited, allows an authenticated attacker to elevate privileges locally. According to Microsoft:
“An authenticated attacker who successfully exploits this vulnerability gains the ability to perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\SYSTEM account.” [2]
The “link following flaw” occurs when the product attempts to access a file based on its filename but fails to prevent the filename from identifying a link or shortcut that resolves to an unintended resource [1].
Mitigation Measures
Denying access to a file can prevent an attacker from replacing it with a link to a malicious file, which mitigates this vulnerability. This is achieved by assigning appropriate file or folder permissions. When setting permissions for a folder, users can specify which actions are allowed, for example limiting access to “Read-only,” which permits opening and reading files but not adding or editing them [1].
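The following PowerShell function is an added example, not code from Microsoft or from this article. It audits the folder without changing it: it confirms that %systemdrive%\inetpub exists, that it is a real directory rather than a link, and lists any principal outside a trusted set that holds write-type rights. The function name `Test-InetpubFolder` and the trusted set (SYSTEM, Administrators, TrustedInstaller) are assumptions to adjust for your environment.

```powershell
# Added example (not Microsoft's tooling): read-only audit of the inetpub folder.
function Test-InetpubFolder {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # A junction or symlink at this path means the name resolves somewhere else,
    # which is the condition a link-following flaw depends on.
    $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

    # Assumption: only these principals are expected to hold write-type rights.
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int]$rights -bor 0x10000000 -bor 0x40000000  # plus GENERIC_ALL, GENERIC_WRITE

    $acl = Get-Acl -LiteralPath $Path
    $writers = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$rule.FileSystemRights -band $mask)) { continue }
        # Compare by SID so the check does not depend on the display language.
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $rule.IdentityReference.Value }
        if ($trusted -notcontains $sid) { "$($rule.IdentityReference) ($($rule.FileSystemRights))" }
    }

    [pscustomobject]@{
        Path = $Path; Exists = $true; IsReparsePoint = $isLink
        LinkTarget = $item.Target; Owner = $acl.Owner
        UnexpectedWriters = @($writers)
    }
}

Test-InetpubFolder | Format-List
```

A result with `Exists` false, `IsReparsePoint` true, or a non-empty `UnexpectedWriters` list is worth investigating before the next update cycle.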
Conclusion
In summary, the new inetpub folder is a critical security measure introduced by Microsoft to protect against the CVE-2025-21204 vulnerability. Users should not delete this folder, as it plays a crucial role in enhancing system security.
References
1. Threatdown (2025). “April’s patch Tuesday”. Threatdown. Retrieved 2025-04-14.
2. Mitre (2025). “CVE-2025-21204”. Mitre. Retrieved 2025-04-14.