Microsoft Patch Attempt Backfires, Creates New Windows Vulnerability

In an unexpected turn of events, a recent Microsoft Windows Update intended to patch a security hole appears to have inadvertently created a new one. The update, designed to fix a vulnerability that could allow attackers to gain higher privileges on a system, is reportedly creating the folder “inetpub” on the system drive and, in doing so, opening up a fresh security concern.

This discovery comes courtesy of a respected IT security researcher, highlighting how complex patching operating systems can be.

The Glitch Uncovered

The findings were shared in detail via a blog post by Kevin Beaumont, an IT security specialist known for uncovering system quirks and vulnerabilities. The Microsoft patch in question was released during the April “patch day” and targeted a vulnerability tracked under the identifier CVE-2025-2104. This specific flaw related to how the system handles links, often referred to as “link following,” which attackers could potentially misuse.

However, instead of solely closing the loop on the original issue, the update’s side effect of creating the “inetpub” folder seems to have introduced instability.

A Deep Dive into Technical Troubles

The core of the new problem appears linked to a long-standing Windows feature: directory junctions. These have been a part of Windows since version 2000 and function like advanced shortcuts, allowing one directory to act as an alias for another. For example, a junction might make D:\Win point to C:\Winnt\System32. Accessing a subfolder like D:\Win\Drivers would then redirect to C:\Winnt\System32\Drivers.

Beaumont points out a crucial detail: even users without full administrator rights can create these directory junctions on the main C: drive.

How the Update Process Gets Stuck

Using a simple command like mklink /j c:\inetpub c:\windows\system32\notepad.exe, a user (even a non-admin) can create a junction that links the expected location of the “inetpub” folder to something else entirely, like the notepad.exe file.

When the April Windows Update (or potentially future updates, according to Beaumont) tries to install, it encounters this unexpected junction at the c:\inetpub path. This confusion causes the installation process to fail, often triggering a rollback of the update. The result? The necessary security patches aren’t applied, leaving the system vulnerable to the original flaws the update was meant to fix, as well as other issues.

This situation is particularly concerning as malicious actors could potentially exploit this behavior to prevent critical security updates from being installed on targeted systems, leaving them exposed.

Beaumont mentioned reaching out to Microsoft about his findings over two weeks prior to going public but had not yet received a response.

Last week, reports surfaced about the “C:\inetpub” folder appearing unexpectedly on Windows systems where the Microsoft web server software, Internet Information Services (IIS), was not even installed or active. Microsoft issued a statement regarding this specific folder’s appearance, advising users not to delete it, stating: “This folder should not be deleted, regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of any changes that increase protection, and does not require action from IT administrators and end users.” While this explains the folder’s presence, it doesn’t fully address the directory junction vulnerability Beaumont highlighted that prevents updates.