A recent Windows Security update that creates an ‘Intupb’ folder has introduced a new weakness, allowing the attackers to stop the installation of future updates.
After installing this month’s Microsoft Patch Tuesday security update, Windows users suddenly found the “INTPUB” folder owned by the system account made in the route of the system drive, usually C: drive.
It was strange to see this folder made because it is usually used to keep the Microsoft’s Internet Information Service Web Server files, which were not installed on these devices.
One in an update Security advisorMicrosoft later confirmed that C: \ Intepub folder was part of a fix for a Windows process activation, the activation of privilege vulnerability was tracked as the CVE-2025-21204, the company did not warns to remove the folder.
“After installing an update listed in the security update table for your operating system, a new %Systemdrive %\ \ \ \ in your device will be made,” Confirmed Microsoft,
“This folder should not be deleted regardless of the internet information service (IIS) is active on the target device. This behavior is part of changes that increase security and do not require any action from IT appreciation and final users.”
However, cyber security expert Kevin Buumont has displayed that this folder can be abused to prevent further Windows updates from installing further Windows updates if it is made in a certain way.
Kevin Buumont said, “I have come to know that this fixed denying service vulnerability in the fixed Windows servicing stack, which allows non-opinion users to stop all future Windows security updates.”
In a new report, Says boom He can create a junction between Windows users, even without administrative privileges, C: \ Intepub and a Windows file, such as C: \ Windows \ System32 \ Notepad.exe using the following command.
mklink /j c:\inetpub c:\windows\system32\notepad.exe
A Windows Junction is a special type of folder that redeals access to another folder on the same or another drive, showing that the material is present in both places.
Asked why this junction is preventing the update from being installed, Beomont says that it is because the update expects a folder rather than a file.
“It basically works with any file, I think it’s because the servicing stack C: \ Intepub expects to be a directory – but Mklink allows you to create a junction in a file,” Beumont told Beumont.
As Microsoft DocumentationJunctions mean linking between folders instead of files. However, as you can see from the earlier image in the article, it is still possible to make one as shown in the image below.
Source: Bleepingcomputer
With this junction, if you try to install April Security Update, it will not install it correctly, giving a one. 0x800f081f Error CodeThis code is related to the error “cbs_e_source_missing”, which means that a package or file is not found.
Source: Bleepingcomputer:
Buomont says that he reported to Microsoft who has assigned it a “medium” severity classification and closed his case, saying that they would consider fixing it in future.
“After careful examination, the case is currently given status as a medium severity issue,” Microsoft emails Beom,
“It does not meet the MSRCs current bar for immediate servicing as the update fails to implement only when the ‘INTPUB’ folder is a junction for a file and is successful in removing and recovering the Intpub Symlink.”
Bleepingcomputer also contacted Microsoft about the bug on Wednesday, but has not received any response yet.
