I wonder if they were infected with something that was exploiting that CVE?
Edit: Here is another tinfoil theory: the windows security subsystems special cases inetpub to allow all executables. If the path doesn’t exist, attackers can drop binaries in there to bypass security/codesigning etc.
By creating it as SYSTEM, MS is ensuring that it can’t be written to without SYSTEM privs?
Edit: Here is another tinfoil theory: the windows security subsystems special cases inetpub to allow all executables. If the path doesn’t exist, attackers can drop binaries in there to bypass security/codesigning etc. By creating it as SYSTEM, MS is ensuring that it can’t be written to without SYSTEM privs?
Ya, I’d bet on something similar. According to the CVE, the vulnerability is around “Improper link resolution before file access”. My bet is that there is something hardcoded somewhere which assumes the existence of this folder. If it doesn’t exist, this can let the attacker get something in place which then gets executed with SYSTEM permissions, leading to privilege escalation. Not the worst thing in the world, for most users. But, it would be a problem in an enterprise environment where part of the security model is users not having local admin.
Or worse, (tinfoil hat on), they are planning on installing and abusing iis on everyone’s PC. Ad delivery?
I don’t see how this can be a security risk, I really want more details.
Cve: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204
Another possible explanation from Hanlon’s razor: MS is going all-in on vibe coding
Thats not better :(
it’s nothing ‘new’. i have encountered empty inetpub folders frequently, on systems with no business having it in the first place… for years now.
I wonder if they were infected with something that was exploiting that CVE?
Edit: Here is another tinfoil theory: the windows security subsystems special cases inetpub to allow all executables. If the path doesn’t exist, attackers can drop binaries in there to bypass security/codesigning etc. By creating it as SYSTEM, MS is ensuring that it can’t be written to without SYSTEM privs?
Ya, I’d bet on something similar. According to the CVE, the vulnerability is around “Improper link resolution before file access”. My bet is that there is something hardcoded somewhere which assumes the existence of this folder. If it doesn’t exist, this can let the attacker get something in place which then gets executed with SYSTEM permissions, leading to privilege escalation. Not the worst thing in the world, for most users. But, it would be a problem in an enterprise environment where part of the security model is users not having local admin.