Threat Bulletin

SMBv1 Systems on Life Support after Deploying KB5065426

Alert essentials:

September update KB5065426 for Windows 11 24H2 is breaking file sharing and authentication in some networks. Delay deployment until thorough testing can be completed.

Detailed threat description:

Malicious actors have been targeting networks through compromised Cisco WebVPN sessions since late 2023. ArcaneDoor was a cyber-espionage campaign that primarily targeted Cisco ASA firewalls in critical infrastructure environments from late 2023 to early 2024.

Cisco Talos and PSIRT investigated and identified a previously unknown state-sponsored actor that had developed malware for Cisco ASA. Cisco acknowledged that attackers were exploiting these vulnerabilities in the wild to gain control of ASA 5500-X series appliances and released patches in April 2024.

Today, a new wave of attacks against Cisco ASA and Firepower devices is underway, and the campaign is traced to the same threat actor, UAT4356 or STORM-1849. The attackers are leveraging at least two new zero-day vulnerabilities in Cisco ASA software.

CVE-2025-20333 allows remote code execution as root, albeit requiring valid VPN credentials to trigger in some cases. CVE-2025-20362 could be used to bypass authentication and access restricted URLs on the ASA. When chained together, these flaws allow an unauthenticated, remote takeover of vulnerable ASA devices, permitting a threat actor to pivot directly into an organization, reroute or modify traffic, and monitor network communications.

Additionally, two new malware families used in the latest campaign mark a significant evolution in the threat actor's sophistication and stealth. “RayInitiator” is a persistent bootkit integrated with the device’s bootloader firmware. The bootkit survives reboots and even ASA software upgrades. “LINE VIPER” is a user-mode payload that slithers into the ASA operating system at runtime.

As in 2024, the 2025 campaign has primarily struck government agencies and critical infrastructure to date. CISA describes the campaign as widespread, resulting in remote code execution and the manipulation of read-only memory that persists through reboots and system upgrades. While CISA’s emergency directive only applies to federal agencies, the private sector often follows these urgent warnings closely.

Organizations should follow CISA’s step-by-step Core Dump and Hunt Instructions, Parts 1-3. If the result is “Compromise Detected,” federal agencies are required to immediately disconnect the device from their network (without powering it off), report the incident to CISA via the Malware Next Gen portal, and collaborate with CISA on incident response and remediation actions.

If the result is “No Compromise Detected” on ASA hardware models with an end-of-support date on or before September 30, 2025, permanently disconnect these devices. These legacy platforms/releases cannot meet current vendor support and update requirements.

Cumulative Update KB5065426 was released for Windows 11 24H2 as part of Microsoft’s September Patch Tuesday fixes. The update contains fixes for the buggy August release, KB5064081, plus a few surprises.

The update fixes an issue that caused non-administrators to receive User Account Control (UAC) prompts. It also adds auditing for the SMB client so administrators can identify incompatible devices in the environment before enforcing the hardening measures that the SMB server already supports (CVE-2025-55234).

The patch corrects an issue that causes apps to stop responding, a situation where IIS modules disappear from IIS Manager, and an audio stutter introduced by KB5063878.

Yet reports are surfacing of unexpected behavior on Windows 11 24H2 devices after installing KB5065426. Network profiles switch from Private to Public, which turns off file and print sharing across the network. Shared folders become inaccessible even with the correct credentials.

SMBv1/NetBIOS shares become unreachable, affecting legacy NAS devices, embedded printers, and production environments that rely on shared folders. Authentication fails in networks hosting many imaged machines with identical or near-identical SIDs. Repeated credential prompts appear when connecting to known shares, even when the credentials are correct.

Additionally, it is worth noting that two programs that were part of the operating system are uninstalled when KB5065426 is pushed out. PowerShell 2.0 and Windows Management Instrumentation Command-Line (WMIC) are quietly removed, yet may still be needed in some networks. Both tools are considered obsolete and should be retired from environments due to their security risks. However, administrators may have appreciated a heads-up before having them automatically uninstalled. To replace both tools, download PowerShell 7.5.

The most prudent course for organizations that depend on file and print sharing is to pause broad installation, run targeted pilots, inventory legacy SMB dependencies, and remediate image/SID issues before deploying the update widely.

Workaround suggestions from Microsoft are as follows:

Allow insecure guest auth (Registry): For unmanaged devices, creating the registry value AllowInsecureGuestAuth = 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters can permit legacy guest-based shares to function again, but this re-enables an insecure authentication mode and should be avoided wherever possible.

Re-enable SMB 1.0/CIFS (Windows Features): Turn on SMB 1.0/CIFS support in “Turn Windows features on or off” for compatibility with very old devices. This is strongly discouraged long term; SMB1 is insecure and unsupported by modern best practices.

Change machine SIDs on cloned images: If your environment contains cloned machines with identical SIDs (a common imaging mistake), use proper sysprep /generalize or SID-change tools during imaging to ensure unique machine SIDs. Community responders have reported that SID changes (via Sysprep or third-party SID tools) restore share access when the problem is SID-related. This addresses the root cause in cloned fleets and is preferable to enabling insecure protocols. Note: changing SIDs is intrusive and must be done with careful backups and testing.

Uninstall the LCU (last resort): Removing the LCU portion has restored functionality in many reported cases, but because the SSU is bundled, rolling back is non-trivial and may not remove all servicing changes. Microsoft documents DISM commands to remove the LCU by package name, but warns that SSU components remain. Uninstalling may also remove essential security fixes; weigh the risk before choosing this option.

For the Cisco campaign above: ASA hardware with an August 31, 2026, end-of-support date, ASAv, and Firepower FTD should receive the latest Cisco-provided software updates, and all subsequent updates, via Cisco’s download portal.

Impacts on healthcare organizations:

The most critical impact of this KB could be disrupted patient care if the update causes issues with connectivity or breaks file sharing. Access to EHRs and lab systems may be unavailable, thus delaying reports or access to patient history.

Given these potential outcomes, the best approach is to be cautious and methodical with deployment. Isolate legacy systems and thoroughly test the update before broadly deploying to all systems.

Affected Products / Versions

  • Windows 11 24H2

CVEs

  • CVE-2025-55234 – CWE-287 – CVSS 8.8

KB

  • KB5065426
  • KB5064081
  • KB5063878

Recommendations

Engineering recommendations:

  • Pause updates for at-risk endpoints and schedule a staged test ring
  • Inventory your estate for legacy SMBv1 devices, imaged/cloned endpoints (same machine SID), and critical printers/NAS appliances. Use PsGetSid from Sysinternals PsTools to detect duplicate SIDs if needed
  • Isolate Legacy Devices: Place any temporarily re-enabled SMB1 or guest-auth devices on an isolated VLAN, restrict inbound access, and document exceptions for later removal
  • If legacy devices must be supported temporarily, document and apply the minimum required insecure workaround (e.g., AllowInsecureGuestAuth registry, SMB1) and place those devices on an isolated VLAN with tight firewall rules. Revoke these exceptions as soon as possible
  • In a lab, install KB5065426 on representative hardware and reproduce the issue. Verify the Event Viewer channels: the SMBClient/SMBServer Operational logs, and the Security log for Event ID 4625 (related authentication failures)
  • Reboot and validate: After installing, verify Settings → Network & Internet → [network] → set to Private, re-enable Network Discovery and File and Printer Sharing under Advanced Sharing Settings, and restart both the server and client machines
  • If cloning/SID issues are present, plan a sysprep/regenerate-SID remediation rather than enabling insecure fallbacks. Create and test images with sysprep /generalize to ensure unique SIDs
  • Fix Imaging: If you use imaging/cloning, ensure every deployed image runs sysprep /generalize or a sanctioned provisioning process that generates unique machine SIDs. This prevents duplicate-SID authentication failures exposed by the update.
  • If rolling back the update is necessary, remove only the LCU via DISM and follow Microsoft’s guidance for package names and removal; maintain backups and a plan to reapply security patches once a fix is available
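A read-only PowerShell readiness check for the inventory, duplicate-SID and log-verification steps above (an added example, not Microsoft's or Fortified's code; the seven-day log window and the grouping of pilot-ring reports are assumptions):

```powershell
# Added example: read-only pre-deployment check for KB5065426. Run elevated (PowerShell 5.1+)
# on each pilot machine; it reports and changes nothing.

function Get-MachineSid {
    # A machine SID is any local account SID with its trailing RID removed. The built-in
    # Administrator account (RID 500) exists on every install, even when renamed or disabled.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Select-Object -First 1
    return ($admin.SID.Value -replace '-500$', '')
}

function Get-SmbReadinessReport {
    $since    = (Get-Date).AddDays(-7)    # assumed window; widen if pilots run longer
    $lmParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    # Value absent = default (0): the SMB client refuses insecure guest logons.
    $guest = Get-ItemProperty -Path $lmParams -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue
    $smb1  = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Security 4625 logon failures and SMB client operational events from the window above;
    # compare the counts before and after the pilot install to spot new authentication breakage.
    $logonFailures = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
    $smbEvents     = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SmbClient/Operational'; StartTime = $since } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        MachineSid             = Get-MachineSid
        KB5065426Installed     = [bool](Get-HotFix -Id 'KB5065426' -ErrorAction SilentlyContinue)
        Smb1FeatureState       = $smb1.State    # 'Enabled' = SMB1 still on; remediate rather than rely on it
        AllowInsecureGuestAuth = $(if ($null -eq $guest) { 0 } else { $guest.AllowInsecureGuestAuth })
        LogonFailures7d        = $logonFailures.Count
        SmbClientEvents7d      = $smbEvents.Count
    }
}

function Find-DuplicateMachineSids {
    # Takes the report objects gathered from a pilot ring (for example via Invoke-Command -FilePath
    # with this script) and returns SIDs shared by more than one computer: cloned images that need
    # sysprep /generalize before the update is deployed.
    param([Parameter(Mandatory)][object[]]$Reports)
    $Reports | Group-Object -Property MachineSid | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ MachineSid = $_.Name; Computers = ($_.Group.ComputerName -join ', ') } }
}

# Local run: print this machine's report. Collect one per pilot machine, then pass the
# combined list to Find-DuplicateMachineSids.
Get-SmbReadinessReport | Format-List
```

A non-zero AllowInsecureGuestAuth or an Enabled SMB1 feature state is an exception to document and place on an isolated VLAN, not a baseline to carry into the production ring.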

Leadership / Program recommendations:

  • If you manage Windows endpoints at scale, prioritize staged rollouts, SMB auditing, and firmware/PKI readiness as part of an integrated remediation plan; these steps reduce the likelihood you’ll face the very outages this update has uncovered while preserving the hardening gains Microsoft is trying to deliver

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
