Full Report
Microsoft has found no link between the August 2025 KB5063878 security update and customer reports of failure and data corruption issues affecting solid-state drives (SSDs) and hard disk drives (HDDs). [...]
Analysis Summary
This document summarizes the security incident based on the provided context. Given the nature of the context (a platform notification denying a link between an OS update and hardware failure), the report is structured to reflect an *investigation* into a reported hardware failure rather than a traditional cyber security incident involving malicious actors.
# Incident Report: Alleged SSD/HDD Failure Linked to Windows Update KB5063878
## Executive Summary
Users reported critical failures and data corruption affecting Solid-State Drives (SSDs) and Hard Disk Drives (HDDs) following the installation of the August 2025 Windows 11 24H2 security update (KB5063878). Microsoft conducted an investigation, including internal testing and collaboration with storage partners, and has publicly stated that they found **no link** between the security update and the reported hardware failures. Users experiencing issues are advised to temporarily avoid writing large files to drives over 60% capacity until the root cause is determined.
## Incident Details
- Discovery Date: Approximately the week preceding August 29, 2025 (when Microsoft acknowledged reports).
- Incident Date: August 2025 (Coinciding with KB5063878 release).
- Affected Organization: Affected customers running Windows 11 24H2.
- Sector: Technology/Software Consumer.
- Geography: Global (Initial reports surfaced from Japanese users).
## Timeline of Events
### Initial Access (N/A - Hardware/Software interaction reported)
- Date/Time: August 2025
- Vector: Installation of Windows Security Update KB5063878 (Windows 11 24H2).
- Details: Failures were observed during heavy write operations (writing large files or many files simultaneously) on drives that were over 60% full.
### Lateral Movement (N/A)
- Not applicable; this relates to hardware component failure under specific operational load conditions.
### Data Exfiltration/Impact
- Impact: Hard drive inaccessibility, potential data corruption, drive failure (reported across various models from manufacturers like Corsair, SanDisk, Kioxia).
### Detection & Response
- Date/Time: Last week (prior to Aug 29, 2025) Microsoft acknowledged the reports.
- Response actions taken: Microsoft began collecting user feedback, attempted to reproduce the issue on up-to-date systems, and worked with storage device partners (e.g., Phison).
## Attack Methodology
*Note: This section is mapped based on the reported trigger mechanism rather than malicious TTPs.*
- Initial Access: Software Deployment (KB5063878).
- Persistence: N/A.
- Privilege Escalation: N/A.
- Defense Evasion: N/A.
- Credential Access: N/A.
- Discovery: N/A.
- Lateral Movement: N/A.
- Collection: N/A.
- Exfiltration: N/A.
- Impact: Potential hardware failure mechanism triggered by specific OS update interacting with drive usage (over 60% full) during high write operations.
## Impact Assessment
- Financial: Undisclosed costs related to data loss and potential drive replacements for affected customers.
- Data Breach: Not applicable; the issue relates to drive integrity, not external data theft.
- Operational: Disruption to user environments tied to system/drive inaccessibility following write operations.
- Reputational: Minor negative impact on Windows Update reliability perception until causation was clarified.
## Indicators of Compromise
*Note: Since the context reports a denial of malicious activity, IoCs are limited to contextual triggers.*
- **Network indicators:** None identified.
- **File indicators:** Update KB5063878 (KB5063878).
- **Behavioral indicators:** Heavy write operations and drive utilization exceeding 60%.
## Response Actions
- **Containment measures:** Microsoft advised users with affected drives/conditions to avoid downloading, copying, or writing large files (tens of gigabytes) until the root cause is identified.
- **Eradication steps:** Unknown, as Microsoft stated no link was found. Remediation depends on the ultimate root cause (which may lie with firmware/hardware vendors rather than the update itself).
- **Recovery actions:** Stakeholders (like Phison) are actively working with Microsoft to review affected controllers. Some users reported drives revived after a system reboot.
## Lessons Learned
- **Key takeaways:** Even widely deployed, non-malicious updates can interact unexpectedly with specific hardware configurations (e.g., drive usage percentage, controller type) leading to critical failures.
- **What could have been done better:** Further diligence or targeted testing involving hardware partners prior to mass deployment when concerning feedback patterns emerge.
## Recommendations
- For Windows Users: Users performing large data transfers or massive file writes on Windows 11 24H2 systems should ensure their primary storage drives are below 60% capacity until further clarification is issued.
- For Microsoft: Continue close collaboration with NAND controller makers and drive partners to trace the root cause, regardless of initial telemetry findings.