Microsoft WSUS Patch Disables Windows Server Hotpatching

Summary
– An emergency security update (KB5070881) for a critical WSUS vulnerability (CVE-2025-59287) has broken hotpatching on some Windows Server 2025 devices.
– The vulnerability is a remote code execution flaw that was actively exploited, prompting urgent patches and a U.S. government directive to secure systems.
– Microsoft has stopped offering the problematic update to hotpatch-enrolled devices and provided an alternative update (KB5070893) that patches the flaw without disrupting hotpatching.
– Devices that installed the faulty update will lose hotpatch enrollment until January 2026 and must use regular security updates requiring restarts.
– Microsoft also disabled the display of synchronization error details in WSUS error reporting as part of addressing the vulnerability.
A recent emergency security update from Microsoft, designed to fix a critical vulnerability in Windows Server Update Services (WSUS), has inadvertently disrupted the hotpatching functionality on certain Windows Server 2025 installations. This forces affected systems back onto conventional security updates that require a system restart, increasing operational downtime for administrators.
The update in question, KB5070881, was issued urgently to counter CVE-2025-59287, a severe remote code execution flaw confirmed by multiple cybersecurity firms to be under active exploitation. The Netherlands National Cyber Security Centre validated these reports, emphasizing the heightened danger since a functional proof-of-concept exploit is already circulating. Shortly after, the U.S. Cybersecurity and Infrastructure Security Agency mandated that federal agencies apply the patch, adding the vulnerability to its list of actively exploited security flaws. Internet monitoring by the Shadowserver group identified more than 2,600 WSUS instances with their default ports accessible online, though the exact number of patched systems remains unclear.
Microsoft has since revised its support documentation for KB5070881, acknowledging that a small subset of Hotpatch-enrolled Windows Server 2025 systems lost their enrollment status after installing this out-of-band update. The company clarified that the problematic update was only briefly available to hotpatch-enabled machines before the issue was identified and corrected. Microsoft has now blocked the distribution of KB5070881 to Hotpatch-enrolled Windows Server 2025 devices. For systems that already installed it, hotpatch updates for November and December 2025 will be unavailable. These devices will instead receive standard monthly security updates requiring a restart and will rejoin the hotpatching schedule after installing the planned baseline update scheduled for January 2026.
Fortunately, administrators who have downloaded but not yet deployed the faulty update have a straightforward solution. They can install the KB5070893 security update, released one day after KB5070881, which resolves the CVE-2025-59287 vulnerability without impacting hotpatching capabilities. To obtain this corrected update, users should navigate to Settings, select Windows Update, choose to pause updates, then unpause and perform a new update scan. Microsoft confirms that Hotpatch-enrolled machines installing KB5070893 will remain on the hotpatch update track and continue receiving non-restart updates in November and December. Only systems with WSUS enabled will need to restart after applying KB5070893.
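The following PowerShell triage script is an added example, not code from the article or from Microsoft. It checks which of the two out-of-band updates discussed above is installed on the local server, whether the WSUS role is present, and whether the WSUS listeners are bound to a non-loopback address, then reports the expected hotpatch consequence. Assumptions: the updates appear in Get-HotFix output as "KB5070881" and "KB5070893", the WSUS role name is "UpdateServices", and the default WSUS ports are TCP 8530 (HTTP) and 8531 (HTTPS). Hotpatch enrollment is managed from Azure, and the article gives no local indicator for it, so the script takes that fact from the caller via a hypothetical -HotpatchEnrolled switch.

```powershell
# Added triage script for the CVE-2025-59287 out-of-band updates (not from the
# article or Microsoft). Run elevated on a Windows Server 2025 host.
# Assumed: KB IDs as listed by Get-HotFix, role name "UpdateServices",
# default WSUS ports 8530/8531. Hotpatch enrollment is supplied by the caller.
[CmdletBinding()]
param(
    [switch]$HotpatchEnrolled   # hypothetical flag: set if Azure shows the device enrolled
)

$badKb  = 'KB5070881'   # out-of-band update that drops hotpatch enrollment
$goodKb = 'KB5070893'   # follow-up update that fixes the flaw and keeps hotpatch intact

# Installed update IDs (Get-HotFix reads Win32_QuickFixEngineering).
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID
$hasBad  = $installed -contains $badKb
$hasGood = $installed -contains $goodKb

# Is the WSUS server role installed? Get-WindowsFeature exists on Server SKUs only.
$wsusRole = $false
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $wsusRole = [bool](Get-WindowsFeature -Name UpdateServices).Installed
}

# Default WSUS ports listening on something other than loopback (0.0.0.0 and :: count as exposed).
$exposedPorts = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 8530, 8531 -and $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Select-Object -ExpandProperty LocalPort -Unique

[pscustomobject][ordered]@{
    ComputerName         = $env:COMPUTERNAME
    WsusRoleInstalled    = $wsusRole
    WsusPortsNonLoopback = ($exposedPorts -join ',')
    KB5070881Installed   = $hasBad
    KB5070893Installed   = $hasGood
    HotpatchEnrolled     = [bool]$HotpatchEnrolled
} | Format-List

if (-not ($hasBad -or $hasGood)) {
    # Neither out-of-band update present: apply the one that preserves hotpatching.
    if ($wsusRole) {
        Write-Warning "WSUS role present and neither $badKb nor $goodKb is installed."
    }
    Write-Host "Action: install $goodKb (Settings > Windows Update: pause, resume, then rescan)."
}
elseif ($hasBad -and $HotpatchEnrolled) {
    # Article: these devices get restart-required updates until the January 2026 baseline.
    Write-Warning "$badKb is installed on a hotpatch-enrolled device: expect restart-required monthly updates until the January 2026 baseline."
}
elseif ($hasGood -and $wsusRole) {
    # Article: only WSUS-enabled systems need a restart after KB5070893.
    Write-Host "$goodKb installed; a restart is required because the WSUS role is enabled."
}
else {
    Write-Host "One of the CVE-2025-59287 out-of-band updates is installed; hotpatch track unaffected."
}
```

Run it with `-HotpatchEnrolled` on servers that Azure Update Manager reports as enrolled; a non-empty WsusPortsNonLoopback value on a host that also reaches the internet is the exposure condition Shadowserver counted, and those hosts should be patched first.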
As part of its response to the CVE-2025-59287 RCE vulnerability, Microsoft has also disabled the display of synchronization error details within WSUS error reporting. This incident follows other recent Windows update complications, including an acknowledged bug that prevented users from closing the Windows 11 Task Manager after installing an optional October 2025 update. Microsoft has also resolved issues with the Windows 11 Media Creation Tool and fixed 0x800F081F update errors that had troubled Windows 11 24H2 systems since January.
(Source: Bleeping Computer)