An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices.
KB5070881, the emergency update causing this issue, was released on the same day that several cybersecurity companies confirmed the critical-severity CVE-2025-59287 remote code execution (RCE) flaw was being exploited in the wild. The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the companies' findings, warning IT admins of the increased risk given that a PoC exploit is already available.
Days later, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to secure their systems after adding it to its catalog of security flaws that have been abused in attacks. The Shadowserver Internet watchdog group is now tracking over 2,600 WSUS instances with the default ports (8530/8531) exposed online, although it didn't share how many have already been patched.
However, in an update to the original KB5070881 support document, Microsoft says that some of the Hotpatch-enrolled Windows Server 2025 systems have now lost their hotpatch enrollment status after receiving the OOB update that addresses the CVE-2025-59287 vulnerability.
"A very limited number of Hotpatch-enrolled machines received the update before the issue was corrected. The update is now offered only to machines that are not enrolled to receive Hotpatch updates," Microsoft says. "This issue only impacts Windows Server 2025 devices and virtual machines (VMs) enrolled to receive Hotpatch updates."
Microsoft has stopped offering the KB5070881 update to Hotpatch-enrolled Windows Server 2025 devices, and states that those who have already installed it will no longer receive Hotpatch updates in November and December.
They will instead be offered the regular monthly security updates, which will require a restart, and will join the hotpatching rollout after installing the planned baseline for January 2026.
New security update doesn't break hotpatching
Luckily, admins who have only downloaded the buggy update and have yet to deploy it can install the KB5070893 security update (released one day after KB5070881 and specifically designed to patch the CVE-2025-59287 flaw without breaking hotpatching) by going into Settings > Windows Update and selecting Pause updates. Next, they have to unpause and scan for updates to receive the correct update.
"Hotpatch-enrolled machines that have not installed this update will be offered the October 24, 2025, Security Update for Windows Server Update Services (KB5070893) on top of the planned baseline update for October 2025 (KB5066835)," Microsoft added.
... continue reading