Microsoft Suspends KB5070881 Update Following Hotpatch Issues on Windows Server 2025

Microsoft recently faced challenges following the release of emergency update KB5070881, intended to address a critical vulnerability in Windows Server Update Services (WSUS), known as CVE-2025-59287. IT administrators reported that this update inadvertently disrupted Hotpatching for some instances of Windows Server 2025, causing significant concern.

In a statement regarding the update, Microsoft acknowledged that a "very limited number" of Hotpatch-enrolled servers experienced issues post-installation. Specifically, these machines were temporarily removed from receiving future Hotpatch updates, with the company noting the following:

Symptoms

The update was initially made available to all Windows Server 2025 systems, irrespective of their enrollment in Hotpatch. Once updated, affected machines could no longer receive Hotpatch updates. The patch is now offered only to machines that are not enrolled in Hotpatch.

Microsoft provided several workarounds for affected systems:

  • For those that already installed the update: These machines will not receive Hotpatch updates in November and December. They will revert to receiving the standard monthly security updates, requiring device restarts. To rejoin the Hotpatch program, they need to install a baseline planned for January 2026, followed by the next scheduled Hotpatch in February 2026.

  • For machines that downloaded the update but have not installed it: Users are advised to navigate to Settings > Windows Update, select Pause updates, then un-pause and scan for updates to ensure they receive the correct version.

Hotpatch-enrolled machines that missed the problematic update will instead receive KB5070893, which fixes the vulnerability without disrupting Hotpatching. A restart is required if WSUS is enabled.
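To sort a fleet into the cases above, the following PowerShell sketch reports which of the two KBs each server has installed. It is an added example, not code from Microsoft or the original article. The server names are constructed placeholders, it assumes both updates are listed by Get-HotFix, and it does not detect Hotpatch enrollment.

```powershell
# Added triage sketch. Server names below are constructed placeholders.
$Servers = 'ws2025-01.example.internal', 'ws2025-02.example.internal'

function Get-WsusFixState {
    param([Parameter(Mandatory)][string]$ComputerName)

    try {
        # Pull the full list once so "KB absent" and "host unreachable" stay distinct.
        # Assumption: both updates appear in Win32_QuickFixEngineering,
        # which is the source Get-HotFix reads.
        $ids = @((Get-HotFix -ComputerName $ComputerName -ErrorAction Stop).HotFixID)
    } catch {
        return [pscustomobject]@{
            Server = $ComputerName
            State  = 'Unknown'
            Action = "Query failed: $($_.Exception.Message)"
        }
    }

    if ($ids -contains 'KB5070881') {
        $state  = 'KB5070881 installed'
        $action = 'If Hotpatch-enrolled: expect monthly updates with restarts ' +
                  'until the January 2026 baseline.'
    } elseif ($ids -contains 'KB5070893') {
        $state  = 'KB5070893 installed'
        $action = 'WSUS fix present; Hotpatch enrollment not disrupted.'
    } else {
        $state  = 'Neither KB found'
        $action = 'CVE-2025-59287 fix missing. If the update is downloaded but ' +
                  'not installed, pause and un-pause updates, then scan again.'
    }

    [pscustomobject]@{ Server = $ComputerName; State = $state; Action = $action }
}

$Servers | ForEach-Object { Get-WsusFixState -ComputerName $_ } |
    Format-Table -AutoSize -Wrap
```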

Security experts, including those from the Netherlands National Cyber Security Centre (NCSC-NL), had confirmed that the WSUS vulnerability was being actively exploited. Data indicates that more than 2,600 WSUS servers, still configured with default ports, are accessible online, presenting a significant risk to organizations that have not implemented the necessary patches.

For more information about the involved updates:

