Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching

An out-of-band (OOB) security update for Windows Server 2025, KB5070881, has disrupted the hotpatching feature on some devices. Microsoft released it at the same time as cybersecurity firms reported that the critical CVE-2025-59287 remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), the flaw the update fixes, was being exploited in the wild. The Netherlands National Cyber Security Centre (NCSC-NL) corroborated those reports and alerted IT administrators to the heightened risk now that a proof-of-concept exploit is publicly available.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which obliges U.S. federal agencies to patch it. Meanwhile, the Shadowserver Foundation is tracking more than 2,600 WSUS instances exposed online on the default ports (8530 for HTTP and 8531 for HTTPS). It has not said how many of those have been patched, so the figure counts reachable instances, not confirmed vulnerable ones.

In a subsequent update to the KB5070881 support document, Microsoft acknowledged that the OOB update has inadvertently caused some Hotpatch-enrolled Windows Server 2025 systems to lose their enrollment status. The company noted, “A very limited number of Hotpatch-enrolled machines received the update before the issue was corrected. The update is now offered only to machines that are not enrolled to receive Hotpatch updates.” This situation specifically affects Windows Server 2025 devices and virtual machines (VMs) that are part of the Hotpatch program.

As a precautionary measure, Microsoft has stopped offering KB5070881 to Hotpatch-enrolled Windows Server 2025 devices. Devices that have already installed it will not receive Hotpatch updates in November and December; they will instead get the standard monthly security updates, which require a restart, and will rejoin hotpatching after installing the planned January 2026 baseline update.

New security update doesn’t break hotpatching

For administrators whose Hotpatch-enrolled machines have downloaded KB5070881 but not yet installed it, there is a remedy: install KB5070893 instead, the security update released the day after KB5070881 that fixes CVE-2025-59287 without disrupting hotpatching. To get it offered, open Settings > Windows Update, select Pause updates, then resume updates and check for updates again; the scan should now return KB5070893 rather than KB5070881.

Microsoft further clarified, “Hotpatch-enrolled machines that have not installed this update will be offered the October 24, 2025, Security Update for Windows Server Update Services (KB5070893) on top of the planned baseline update for October 2025 (KB5066835).” Machines that install KB5070893 stay on the “Hotpatch train” and continue to receive hotpatch updates in the coming months. Only systems with the WSUS server role enabled are prompted to restart after installing this security update.
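As an added example (not code from the article or from Microsoft), the following PowerShell audits a Windows Server 2025 host for the situation described above: which of the two updates is installed, whether the WSUS server role is present, and whether the default WSUS ports are listening, then prints what the guidance implies for that host. The KB numbers, CVE and ports come from the article; the function names, the Windows Update history lookup and the output layout are this example's own choices. It does not query hotpatch enrollment, because the article names no local indicator for it, so that judgement is left to the operator.

```powershell
# Added example, not from the article or Microsoft. Run in an elevated PowerShell
# session on the Windows Server 2025 host being checked.
# Assumptions: KB numbers and ports as named in the article; Windows Update Agent
# COM API and the ServerManager module are available (both ship with Windows Server).

$FixedKb   = 'KB5070893'  # October 24, 2025 WSUS security update; keeps hotpatch enrollment
$BrokenKb  = 'KB5070881'  # October 23, 2025 OOB update; drops hotpatch-enrolled hosts off the hotpatch train
$WsusPorts = 8530, 8531   # default WSUS HTTP/HTTPS ports, the ones Shadowserver counts as exposed

function Get-InstalledKbIds {
    # Two sources, because Get-HotFix (Win32_QuickFixEngineering) can lag behind
    # the Windows Update history for recently installed cumulative updates.
    $ids = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        foreach ($entry in $searcher.QueryHistory(0, $count)) {
            # ResultCode 2 = orcSucceeded; titles look like "2025-10 Security Update ... (KB5070893)"
            if ($entry.ResultCode -eq 2 -and $entry.Title -match 'KB\d{6,7}') {
                $ids += $Matches[0]
            }
        }
    }
    $ids | Sort-Object -Unique
}

function Test-WsusRole {
    # Get-WindowsFeature is in the ServerManager module; Installed is $true when the role is present.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    [bool]($feature -and $feature.Installed)
}

function Get-WsusListeners {
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort
}

$installed = Get-InstalledKbIds
$hasFixed  = $installed -contains $FixedKb
$hasBroken = $installed -contains $BrokenKb
$wsusRole  = Test-WsusRole
$listeners = @(Get-WsusListeners)

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    WsusRole      = $wsusRole
    KB5070893     = $hasFixed
    KB5070881     = $hasBroken
    WsusListening = ($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
} | Format-List

# Either update fixes CVE-2025-59287; only KB5070881 costs a hotpatch-enrolled host its enrollment.
if ($wsusRole -and -not ($hasFixed -or $hasBroken)) {
    Write-Warning "WSUS role present and neither update installed: CVE-2025-59287 is unpatched. Pause and resume Windows Update so $FixedKb (not $BrokenKb) is offered, then install it."
}
if ($hasBroken) {
    Write-Warning "$BrokenKb is installed. If this host was hotpatch-enrolled, expect restart-requiring monthly updates in November and December and re-enrollment with the January 2026 baseline."
}
if ($hasFixed -and -not $hasBroken) {
    Write-Host "$FixedKb is installed: CVE-2025-59287 is patched and hotpatch enrollment, if any, is unaffected."
}

# Listening on a wildcard address does not by itself mean internet exposure, but it is the case to verify.
$wildcard = @($listeners | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' })
if ($wildcard.Count -gt 0) {
    Write-Warning "WSUS ports listen on all interfaces; confirm 8530/8531 are not reachable from the internet."
}
```

The script reports, it does not install anything: which update to pull remains the pause-and-resume step described above, and a host that already has KB5070881 cannot undo the enrollment loss by adding KB5070893 afterwards.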

Besides fixing the CVE-2025-59287 RCE vulnerability, the update also stops WSUS error reporting from displaying synchronization error details. Last week, Microsoft acknowledged a separate bug that prevented users from closing the Windows 11 Task Manager after installing the October 2025 optional update. It also resolved issues with the Windows 11 Media Creation Tool (MCT) and fixed the persistent 0x800F081F update errors that had affected Windows 11 24H2 systems since January.

Winsage