Microsoft WSUS Patch Breaks Hotpatching on Windows Server 2025

A recent security update from Microsoft aimed at addressing a critical vulnerability in the Windows Server Update Service (WSUS) has inadvertently disrupted the hotpatching capabilities of some Windows Server 2025 systems. This unforeseen consequence has left certain servers enrolled in Microsoft’s Hotpatch program unable to apply updates without requiring a restart, compelling administrators to revert to traditional cumulative updates until January 2026.

The vulnerability, identified as CVE-2025-59287, posed a significant threat by allowing attackers to exploit weaknesses in how WSUS managed specific requests. This flaw could potentially enable remote code execution, allowing malicious actors to bypass security measures and execute arbitrary code on targeted servers, thereby jeopardizing enterprise environments.

How did the update affect Windows Server 2025 hotpatching?

Last month, Microsoft released an out-of-band security update (KB5070881) to address the critical WSUS vulnerability, which was reportedly being actively exploited. However, this update inadvertently disabled hotpatching for some Windows Server 2025 machines that were part of the Hotpatch program.

According to Microsoft, “A very limited number of Hotpatch-enrolled machines received the update before the issue was corrected. The update is now offered only to machines that are not enrolled to receive Hotpatch updates.” This situation specifically impacts devices and virtual machines (VMs) running Windows Server 2025 that are part of the Hotpatch program.

As a result of the KB5070881 update, systems enrolled in the hotpatching program lost their enrollment status. Consequently, affected servers will not receive the anticipated hotpatch updates for November and December, necessitating reliance on standard cumulative updates that require system restarts. This limitation will remain until the baseline update in January 2026 is installed, which is expected to restore hotpatching functionality.

Microsoft’s response and the new fix

In response to this disruption, Microsoft has rolled out a new update (KB5070893) that addresses the original vulnerability while preserving hotpatching capabilities. Administrators who downloaded the problematic KB5070881 but have yet to install it can navigate to Settings > Windows Update, unpause, and scan again to receive the new KB5070893 update instead. Microsoft assures that Windows Server machines that successfully install this update will continue to receive Hotpatch updates in November and December.
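For administrators who want to confirm which of the two updates a server actually has before deciding whether a restart-free path is still available, the following PowerShell script is an added example (it is not from the article and not Microsoft's own tooling). The KB numbers are the ones named above; the function name, the use of the Windows Update Agent COM API for the re-scan, and the interpretation of each state are assumptions.

```powershell
# Added example, not part of the article: report whether this host received
# the problematic KB5070881 or the replacement KB5070893, and, if neither,
# re-scan Windows Update so the replacement can be offered.
$BrokenKb = 'KB5070881'   # out-of-band WSUS fix that dropped Hotpatch enrollment
$FixedKb  = 'KB5070893'   # replacement WSUS fix that keeps Hotpatch enrollment

function Get-WsusFixState {
    # Get-HotFix wraps Win32_QuickFixEngineering, which lists installed KBs.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HasBrokenKb  = $installed -contains $BrokenKb
        HasFixedKb   = $installed -contains $FixedKb
    }
}

function Find-PendingUpdate {
    param([string]$KbId)
    # Windows Update Agent COM API: list updates that are applicable but not
    # yet installed, then look for the requested KB among them.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0')
    foreach ($u in $result.Updates) {
        if ($u.Title -like "*$KbId*") { return $u.Title }
    }
    return $null
}

$state = Get-WsusFixState
if ($state.HasBrokenKb) {
    Write-Warning "$BrokenKb is installed on $($state.ComputerName): expect restart-requiring cumulative updates until the January 2026 baseline."
}
elseif ($state.HasFixedKb) {
    Write-Output "$FixedKb is installed on $($state.ComputerName): Hotpatch enrollment should be intact."
}
else {
    # Neither update present: this is the 'downloaded but not installed' case
    # from the article, so check whether the replacement is now being offered.
    $pending = Find-PendingUpdate -KbId $FixedKb
    if ($pending) {
        Write-Output "Replacement offered: $pending"
    } else {
        Write-Output "$FixedKb not yet offered; unpause Windows Update and scan again."
    }
}
```

Run it in an elevated PowerShell session on each Hotpatch-enrolled server; the COM search goes to whatever update source the machine is configured for (WSUS or Microsoft Update), so on a WSUS-managed host it only reports KB5070893 once the upstream WSUS server has approved it.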

Additionally, Microsoft has implemented changes to WSUS error reporting to obscure synchronization error details. Other unrelated fixes included in this update address issues with the Windows 11 Task Manager, Media Creation Tool, and update errors on Windows 11 version 24H2.
