Critical Patch Causes Unintended Side Effects
Microsoft has acknowledged that a recent out-of-band (OOB) security update, KB5070881, has caused a significant issue for some system administrators. The patch was released urgently to address a critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. This flaw is being actively exploited in the wild, prompting CISA to order U.S. federal agencies to secure their systems.
However, the emergency fix had an unintended consequence: it broke the “hotpatching” feature on a limited number of enrolled Windows Server 2025 machines. Hotpatching allows for security updates to be applied without requiring a system restart, a crucial feature for maintaining uptime on critical servers. The faulty update has effectively unenrolled these systems from the program.
Resolution and Guidance for Administrators
In response, Microsoft has stopped distributing the problematic KB5070881 update to devices enrolled in hotpatching. For the small number of servers that already installed it, hotpatching will be disabled for November and December. These systems will instead receive standard monthly security updates that require a reboot and are expected to rejoin the hotpatching schedule after a new baseline is released in January 2026.
A corrected update, KB5070893, has been released to address the WSUS vulnerability without impacting the hotpatching service. Microsoft advises administrators who may have downloaded but not yet deployed the original buggy patch to pause Windows Update, then unpause and scan for updates again. This process will ensure they receive the new, correct KB5070893 patch, allowing their systems to remain fully functional and secure.
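To see which servers fall into which group described above, the following added example (not Microsoft's tooling, and not from the original article) classifies machines by the two KB numbers the article names. The function names, server names and the `KB0000000` placeholder are constructed for illustration, and it assumes both updates appear in `Get-HotFix` output.

```powershell
$FaultyKb    = 'KB5070881'   # original OOB update that unenrolled some hotpatch machines
$CorrectedKb = 'KB5070893'   # corrected update for CVE-2025-59287

function Get-WsusPatchState {
    # Hypothetical helper: classify one server from its list of installed KB IDs.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$InstalledKb = @()
    )
    $hasFaulty    = $InstalledKb -contains $FaultyKb      # -contains is case-insensitive
    $hasCorrected = $InstalledKb -contains $CorrectedKb
    if ($hasFaulty -and $hasCorrected) {
        $state = 'Both'
        $note  = 'Original update was installed; same hotpatch impact as FaultyOnly'
    } elseif ($hasFaulty) {
        $state = 'FaultyOnly'
        $note  = 'If hotpatch-enrolled: reboot-required monthly updates until the January 2026 baseline'
    } elseif ($hasCorrected) {
        $state = 'Corrected'
        $note  = 'Corrected update installed'
    } else {
        $state = 'Neither'
        $note  = 'Neither KB listed; if KB5070881 was downloaded but not deployed, pause/unpause Windows Update and rescan'
    }
    [pscustomobject]@{ Computer = $ComputerName; State = $state; Note = $note }
}

function Get-InstalledKb {
    # Live query; Get-HotFix reads Win32_QuickFixEngineering and may not list every update type.
    param([string]$ComputerName = $env:COMPUTERNAME)
    @((Get-HotFix -ComputerName $ComputerName -ErrorAction Stop).HotFixID)
}

# Constructed inventory (server names and KB0000000 are placeholders, not real data).
$inventory = [ordered]@{
    'SRV-HP-01' = @('KB0000000', 'KB5070881')
    'SRV-HP-02' = @('KB0000000', 'KB5070893')
    'SRV-WSUS'  = @('KB0000000')
}
$report = foreach ($name in $inventory.Keys) {
    Get-WsusPatchState -ComputerName $name -InstalledKb $inventory[$name]
}
$report | Format-Table -AutoSize -Wrap

# Against the local machine instead of the constructed data:
# Get-WsusPatchState -ComputerName $env:COMPUTERNAME -InstalledKb (Get-InstalledKb)
```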