Microsoft’s Latest WSUS Patch Breaks Hotpatching On Windows Server 2025

Microsoft’s out-of-band security update KB5070881, released on October 23, 2025, for Windows Server 2025 (OS Build 26100.6905), has inadvertently disrupted the hotpatching feature on affected systems.

Designed to patch a critical remote code execution vulnerability in Windows Server Update Services (WSUS), the update instead caused enrolled hotpatching devices to lose their no-reboot update capabilities, forcing temporary reliance on traditional restarts.

This issue highlights the delicate balance between rapid security responses and preserving innovative features like hotpatching, which promises downtime-free patching for servers.

The update addresses CVE-2025-59287, a high-severity flaw in WSUS reporting web services that allows attackers to execute arbitrary code remotely without authentication.

Cybersecurity firms quickly confirmed active exploitation, with proof-of-concept exploits circulating online, prompting urgent action from Microsoft.

The Netherlands National Cyber Security Centre and others warned of heightened risks, especially since WSUS servers often manage enterprise-wide updates.

The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch within weeks.

Shadowserver reports over 2,600 exposed WSUS instances on default ports, underscoring the widespread exposure.

The Hotpatching Disruption Explained

Hotpatching, a flagship feature in Windows Server 2025, enables security updates to apply in-memory without reboots, minimizing operational interruptions for critical infrastructure.

However, KB5070881 was initially offered broadly, including to hotpatch-enrolled machines and virtual machines, before Microsoft identified the conflict.

A limited number of systems installed it, resulting in lost enrollment status and exclusion from the hotpatching track until early 2026.

Microsoft has since restricted the update to non-enrolled devices, ensuring broader protection against the WSUS flaw while isolating the side effect.

Affected servers now receive standard monthly security updates requiring restarts for November and December 2025.

They will revert to regular updates in the interim but rejoin hotpatching after installing a planned January 2026 baseline, with the next hotpatch arriving in February.

Administrators cannot easily uninstall the package, because it bundles the cumulative update with servicing stack update (SSU) KB5067360 to make installation reliable.

This glitch only impacts Windows Server 2025 in hotpatch mode, sparing other versions like Windows Server 2022.
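The following is an added example, not code from the article or from Microsoft: a PowerShell inventory check an administrator can run on a Windows Server 2025 host to see whether it sits at the KB5070881 build (26100.6905) and whether the combined SSU/LCU package is present as seen by DISM. The hotpatch enrollment status is left to the operator, since the article gives no registry location for it, and the `Get-WindowsPackage` call requires an elevated session.

```powershell
# Added example (not from the article or Microsoft): inventory one server for the
# KB5070881 build and package state described above. Build numbers and KB ids
# are the ones the article quotes; no hotpatch-enrollment key is assumed.

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = "$($cv.CurrentBuild).$($cv.UBR)"   # e.g. 26100.6905 after KB5070881

# Quick check via the hotfix list (Win32_QuickFixEngineering); absent => $false
$kbInstalled = [bool](Get-HotFix -Id 'KB5070881' -ErrorAction SilentlyContinue)

# DISM view (requires elevation): the combined SSU+LCU shows up as packages whose
# names carry the KB numbers; these are the names DISM removal guidance refers to.
$packages = Get-WindowsPackage -Online |
    Where-Object { $_.PackageName -match 'KB5070881|KB5067360' } |
    Select-Object PackageName, PackageState, InstallTime

$report = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OsBuild        = $osBuild
    IsServer2025   = ($cv.CurrentBuild -eq '26100')
    HasKB5070881   = ($kbInstalled -or ($packages.Count -gt 0))
    AtPatchedBuild = ($osBuild -eq '26100.6905')
    Packages       = ($packages.PackageName -join '; ')
}

# A Server 2025 host that reports HasKB5070881 = True and was hotpatch-enrolled
# is one of the systems the article says fall back to restart-based updates
# until the January 2026 baseline.
$report | Format-List
```

Run it once per server, or wrap it in `Invoke-Command` against a list of hosts, and collect the `$report` objects to find the machines that need the restart-based November and December updates.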

Implications For Enterprise Security

The incident arrives amid Microsoft’s push to deprecate WSUS feature development in favor of cloud-based alternatives, yet WSUS remains vital for on-premises environments.

While the patch mitigates a real threat, potentially preventing widespread compromise, it exposes the challenges of testing emergency updates against newer features.

IT teams are advised to monitor the Windows Release Health Dashboard and delay non-essential hotpatch enrollments until resolved.

As exploitation continues, the trade-off favors security over convenience, but the episode is a reminder to diversify update strategies in hybrid setups.

Alongside this WSUS fix, Microsoft urges administrators to review Secure Boot certificate expirations beginning in June 2026 to avoid boot issues.

For full details, consult the official KB article, which includes file information and removal guidance via DISM tools.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
