An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices.

KB5070881, the emergency update causing this issue, was released on the same day that several cybersecurity companies confirmed the critical-severity CVE-2025-59287 remote code execution (RCE) flaw was being exploited in the wild. The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the companies' findings, warning IT admins of the increased risk given that a PoC exploit is already available.

Days later, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to secure their systems after adding it to its catalog of security flaws that have been abused in attacks. The Shadowserver Internet watchdog group is now tracking over 2,600 WSUS instances with the default ports (8530/8531) exposed online, although it didn't share how many have already been patched.

However, in an update to the original KB5070881 support document, Microsoft says that some of the Hotpatch-enrolled Windows Server 2025 systems have now lost their hotpatch enrollment status after receiving the OOB update that addresses the CVE-2025-59287 vulnerability.

"A very limited number of Hotpatch-enrolled machines received the update before the issue was corrected. The update is now offered only to machines that are not enrolled to receive Hotpatch updates," Microsoft says. "This issue only impacts Windows Server 2025 devices and virtual machines (VMs) enrolled to receive Hotpatch updates."

Microsoft has stopped offering the KB5070881 update to Hotpatch-enrolled Windows Server 2025 devices, and states that those who have already installed it will no longer receive Hotpatch updates in November and December.

They will instead be offered the regular monthly security updates, which will require a restart, and will join the hotpatching rollout after installing the planned baseline for January 2026.

New security update doesn't break hotpatching

Luckily, admins who have only downloaded the buggy update and have yet to deploy it can install the KB5070893 security update (released one day after KB5070881 and specifically designed to patch the CVE-2025-59287 flaw without breaking hotpatching) by going into Settings > Windows Update and selecting Pause updates. Next, they have to unpause and scan for updates to receive the correct update.

"Hotpatch-enrolled machines that have not installed this update will be offered the October 24, 2025, Security Update for Windows Server Update Services (KB5070893) on top of the planned baseline update for October 2025 (KB5066835)," Microsoft added.

"Machines installing KB5070893 will remain 'on the Hotpatch train' and will continue to receive Hotpatch updates in November and December. Only those machines that have WSUS enabled will be prompted to restart after installing the Security Update, KB5070893."

To address the CVE-2025-59287 RCE vulnerability, Microsoft has also turned off the display of synchronization error details within its WSUS error reporting.

Last week, Microsoft acknowledged a bug that prevented users from quitting the Windows 11 Task Manager after installing the October 2025 optional update. Additionally, it fixed the Windows 11 Media Creation Tool (MCT) and resolved 0x800F081F update errors affecting Windows 11 24H2 systems since January.