Microsoft Halts KB5070881 After It Broke Hotpatch on Windows Server 2025

New KB5070893 patch fixes CVE-2025-59287 without disrupting Hotpatch


Microsoft’s out-of-band (OOB) update for a critical WSUS vulnerability (CVE-2025-59287) has been another headache for IT admins. The emergency update, KB5070881, rolled out to stop active exploits, has been breaking Hotpatching on some Windows Server 2025 systems.

In an update to its KB5070881 documentation, the company confirmed that a “very limited number” of Hotpatch-enrolled Windows Server 2025 machines lost their enrollment after installing the patch. The company detailed the following in the update:

Symptoms

This update was briefly offered to all Windows Server 2025 machines, regardless of their Hotpatch enrollment status. A very limited number of Hotpatch-enrolled machines received the update before the issue was corrected. The update is now offered only to machines that are not enrolled to receive Hotpatch updates.

This issue only impacts Windows Server 2025 devices and virtual machines (VMs) enrolled to receive Hotpatch updates.

Workaround

  • For machines that downloaded and installed this update: Machines that installed this update are temporarily “off the Hotpatch train” and will not be offered Hotpatch updates in November and December. They will instead be offered the regular monthly security updates that require a restart of the device. After they install the planned baseline in January 2026, they will again be offered Hotpatch updates. The next planned Hotpatch update would be offered in February 2026.
  • For machines that downloaded, but have not yet installed, this update: Go to Settings > Windows Update and select Pause updates. Then un-pause and scan for updates. You will then be offered the correct update.

How do Hotpatch machines get the fix contained in this update? 

Hotpatch-enrolled machines that have not installed this update will be offered the October 24, 2025, Security Update for Windows Server Update Services (KB5070893) on top of the planned baseline update for October 2025 (KB5066835). Machines installing KB5070893 will remain “on the Hotpatch train” and will continue to receive Hotpatch updates in November and December. Only those machines that have WSUS enabled will be prompted to restart after installing the Security Update, KB5070893.

As reported by Bleeping Computer, security researchers along with the Netherlands National Cyber Security Centre (NCSC-NL) have confirmed that the remote code execution bug in Windows Server Update Services (WSUS) was being exploited in the wild.

According to data from the Shadowserver Foundation, over 2,600 WSUS servers with default ports (8530/8531) remain exposed to the internet, leaving a wide attack surface if unpatched.
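
For admins sorting out which servers fall into which bucket, here is a PowerShell triage sketch. It is an added example, not code from Microsoft or from this article; the function name `Get-WsusPatchState` is hypothetical, the sample input is constructed, and it assumes the two updates show up in `Get-HotFix` under the KB numbers quoted above.

```powershell
# Added example (not Microsoft's or the article's code). Checks only the two KBs
# named in the article; later cumulative updates are not considered (assumption).
function Get-WsusPatchState {
    param(
        [string[]]$InstalledKbs = @(),     # e.g. (Get-HotFix).HotFixID
        [bool]$WsusRoleInstalled = $false, # is the WSUS role present on this host?
        [int[]]$ListeningPorts = @()       # local TCP ports in the Listen state
    )
    $hasOob     = $InstalledKbs -contains 'KB5070881'  # OOB update that drops Hotpatch enrollment
    $hasWsusFix = $InstalledKbs -contains 'KB5070893'  # fix offered to Hotpatch-enrolled machines
    # Default WSUS ports cited in the article
    $wsusPorts  = @($ListeningPorts | Where-Object { @(8530, 8531) -contains $_ })

    $note = if ($hasOob) {
        'KB5070881 present: a Hotpatch-enrolled machine gets restart-based updates until the January 2026 baseline'
    } elseif ($hasWsusFix) {
        'KB5070893 present: Hotpatch enrollment is kept'
    } else {
        'Neither KB found'
    }
    $action = if (-not ($hasOob -or $hasWsusFix) -and $WsusRoleInstalled) {
        'Patch now: WSUS role installed without either fix'
    } elseif ($wsusPorts.Count -gt 0) {
        'Confirm 8530/8531 are not reachable from the internet'
    } else {
        'No action from this check'
    }
    [pscustomobject]@{
        FixInstalled      = ($hasOob -or $hasWsusFix)
        HotpatchNote      = $note
        WsusRoleInstalled = $WsusRoleInstalled
        WsusPortsOpen     = $wsusPorts
        Action            = $action
    }
}

# Constructed sample input: a WSUS server that took the OOB update.
Get-WsusPatchState -InstalledKbs 'KB5066835','KB5070881' -WsusRoleInstalled $true -ListeningPorts 135,445,8530,8531

# On a live Windows Server 2025 host, collect the inputs like this:
# $kbs   = (Get-HotFix).HotFixID
# $wsus  = (Get-WindowsFeature -Name UpdateServices).Installed
# $ports = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
# Get-WsusPatchState -InstalledKbs $kbs -WsusRoleInstalled $wsus -ListeningPorts $ports
```

The port check only shows that something is listening locally on 8530/8531; whether the server is reachable from the internet has to be confirmed at the firewall or from an external vantage point.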
