A WSUS security fix accidentally disrupted hotpatching on Windows Server 2025 systems.
Key Takeaways:
A recent Microsoft security fix for a critical WSUS vulnerability has unintentionally disrupted hotpatching on Windows Server 2025 systems. The update ended up disabling restart-free patching for some servers, forcing admins to rely on traditional cumulative updates until January 2026.
The Windows Server Update Services (WSUS) vulnerability, tracked as CVE-2025-59287, stems from a flaw in how WSUS handled certain requests and could enable remote code execution. A malicious actor could craft a request that bypassed security checks and executed arbitrary code on a targeted server, a serious risk for enterprise environments where WSUS distributes updates to every managed host.
Last month, Microsoft released an out-of-band (OOB) security update (KB5070881) to fix this critical WSUS vulnerability that was actively being exploited. However, this update accidentally disabled hotpatching on some Windows Server 2025 machines enrolled in the Hotpatch program.
“A very limited number of Hotpatch-enrolled machines received the update before the issue was corrected. The update is now offered only to machines that are not enrolled to receive Hotpatch updates,” Microsoft says. “This issue only impacts Windows Server 2025 devices and virtual machines (VMs) enrolled to receive Hotpatch updates.”
The KB5070881 update inadvertently caused systems enrolled in Windows Server’s hotpatching program to lose their enrollment status. Consequently, affected servers will not receive hotpatch updates for November and December, and must rely on standard cumulative updates that require system restarts. This problem will persist until the January 2026 baseline update is installed, which will restore hotpatching functionality and resume restart-free patching.
Fortunately, Microsoft has released a new update (KB5070893) that patches the vulnerability without breaking hotpatching. Administrators who downloaded KB5070881 but haven’t installed it can go to Settings > Windows Update, then unpause and scan again to receive KB5070893 instead. Microsoft says that Windows Server machines that install this new update will continue to receive Hotpatch updates in November and December.
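As an added triage aid (not from the article or from Microsoft), the following PowerShell snippet reports which of the two fixes a Windows Server 2025 host has installed and, if neither is present, asks the Windows Update Agent whether KB5070893 is currently being offered. It uses only the standard Get-HotFix cmdlet and the Microsoft.Update.Session COM API; run it in an elevated session.

```powershell
# Added example: triage the KB5070881 / KB5070893 state on a Hotpatch-enrolled host.
$ProblemKb   = 'KB5070881'   # out-of-band fix that drops Hotpatch enrollment
$CorrectedKb = 'KB5070893'   # replacement fix that keeps Hotpatch enrollment

# Which of the two updates (if any) is already installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -in @($ProblemKb, $CorrectedKb) }

if ($installed.HotFixID -contains $CorrectedKb) {
    Write-Output "$CorrectedKb is installed; Hotpatch enrollment should be retained."
}
elseif ($installed.HotFixID -contains $ProblemKb) {
    Write-Output "$ProblemKb is installed; expect restart-requiring cumulative updates until the January 2026 baseline."
}
else {
    Write-Output "Neither update is installed; checking what Windows Update currently offers..."
    # Windows Update Agent COM API: list applicable updates not yet installed on this host.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $offered  = @($result.Updates | Where-Object {
        $kbs = @($_.KBArticleIDs | ForEach-Object { "KB$_" })
        ($kbs -contains $CorrectedKb) -or ($kbs -contains $ProblemKb)
    })
    foreach ($u in $offered) {
        Write-Output ("Offered: {0} (KB{1})" -f $u.Title, (@($u.KBArticleIDs) -join ', KB'))
    }
    if ($offered.Count -eq 0) {
        Write-Output "Neither KB is currently offered; unpause updates in Settings > Windows Update and rescan."
    }
}
```

If the scan still offers KB5070881 on a Hotpatch-enrolled host, decline it and rescan rather than installing, since KB5070893 is the update that preserves restart-free patching.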
Microsoft also made changes to WSUS error reporting to hide synchronization error details. Other unrelated fixes include resolving issues with Windows 11 Task Manager, Media Creation Tool, and update errors on Windows 11 version 24H2.