Hotpatching Havoc: Microsoft's WSUS Patch Creates a Stir
Imagine a critical security patch, designed to fortify your Windows Server 2025, unexpectedly becoming the very thing that disrupts your system's stability. That's the intriguing dilemma we're diving into today. But here's where it gets controversial: this patch, while fixing a serious vulnerability, inadvertently broke hotpatching for some servers, leaving admins scrambling for solutions.
Let's unravel this complex issue, step by step, and explore how Microsoft's response offers a much-needed fix.
The WSUS Vulnerability: A Serious Threat
The Windows Server Update Service (WSUS) vulnerability, tracked as CVE-2025-59287, was a serious concern. It allowed a malicious actor to execute arbitrary code on a targeted server; in an enterprise environment, a single crafted request could therefore lead to remote code execution.
Hotpatching Disrupted: The Unintended Consequence
Last month, Microsoft released an urgent security update (KB5070881) to address this critical WSUS vulnerability. However, the update had an unintended side effect: it disabled hotpatching on some Windows Server 2025 machines enrolled in the Hotpatch program. This meant that a limited number of servers lost their enrollment status, impacting their ability to receive hotpatch updates.
Microsoft acknowledged the issue, stating, "A very limited number of Hotpatch-enrolled machines received the update before the issue was corrected." The company further clarified that only Windows Server 2025 devices and virtual machines enrolled for Hotpatch updates were affected.
The Impact and the Solution
The KB5070881 update caused affected servers to miss the hotpatch updates for November and December. Those servers were forced to rely on standard cumulative updates, which require system restarts. The issue would persist until the January 2026 baseline update, which would restore hotpatching functionality.
But here's the good news: Microsoft swiftly released a new update (KB5070893) that patches the vulnerability without disrupting hotpatching. Administrators who downloaded the previous update can now receive KB5070893 by unpausing and scanning again through Settings > Windows Update. Microsoft assures that servers installing this new update will continue to receive Hotpatch updates in November and December.
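For admins who want to know where their servers stand, the following PowerShell function is an added example (not the article's or Microsoft's code) that checks which of the two updates named above a host reports as installed and says whether the Windows Update rescan is still needed. It assumes Get-HotFix lists the cumulative update IDs (it can miss some packages, so "neither found" means verify in Windows Update history, not "safe") and it does not read hotpatch enrollment status, which the article gives no way to query.

```powershell
# Added example: classify hosts by which WSUS update (KB5070881 vs KB5070893) is installed.
# Assumption: Win32_QuickFixEngineering (Get-HotFix) reports these IDs; it may omit some.
function Get-WsusPatchState {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$DisruptiveKb   = 'KB5070881',  # fixed CVE-2025-59287 but broke hotpatching
        [string]$FixedKb        = 'KB5070893'   # replacement that keeps hotpatching intact
    )

    foreach ($computer in $ComputerName) {
        $os = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer).Caption
        $installed = Get-HotFix -ComputerName $computer | Select-Object -ExpandProperty HotFixID

        $hasDisruptive = $installed -contains $DisruptiveKb
        $hasFixed      = $installed -contains $FixedKb

        # Per the article, KB5070893 supersedes the problem: once present, hotpatch
        # delivery for November/December should continue.
        $state = if ($hasFixed) {
            'OK: KB5070893 present; hotpatch delivery should continue'
        } elseif ($hasDisruptive) {
            'ACTION: only KB5070881 present; unpause Windows Update and scan to get KB5070893'
        } else {
            'UNKNOWN: neither ID reported by Get-HotFix; check Windows Update history'
        }

        [pscustomobject]@{
            ComputerName     = $computer
            OperatingSystem  = $os
            # The article says only Windows Server 2025 hosts/VMs were affected.
            AffectedOsFamily = $os -like '*Server 2025*'
            HasKB5070881     = $hasDisruptive
            HasKB5070893     = $hasFixed
            State            = $state
        }
    }
}

# Run locally; pass -ComputerName with a list to sweep several servers at once.
Get-WsusPatchState | Format-List
```

Run it before and after the rescan described above to confirm that KB5070893 actually landed rather than assuming the scan succeeded.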
Microsoft's Additional Measures
Microsoft also implemented changes to WSUS error reporting, hiding synchronization error details. Additionally, the company addressed unrelated issues, including problems with Windows 11's Task Manager, Media Creation Tool, and update errors on Windows 11 version 24H2.
Final Thoughts and a Question for You
Microsoft's quick response and new update offer a much-needed resolution to this hotpatching dilemma. But it raises an important question: how can we ensure that critical security patches don't inadvertently cause such disruptions in the future? Share your thoughts and opinions in the comments below! We'd love to hear your insights on this complex issue.