Full Report
An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices. [...]
Analysis Summary
# Vulnerability: Actively Exploited WSUS RCE Flaw Patch Breaks Windows Server Hotpatching
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: Not stated in the source; severity is rated Critical (derived from its exploitation as an RCE flaw)
- CWE: Not explicitly stated, but associated with Remote Code Execution.
## Affected Systems
- Products: Windows Server Update Services (WSUS) component on Windows Server 2025.
- Versions: Windows Server 2025 devices enrolled to receive "Hotpatch" updates.
- Configurations: Affects systems that installed the out-of-band update KB5070881 *before* the issue was corrected.
## Vulnerability Description
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS). An initial Out-of-Band (OOB) patch, KB5070881, released to fix this flaw has been found to break the "hotpatching" enrollment status on a limited number of Windows Server 2025 devices. Systems that lose hotpatch enrollment revert to standard monthly updates, which require a restart.
## Exploitation
- Status: Exploited in the wild
- Complexity: Not explicitly stated, but RCE flaws often imply Medium to High complexity.
- Attack Vector: Network (Implied, as WSUS is a network service)
## Impact
- Confidentiality: Undetermined (Likely High due to RCE)
- Integrity: Undetermined (Likely High due to RCE)
- Availability: Impacted systems lost eligibility for hotpatch updates, forcing installation of standard updates requiring a restart.
## Remediation
### Patches
- **Initial Patch (Causing Issue):** KB5070881 (Released Oct 23, 2025). **Note:** This update should *not* be installed on Hotpatch-enrolled Server 2025 systems if the replacement patch is available.
- **Corrected Patch (Fixes RCE without breaking hotpatching):** KB5070893 (Released Oct 24, 2025).
- **Baseline Update:** KB5066835 (October 2025 baseline update).
### Workarounds
1. **For systems that have *not* installed KB5070881:**
   * Go to Settings > Windows Update.
   * Select **Pause updates**.
   * **Unpause updates** and **Scan for updates** to receive KB5070893 instead.
2. **For systems that *have* installed KB5070881 (and lost hotpatch enrollment):**
   * These systems will no longer receive hotpatch updates for November and December.
   * They will receive regular monthly security updates (which require a restart) and will rejoin the hotpatch rollout after installing the January 2026 baseline update.
3. Disable display of synchronization error details within WSUS error reporting (Microsoft action to mitigate details exposed by the RCE fix).
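As an added example (not code from the article or from Microsoft), the following PowerShell audit reports which of the patches listed above a Windows Server 2025 host has installed and flags the at-risk state where only KB5070881 is present. It assumes the packages are visible to `Get-HotFix` and that the `ServerManager` module is available for the WSUS role check.

```powershell
# Added example: audit a host for the CVE-2025-59287 patch state described above.
# Assumes rights to query installed hotfixes (locally or on $ComputerName).
$ProblemKb   = 'KB5070881'   # OOB patch that breaks hotpatch enrollment
$CorrectedKb = 'KB5070893'   # re-released patch that fixes the RCE without that regression
$BaselineKb  = 'KB5066835'   # October 2025 baseline update

function Get-WsusPatchState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Get-HotFix reads Win32_QuickFixEngineering; IDs are strings such as 'KB5070893'.
    # Treat an absent ID as a prompt to confirm in Windows Update history, not as proof.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                 Select-Object -ExpandProperty HotFixID

    $hasProblem   = $installed -contains $ProblemKb
    $hasCorrected = $installed -contains $CorrectedKb
    $hasBaseline  = $installed -contains $BaselineKb

    # Windows Server 2025 is OS build 26100 (the build named in the advisory URLs).
    $build = (Get-CimInstance Win32_OperatingSystem -ComputerName $ComputerName).BuildNumber

    $state = if ($hasCorrected) { 'Patched (KB5070893 present)' }
             elseif ($hasProblem) { 'RCE patched, but hotpatch enrollment likely lost (KB5070881 only)' }
             else { 'NOT patched for CVE-2025-59287' }

    [pscustomobject]@{
        Computer     = $ComputerName
        OsBuild      = $build
        IsServer2025 = ($build -eq '26100')
        Baseline     = $hasBaseline
        KB5070881    = $hasProblem
        KB5070893    = $hasCorrected
        State        = $state
    }
}

# WSUS role presence via the ServerManager module shipped with Windows Server.
function Test-WsusRoleInstalled {
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

Get-WsusPatchState | Format-List
"WSUS role installed: $(Test-WsusRoleInstalled)"
```

Run it against each Server 2025 host in the WSUS estate; hosts reporting the "KB5070881 only" state are the ones that will miss the November and December hotpatch cycles described above.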
## Detection
- **Indicators of Compromise:** The article does not list specific IoCs for CVE-2025-59287 itself, only that it is being actively exploited.
- **Detection Methods and Tools:** Monitoring network traffic associated with WSUS endpoints (ports 8530/8531) for unusual activity, though no specific detection signatures were provided in this context.
## References
- Vendor Advisory (KB5070881): hxxps://support.microsoft.com/en-us/topic/october-23-2025-kb5070881-os-build-26100-6905-out-of-band-8e7ac742-6785-4677-87e4-b73dd8ac0122
- Vendor Advisory (KB5070893): hxxps://support.microsoft.com/en-us/topic/october-24-2025-kb5070893-os-build-26100-6905-security-update-for-windows-server-update-services-78f3720c-9511-4deb-b0d7-7bed2016fefd
- PoC Availability Reference: hxxp://hawktrace.com/blog/CVE-2025-59287