KB5070882 is not a routine patch. It is an out-of-band emergency update that Microsoft released on October 23, 2025 for Windows Server 2016, outside the normal Patch Tuesday cycle — which is Microsoft’s way of saying do not wait.
It exists to close a remote code execution vulnerability in Windows Server Update Services, tracked as CVE-2025-59287. The flaw was serious enough that CISA added it to its Known Exploited Vulnerabilities catalogue, meaning attacks were observed in the wild, not merely theorised.
If you run WSUS on Server 2016 and you have not applied KB5070882, that is the task for today. This guide covers how to deploy it, what to do if you cannot patch immediately, and how to confirm it actually took.
⚠️ Read this first
If you cannot install KB5070882 right now, do not simply leave the server exposed and plan to patch next week. Apply a mitigation today — either disable the WSUS Server role, or block inbound traffic to ports 8530 and 8531 at the firewall. An actively exploited RCE on an internet-reachable WSUS server is not a risk you sit on. Mitigate now, patch properly when you have a window.
Table of Contents
- What KB5070882 fixes
- Are you actually affected?
- Step 1: Deploy KB5070882 now
- Step 2: If you can’t patch today, mitigate
- Step 3: Confirm the update installed
- Step 4: If KB5070882 fails to install
- Step 5: Patch the rest of the fleet
- FAQ
What KB5070882 Fixes
KB5070882 is an out-of-band update for Windows Server 2016 that takes the OS to build 14393.8524. It carries forward the fixes from the October 14, 2025 cumulative update, so it is not a narrow hotfix bolted onto an old baseline.
Its primary purpose is one thing: closing a remote code execution vulnerability in the WSUS reporting web services. Exploited successfully, that flaw could allow an attacker to execute arbitrary code on the WSUS server — and a WSUS server is, by design, trusted by every machine it patches. Compromising it is close to a worst case in a Windows environment.
That is why KB5070882 shipped out-of-band rather than waiting nine days for November’s Patch Tuesday.
Are You Actually Affected?
Here is the good news, and it narrows the problem considerably: only servers with the WSUS Server role enabled are vulnerable.
A Windows Server 2016 box that has never had WSUS installed is not exposed to this particular flaw. You should still be patching it, but KB5070882 is not the five-alarm emergency for that machine that it is for a WSUS host.
So before anything else, establish where WSUS is actually running in your environment. In many organisations the answer is “one server, and nobody has thought about it in two years” — which is precisely the kind of box that stays unpatched.
Step 1: Deploy KB5070882 Now
Microsoft has stated that no prior updates are required before installing this patch — which removes the usual excuse of a long prerequisite chain. You can go straight to it.
Install KB5070882 through Windows Update, or pull the standalone package directly from the Microsoft Update Catalog if the server is isolated or your update pipeline is unreliable.
Reboot when it asks. Do not defer the reboot on a security patch of this class — the fix is not fully in effect until the server restarts.
Step 2: If You Can’t Patch Today, Mitigate
Change control exists for good reasons, and sometimes you genuinely cannot reboot a production server on a Thursday afternoon. Fine. But do not do nothing.
Microsoft’s guidance for organisations that cannot immediately apply KB5070882 offers two mitigations:
Option A — Disable the WSUS Server role. This removes the vulnerable component entirely. Clients stop receiving updates from that server until you restore it, which is disruptive, but a WSUS outage is a far smaller problem than a compromised WSUS server.
Option B — Block inbound traffic to ports 8530 and 8531. These are the ports WSUS listens on. Blocking them at the host firewall cuts off the attack path while leaving the role installed.
Neither is a fix. Both are stopgaps that buy you the time to schedule KB5070882 properly. Set a deadline and hold it.
Step 3: Confirm the Update Installed
Do not assume. Verify.
Run winver and check for OS Build 14393.8524. Cross-check by looking at the installed updates list for KB5070882 specifically. In PowerShell, Get-HotFix will list it directly.
This step matters more than usual here. Out-of-band updates are sometimes not offered through internal WSUS instances if the metadata has not synchronised — which produces the darkly ironic situation of a WSUS server failing to deliver the patch that fixes WSUS. Verify per-server rather than trusting a dashboard.
Step 4: If KB5070882 Fails to Install
Server 2016 boxes that have gone months without a successful cumulative update frequently choke on this one too, typically failing at reboot with “We couldn’t complete the updates. Undoing changes.”
The sequence that resolves most of these:
1. Repair the component store.
sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth
Reboot between them, then retry KB5070882.
2. Try a clean boot. Real-world reports describe KB5070882 failing under a normal boot and installing successfully in a clean boot state, with third-party services disabled. High resource usage and interfering agents — antivirus and backup software in particular — are the common culprits. This is a genuinely effective step, not a formality.
3. Install manually. Download the .msu from the Update Catalog and run it directly rather than through a deployment wrapper.
4. Check the CBS log. C:\Windows\Logs\CBS\CBS.log will name the specific missing or corrupt component. Search it for the error code rather than reading it linearly.
If none of that works, an in-place repair upgrade from a matching ISO is the remaining option — and it should prompt a harder conversation about whether this server should still be in production.
Step 5: Patch the Rest of the Fleet
KB5070882 is the Server 2016 package. The same WSUS vulnerability was patched across the whole supported range on the same day, with a different KB per OS version:
| Operating system | Update |
|---|---|
| Windows Server 2025 | KB5070881 |
| Windows Server 23H2 | KB5070879 |
| Windows Server 2022 | KB5070884 |
| Windows Server 2019 | KB5070883 |
| Windows Server 2016 | KB5070882 |
| Windows Server 2012 R2 | KB5070886 |
| Windows Server 2012 | KB5070887 |
Patching your Server 2016 WSUS host and leaving a Server 2019 WSUS host untouched fixes nothing. Inventory every machine with the WSUS role and cover them all.
FAQ About KB5070882
What build does KB5070882 install? OS Build 14393.8524 on Windows Server 2016.
Do I need earlier updates before installing KB5070882? No. Microsoft has confirmed no prior updates are required, which is why this can be deployed quickly on servers that have fallen behind.
Is my server vulnerable if WSUS isn’t installed? Not to this specific flaw. Only servers with the WSUS Server role enabled are affected. Patch anyway — but KB5070882 is not an emergency for that box.
Is CVE-2025-59287 actually being exploited? CISA added it to the Known Exploited Vulnerabilities catalogue, which is the formal signal that exploitation has been observed. Treat it accordingly.
Can I just block ports 8530 and 8531 permanently instead of patching? No. That mitigation blocks one path to one vulnerability. KB5070882 is a cumulative update that also carries the October 2025 security fixes. Blocking ports is a bridge, not a destination.
If this incident has surfaced how much of your estate is still running Windows Server 2016 — a version now well past mainstream support — Kymakers supplies genuine Windows Server 2022 and Windows Server 2025 licenses with instant delivery and activation support. Our Server 2019 end of life guide lays out the lifecycle dates, and the download, install, and activate walkthrough covers deployment. Patch first. Plan the migration after.
Official Microsoft reference: KB5070882 release notes







