PowerShell script to force the out-of-band patches for the WSUS exploit fully automatically on WSUS.
WSUS Out-of-Band Patch Installer – Overview (CVE-2025-59287), automatic for all OS versions
Run our emergency script directly on your WSUS server.
- The 24.10.2025 emergency patches themselves are in WSUS. If they are approved there, our script will install them from there.
- If the 24.10.2025 emergency patches are NOT approved in your WSUS, it will download them directly from Microsoft, install them and reboot the server.
- If you install the out-of-band patches via PowerShell, they may not appear in the Windows Server 2025 GUI under history ("Verlauf" in the German GUI). See the end of the screenshot, and check with Get-HotFix -Id KB5070881 or WMI.
Affected OS:
"Windows Server 2025" = "KB5070881"
"Windows Server 23H2" = "KB5070879"
"Windows Server 2022" = "KB5070884"
"Windows Server 2019" = "KB5070883"
"Windows Server 2016" = "KB5070882"
"Windows Server 2012 R2" = "KB5070886"
"Windows Server 2012" = "KB5070887"
Purpose: Automatically installs the correct October 2025 Out-of-Band (OOB) security patch for CVE-2025-59287 on the local WSUS server, verifying installation and rebooting if required. If the patch is not approved or available in WSUS, it automatically retrieves it from Microsoft Update instead.
Main Functions:
- Logging & Transcript: Creates a timestamped log file in the same folder where the script runs (startup folder). Captures full console output for audit and troubleshooting.
- OS Detection & KB Mapping: Detects the local Windows Server version (2012 → 2025) and maps it to the corresponding KB (e.g., KB5070884 for Server 2022).
- WSUS Role Verification: Checks if the WSUS role is installed, exits cleanly if not present.
- Patch Status Check: Searches via Win32_QuickFixEngineering and Get-HotFix to confirm if the patch exists and identifies its source (Manual, WSUS, or Microsoft Update).
- PSWindowsUpdate Setup: Installs/imports PSWindowsUpdate module if missing and registers Microsoft Update as a fallback.
- Patch Installation Logic: Attempts WSUS installation first; falls back to Microsoft Update if WSUS does not have or approve the KB.
- Verification Phase: Confirms the KB is installed and reports its source.
- Reboot Handling: Detects if a reboot is required and restarts automatically if needed.
- WSUS Audit / IOC Snapshot: Queries WSUS for the 10 most recently added/modified updates. Prints them for quick IOC review. Logs a warning if access fails.
- Failsafe & Clean Exit: All operations use try/catch; exits with clear success/failure messages and maintains full transcript.
End Result: Correct OOB patch installed, automatically falling back to Microsoft Update if needed, logs every step, reboots safely, and provides WSUS change audit.
notfall_wsus.ps1
Download from:
https://www.butsch.ch/wp-content/uploads/tools/wsus/notfall_wsus.ps1
Check on VirusTotal:
VirusTotal – File – b9a7206f888384361ae732cd8a57fe273575becbfd7b20f26ca615ee7d6425bc
FAQ: Server 2025 does not show it but it is installed
- If you install the out-of-band patches via PowerShell, they may not appear in the Windows Server 2025 GUI under history ("Verlauf" in the German GUI).
The only way you will see the patches as installed is maybe with:
Get-HotFix -Id KB5070881
Get-WmiObject -Query "SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID='KB5070881'"
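
A read-only check that generalizes the two commands above to every OS in the list, as an added example (it is not part of notfall_wsus.ps1 and not the author's code): it picks the KB for the local server, queries Get-HotFix and Win32_QuickFixEngineering, and reports whether a reboot is still pending. The build-number mapping, the function name Test-WsusOobPatch and the two reboot registry keys are assumptions of this example; the KB numbers are the ones listed on this page.

```powershell
# Added example, not taken from notfall_wsus.ps1. Changes nothing on the system.
# KB numbers come from the list on this page; mapping them by OS build number
# is an assumption of this example.
$KbByBuild = @{
    '26100' = 'KB5070881'   # Windows Server 2025
    '25398' = 'KB5070879'   # Windows Server 23H2
    '20348' = 'KB5070884'   # Windows Server 2022
    '17763' = 'KB5070883'   # Windows Server 2019
    '14393' = 'KB5070882'   # Windows Server 2016
    '9600'  = 'KB5070886'   # Windows Server 2012 R2
    '9200'  = 'KB5070887'   # Windows Server 2012
}

function Test-WsusOobPatch {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Client builds share numbers with server builds (e.g. 26100), so require a server SKU.
    if ($os.ProductType -eq 1) { throw "Not a server OS: $($os.Caption)" }

    $kb = $KbByBuild[[string]$os.BuildNumber]
    if (-not $kb) { throw "No KB mapped for build $($os.BuildNumber) ($($os.Caption))." }

    # Get-HotFix raises an error when the KB is absent, so suppress it and test for $null.
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    $qfe    = Get-CimInstance -ClassName Win32_QuickFixEngineering -Filter "HotFixID='$kb'"

    # Common reboot-pending markers (assumed; the page does not say which ones the script reads).
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $os.BuildNumber
        ExpectedKB    = $kb
        WsusRole      = [bool](Get-WindowsFeature -Name UpdateServices).Installed
        InGetHotFix   = [bool]$hotfix
        InQfe         = [bool]$qfe
        InstalledOn   = $hotfix.InstalledOn
        InstalledBy   = $hotfix.InstalledBy
        RebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })
    }
}

Test-WsusOobPatch | Format-List
```

If InGetHotFix and InQfe are both False while WsusRole is True, the server is still missing the patch for its OS; RebootPending being True after an install means the update is staged but not yet active.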

Sample older OS version





