Just as Windows 10 has reached its end of life (EOL), issues with Windows 11 abound, the most recent an update that broke localhost for some developers, preventing them from accessing web apps running locally on their machines.
The October 2025 cumulative update, (KB5066835), addressed security issues in Windows operating systems (OSes), but also appears to have blocked Windows’ ability to talk within itself.
Localhost allows apps and services to communicate internally without using internet or external network access. Developers use the function to develop, test, and debug websites and apps locally on a Windows machine before releasing them to the public.
“For anyone doing software development, this is huge,” said David Shipley of Beauceron Security.
The problem has been widely reported on Microsoft support forums as well as on other developer sites such as Stack Overflow and Stack Exchange. Microsoft has confirmed the bug; an updated Windows release health page describes the issue and its suggested mitigations.
Impacting the way devs do their work
KB5066835 is an October 2025 cumulative update for Windows 11 versions 24H2 and 25H2. It was preceded by a preview update, KB5065789, released on September 29, 2025, both addressing issues including problems with print preview in Chromium-based browsers, command time-outs impacting auditing in PowerShell Remoting and Windows Remote Management (WinRM), and persistent error messages in Windows Hello setup.
But developers have reported a few unexpected issues as well, including connection failures and HTTP/2 protocol issues impacting various development tools such as ASP.NET and Visual Studio.
Mitigation
Some developers have been able to get around these significant glitches by uninstalling the KB5066835 package, rebooting, and then pausing Windows updates so it won’t be automatically reinstalled. Others, however, have reported in online forums that their attempts to uninstall KB5066835 were unsuccessful, and that they had to instead remove the previous KB5065789 September package. If neither of those tactics worked, users suggested opening Windows Features and turning off Hyper-V, IIS, Windows Process Activation Service, and .NET Framework 3.5 and 4.8.
Microsoft responded by attributing the issue to a “variety of conditions,” including internet connectivity and the “timing of recent update installation and device restarts,” and says it is possible it may not be observed at all in some environments.
Its suggested mitigation is via Known Issue Rollback to remove the offending updates; this will be resolved automatically for home and unmanaged business devices, it said, and can be deployed using a special Group Policy in enterprises.
The company also suggested trying the following steps:
- Open “Windows Update” in the “Windows Settings” app.
- Click on “Check for updates” and allow any updates to install.
- Restart the device (even if no updates were installed in the previous step).
“We are working on releasing a resolution for this issue in a future Windows update,” Microsoft said. “We will provide an update when more information is available.”
Disruption and frustration
“This is affecting local development as well as business applications,” one user wrote on a Microsoft-hosted forum. They reported that when the update is removed, “everything works again.”
The localhost loopback connection is a “fundamental” element of Windows that developers and enterprises quietly rely on every day, explained Erik Avakian, a technical counselor at Info-Tech Research Group. “Localhost serves as a sort of backbone for how many modern apps are built and tested.”
When localhost stops working, entire application development environments can be impacted or “even grind to a halt,” causing internal processes and services to fail and stop communicating, he pointed out. This means developers are unable to test or run web applications locally.
This issue is really about “denial of service,” where tools and processes dependent on internal loopback services break, he noted. Developers can’t debug locally, and automated testing processes can fail. At the same time, IT departments are left to troubleshoot, field an influx of service tickets, roll back patches, and look for workarounds.
“This bug is definitely disruptive enough to cause delays, lost productivity, and frustration across teams,” said Avakian. “All of those equate to real dollars in user time on task and business process disruption.”
Microsoft quality control in doubt: Something so fundamental shouldn’t break
From an economic impact point of view, software developers may each have lost a half day to a day or more due to this issue, noted Beauceron’s Shipley. “That adds up quickly,” he said.
He even went so far as to say that, depending on the number of developers impacted worldwide, this bug could have as large an impact as the widespread CrowdStrike outage in July 2024 that halted flights and took millions of companies temporarily offline.
“If people are rolling back this update, which includes security fixes, for high value targets like developers, this creates a huge risk,” said Shipley.
Having developers step back from automatic patching and take the old approach of waiting a few weeks before applying patches is “massively more dangerous” today, given the speed at which AI-enabled vulnerability development now operates (15 minutes or less), he noted.
“I’d love to see a post-mortem on how this mess happened and if there’s a role here that bad AI code or testing played in it,” said Shipley.
Info-Tech’s Avakian agreed that developers are being forced to pick between two bad options: “staying patched and secure [but unproductive] versus staying functional and productive.”
This type of issue underscores the importance of quality control and thorough testing by third-party suppliers and vendors before releasing updates to commercial markets, he said. Not doing so can have significant downstream impacts and “erode trust” in the update process while making teams more cautious about patching.
“Localhost is really one of the most basic pieces of the Windows networking stack,” said Avakian. “Something so fundamental shouldn’t fall through the cracks when testing update releases.”
He pointed out that the situation is also a great reminder to IT teams to stage updates in test environments first, test various critical business processes throughout the enterprise with each update iteration, and build runbooks with rollback plans and dependencies that map to business processes.
“When these disruptions are multiplied across dozens or hundreds of dev machines, it can amount to a high cost in time, delays, and coordination of the IT teams,” said Avakian.
