Windows admins should quickly apply the patch for a “critical” vulnerability in the Microsoft Message Queuing service (MSMQ) in Windows and Windows Server. If attacks are successful, attackers could execute malicious code and completely compromise systems.
The gap
The vulnerability (CVE-2023-21554) was closed on Patch Tuesday in April. As a prerequisite for attacks, the MSMQ server must be active, which is not the case by default. However, the service is often activated in the course of Exchange installations, so the gap should not be underestimated. To check if systems are vulnerable, admins should check if the “Message Queuing” service is running and listening on TCP port 1801. According to a warning from Microsoft, Windows 10, 11 and many Windows Server versions such as 20H2 are affected.
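The check described above, written as a PowerShell function (an added example, not from Microsoft or the researchers). It assumes the service short name `MSMQ` for the “Message Queuing” service; the function name and the `-ComputerName` parameter are hypothetical, and remote checks require PowerShell remoting. It reports exposure only and does not verify whether the April update is installed.

```powershell
# Added example: report whether MSMQ is installed, running, and listening on TCP 1801.
# Assumption: the service short name is "MSMQ" (display name "Message Queuing").
function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: hosts to check via PowerShell remoting; empty = local machine.
        [string[]]$ComputerName = @()
    )

    $check = {
        $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
        $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

        # Resolve which process owns the listener, to confirm it really is MSMQ.
        $owners = @($listeners | ForEach-Object {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } | Sort-Object -Unique)

        # Addresses such as 0.0.0.0 or :: mean the port is bound on every interface.
        $addresses = @($listeners | Select-Object -ExpandProperty LocalAddress | Sort-Object -Unique)

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            ServiceInstalled = [bool]$svc
            ServiceStatus    = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            StartType        = if ($svc) { [string]$svc.StartType } else { $null }
            ListeningOn1801  = ($listeners.Count -gt 0)
            BoundAddresses   = $addresses -join ', '
            OwningProcess    = $owners -join ', '
            # Matches the article's condition: service running and port 1801 listening.
            NeedsAttention   = [bool]($svc -and $svc.Status -eq 'Running' -and $listeners.Count -gt 0)
        }
    }

    if ($ComputerName.Count -eq 0) {
        & $check
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ErrorAction Continue |
            Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
    }
}

Test-MsmqExposure | Format-List
```

A host with `NeedsAttention` set to `True` meets the precondition named above and should be prioritized for the update.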
Message Queuing is a messaging infrastructure and development platform. Message queuing applications can use this to communicate with PCs that may be offline. The service is designed to guarantee message delivery.
Check Point security researchers discovered the vulnerability. According to them, attackers would only have to send their exploit code to TCP port 1801 of MSMQ servers to trigger an attack.
Patch now!
According to scans by Shadowserver, the MSMQ service is publicly available on over 400,000 Windows systems worldwide. If these systems are not yet patched, attackers could strike. The majority of these can be found in Hong Kong with 160,000 instances. In the US, there are around 57,000. Almost 8,000 systems are publicly accessible in Germany.