CVE-2023-24943
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected Windows systems by sending specially crafted PGM (Pragmatic General Multicast) protocol packets. It affects Windows systems with the Windows Message Queuing service enabled and configured to use PGM. Attackers can exploit this without authentication to gain SYSTEM-level privileges.
💻 Affected Systems
- Windows Server
- Windows Client
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 20H2 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistent backdoors across the network.
Likely Case
Remote code execution leading to ransomware deployment, credential harvesting, or botnet recruitment of vulnerable systems.
If Mitigated
Limited impact if the Message Queuing service is disabled or PGM is not configured, and network segmentation keeps untrusted hosts from reaching the service.
🎯 Exploit Status
Microsoft's exploitability assessment rates this vulnerability as "Exploitation More Likely", given its high CVSS score and unauthenticated attack vector. No public proof-of-concept was available at the time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in May 2023 Patch Tuesday
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24943
Restart Required: Yes
Instructions:
1. Apply the May 2023 Windows security updates.
2. For Windows Server 2008/2012, apply the Extended Security Updates if eligible.
3. Restart systems after patching.
🔧 Temporary Workarounds
Disable Message Queuing Service
Disables the vulnerable Windows Message Queuing service to prevent exploitation (run from an elevated command prompt).
sc config MSMQ start= disabled
sc stop MSMQ
Block PGM Ports
Blocks inbound network traffic on PGM ports (1801 TCP/UDP) to prevent remote exploitation. Caveat: 1801 is the port used by the MSMQ service itself; PGM is carried as its own IP protocol (protocol number 113), so port-based rules alone do not filter PGM datagrams, and disabling the service remains the more reliable workaround.
netsh advfirewall firewall add rule name="Block PGM" dir=in action=block protocol=TCP localport=1801
netsh advfirewall firewall add rule name="Block PGM UDP" dir=in action=block protocol=UDP localport=1801
🧯 If You Can't Patch
- Disable Windows Message Queuing service if not required for business operations.
- Implement network segmentation to isolate systems with Message Queuing service from untrusted networks.
🔍 How to Verify
Check if Vulnerable:
Check whether the Message Queuing service is present and running:
sc query MSMQ
If the service exists and is running, the system may be vulnerable if PGM is configured.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the May 2023 security updates are installed (the KB number varies by Windows version):
wmic qfe list | findstr "KB5026372"
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with process creation from MSMQ service
- Unexpected service crashes (Event ID 1000) related to mqsvc.exe
Network Indicators:
- Unusual traffic on port 1801 TCP/UDP from external sources
- PGM protocol anomalies in network traffic
SIEM Query:
source="windows" event_id=4688 process_name="*" parent_process_name="mqsvc.exe"
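As an added example (not part of this advisory), the Python script below applies the two log indicators above to constructed sample events: it flags Security Event 4688 process creations whose parent image is mqsvc.exe and counts Application Event 1000 crashes of mqsvc.exe. The 4688 field names mirror the event's own XML (NewProcessName, ParentProcessName); the Event 1000 field name FaultingApplicationName is an assumption about how a log forwarder might label the faulting image.

```python
import json
import ntpath

# Constructed JSON-lines sample, not captured from a real host. 4688 field
# names follow the event XML (NewProcessName, ParentProcessName); the
# Event 1000 field name FaultingApplicationName is an assumption.
SAMPLE_LOG = r'''
{"Channel":"Security","EventID":4688,"Computer":"MQ-SRV01","NewProcessName":"C:\\Windows\\System32\\cmd.exe","ParentProcessName":"C:\\Windows\\System32\\mqsvc.exe","SubjectUserName":"MQ-SRV01$"}
{"Channel":"Security","EventID":4688,"Computer":"MQ-SRV01","NewProcessName":"C:\\Windows\\System32\\mqsvc.exe","ParentProcessName":"C:\\Windows\\System32\\services.exe","SubjectUserName":"MQ-SRV01$"}
{"Channel":"Security","EventID":4688,"Computer":"MQ-SRV01","NewProcessName":"C:\\Windows\\System32\\svchost.exe","ParentProcessName":"C:\\Windows\\System32\\services.exe","SubjectUserName":"MQ-SRV01$"}
{"Channel":"Application","EventID":1000,"Computer":"MQ-SRV01","FaultingApplicationName":"mqsvc.exe"}
{"Channel":"Application","EventID":1000,"Computer":"MQ-SRV01","FaultingApplicationName":"notepad.exe"}
'''

MSMQ_IMAGE = "mqsvc.exe"

def parse_events(text):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed forwarder output must not abort triage
    return events

def is_msmq_child(ev):
    """True for a 4688 whose parent image is mqsvc.exe (any path or case)."""
    parent = ntpath.basename(ev.get("ParentProcessName", "")).lower()
    return ev.get("EventID") == 4688 and parent == MSMQ_IMAGE

def is_msmq_crash(ev):
    """True for an Application 1000 whose faulting image is mqsvc.exe."""
    app = ntpath.basename(ev.get("FaultingApplicationName", "")).lower()
    return ev.get("EventID") == 1000 and app == MSMQ_IMAGE

def analyze(text):
    """Return flagged (host, child image) pairs and the mqsvc.exe crash count."""
    events = parse_events(text)
    spawns = [(ev["Computer"], ntpath.basename(ev["NewProcessName"]))
              for ev in events if is_msmq_child(ev)]
    crashes = sum(1 for ev in events if is_msmq_crash(ev))
    return {"spawns": spawns, "crashes": crashes}

if __name__ == "__main__":
    for host, child in analyze(SAMPLE_LOG)["spawns"]:
        print(f"ALERT {host}: {MSMQ_IMAGE} spawned {child}")
```

mqsvc.exe normally spawns no child processes, so any hit from is_msmq_child deserves triage rather than an allowlist.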