CVE-2023-35385
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted packets. It affects Windows servers and workstations with MSMQ enabled, particularly those exposed to untrusted networks. Attackers can gain SYSTEM-level privileges without authentication.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling data theft, ransomware deployment, lateral movement, and persistent backdoors.
Likely Case
Remote code execution leading to initial foothold, credential harvesting, and lateral movement within enterprise networks.
If Mitigated
Limited impact if MSMQ is disabled, network segmentation is enforced, and proper access controls prevent unauthorized connections.
🎯 Exploit Status
CVSS 9.8 indicates trivial exploitation with high impact. While no public PoC exists, similar MSMQ vulnerabilities have been weaponized quickly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates (KB5028166 for Windows 10/11, KB5028168 for Server 2019, KB5028180 for Server 2022)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35385
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Restart affected systems after patching.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable Microsoft Message Queuing service if not required
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
windowsBlock TCP port 1801 and UDP port 3527 at network perimeter
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527
🧯 If You Can't Patch
- Disable MSMQ service immediately on all affected systems
- Implement strict network segmentation to isolate MSMQ servers from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: Get-Service MSMQ | Select Status, StartTypeCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify July 2023 patches are installed: Get-HotFix -Id KB5028166, KB5028168, or KB5028180📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with MSMQ process creation
- Unusual network connections to port 1801/3527
- MSMQ service crash logs
Network Indicators:
- Unusual traffic patterns to MSMQ ports
- Malformed packets to port 1801
- Connection attempts from unexpected sources
SIEM Query:
source="windows" event_id=4688 process_name="*msmq*" OR destination_port=1801 OR destination_port=3527