CVE-2023-36592
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted packets. It affects Windows systems with MSMQ enabled, particularly those exposed to untrusted networks. Attackers could gain SYSTEM privileges on compromised systems.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling lateral movement, data exfiltration, and persistent backdoor installation across the network.
Likely Case
Remote code execution leading to malware deployment, ransomware installation, or credential harvesting from the compromised system.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only affecting isolated MSMQ services.
🎯 Exploit Status
Exploitation requires sending specially crafted packets to the MSMQ service (TCP port 1801 by default). No authentication is required if the service is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: October 2023 security updates (KB5031358 for Windows 10, KB5031362 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36592
Restart Required: Yes
Instructions:
1. Apply October 2023 Windows security updates from Windows Update. 2. Restart affected systems. 3. Verify MSMQ service is updated to patched version.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsCompletely disable Microsoft Message Queuing service if not required
sc config MSMQ start= disabled
net stop MSMQ
Block MSMQ Ports
windowsBlock network access to MSMQ ports (TCP 1801, UDP 3527, 1805, 2103, 2105)
New-NetFirewallRule -DisplayName "Block MSMQ" -Direction Inbound -LocalPort 1801,3527,1805,2103,2105 -Protocol TCP,UDP -Action Block
🧯 If You Can't Patch
- Disable MSMQ service on all affected systems immediately
- Implement strict network segmentation to isolate MSMQ services from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: Get-Service MSMQ | Select Status, StartType. Check Windows version with October 2023 patches.Check Version:
wmic qfe list | findstr KB5031358 KB5031362 KB5031361 KB5031360Verify Fix Applied:
Verify Windows is updated to October 2023 or later security updates: systeminfo | findstr /B /C:"OS Name" /C:"OS Version". Confirm MSMQ service version is updated.📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with MSMQ process creation
- MSMQ service crashes in System logs
- Unusual network connections to port 1801
Network Indicators:
- Unusual traffic to TCP port 1801 from external sources
- MSMQ protocol anomalies in network traffic
SIEM Query:
source="windows" (EventCode=4688 AND NewProcessName="*msmq*") OR (EventCode=7034 AND ServiceName="MSMQ")