CVE-2023-36910
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted packets. Attackers can gain SYSTEM privileges without authentication. Affects Windows systems with MSMQ enabled.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, or disrupt operations.
Likely Case
Remote code execution leading to ransomware deployment, data exfiltration, or creation of persistent backdoors.
If Mitigated
Limited impact if MSMQ is disabled or properly firewalled, though other vulnerabilities could still be exploited.
🎯 Exploit Status
Exploitation requires sending specially crafted packets to MSMQ service. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36910
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates. 2. Restart affected systems. 3. Verify MSMQ service is updated.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable Microsoft Message Queuing service if not required
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
windowsBlock network access to MSMQ ports (TCP 1801, TCP 2103, TCP 2105, UDP 3527, UDP 1801)
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527,1801
🧯 If You Can't Patch
- Disable MSMQ service completely if not required for business operations
- Implement strict network segmentation and firewall rules to block all MSMQ traffic (TCP 1801, 2103, 2105 and UDP 3527, 1801)
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: sc query MSMQ | findstr RUNNINGCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify July 2023 security updates are installed: wmic qfe list | findstr "2023-07"📡 Detection & Monitoring
Log Indicators:
- MSMQ service crashes
- Unusual network connections to MSMQ ports
- Security event logs showing unauthorized access attempts
Network Indicators:
- Unusual traffic to TCP port 1801, 2103, 2105 or UDP port 3527, 1801
- Malformed MSMQ packets
SIEM Query:
source="windows" AND (event_id=4625 OR event_id=4688) AND process_name="msmq.exe"