CVE-2024-30080
📋 TL;DR
CVE-2024-30080 is a critical remote code execution vulnerability in Microsoft Message Queuing (MSMQ) that allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges by sending specially crafted packets to an MSMQ server. This affects Windows systems with the MSMQ service enabled, particularly those exposed to untrusted networks. The vulnerability stems from a use-after-free memory corruption issue (CWE-416).
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h1 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, or deploy ransomware across the network.
Likely Case
Remote code execution leading to initial foothold in enterprise networks, followed by lateral movement and data exfiltration.
If Mitigated
Limited impact if MSMQ is disabled or properly firewalled, with attackers unable to reach the vulnerable service.
🎯 Exploit Status
Exploitation requires sending specially crafted malicious packets to the MSMQ service (TCP port 1801). Public proof-of-concept code exists, making weaponization highly probable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2024 security updates - KB5037768 for Windows 11, KB5037765 for Windows 10, etc.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30080
Restart Required: Yes
Instructions:
1. Apply May 2024 Windows security updates from Microsoft. 2. Restart affected systems. 3. Verify MSMQ service is updated to patched version.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsCompletely disable the Microsoft Message Queuing service if not required
sc config MSMQ start= disabled
sc stop MSMQ
Block MSMQ Ports
windowsBlock TCP port 1801 and UDP port 3527 at network perimeter and host firewall
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527
🧯 If You Can't Patch
- Disable MSMQ service immediately on all affected systems
- Implement strict network segmentation and firewall rules to block MSMQ traffic (TCP 1801/UDP 3527) from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is installed and running: Get-Service MSMQ (PowerShell) or sc query MSMQ (CMD). If installed, check Windows Update history for May 2024 patches.Check Version:
wmic service where name='MSMQ' get name,pathnameVerify Fix Applied:
Verify May 2024 security updates are installed via Settings > Windows Update > Update history or wmic qfe list. Confirm MSMQ service version matches patched build.📡 Detection & Monitoring
Log Indicators:
- Unusual MSMQ service crashes in Event Viewer (Application logs)
- Failed MSMQ authentication attempts from unexpected sources
- MSMQ queue creation/modification by unauthorized users
Network Indicators:
- Unusual traffic to TCP port 1801 from external/untrusted IPs
- Malformed MSMQ packets detected by network IDS/IPS
- Spike in MSMQ protocol traffic
SIEM Query:
source="*eventlog*" AND (EventID=1000 OR EventID=1001) AND process_name="msmq.exe" OR destination_port=1801 AND (src_ip NOT IN internal_ranges)🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30080
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30080
- https://www.vicarius.io/vsociety/posts/cve-2024-30080-detection-script-remote-code-execution-vulnerability-affecting-microsoft-msmq-1
- https://www.vicarius.io/vsociety/posts/cve-2024-30080-mitigation-script-remote-code-execution-vulnerability-affecting-microsoft-msmq
