CVE-2024-49118
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted packets. It affects Windows systems with MSMQ enabled, particularly those exposed to untrusted networks. Attackers could gain SYSTEM-level privileges on compromised systems.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, exfiltrate data, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to ransomware deployment, data theft, or lateral movement within enterprise networks.
If Mitigated
Limited impact if MSMQ is disabled or properly firewalled, with attackers unable to reach vulnerable services.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in July 2024 Patch Tuesday
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49118
Restart Required: Yes
Instructions:
1. Apply July 2024 Windows security updates via Windows Update.
2. For enterprise environments, deploy patches through WSUS or SCCM.
3. Restart affected systems to complete installation.
🔧 Temporary Workarounds
Disable MSMQ Service
Completely disable the MSMQ service if it is not required for business operations:
sc config MSMQ start= disabled
sc stop MSMQ
Block MSMQ Ports
Block network access to MSMQ ports (TCP 1801, TCP 2103, TCP 2105, UDP 3527, UDP 1801):
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527,1801
🧯 If You Can't Patch
- Disable MSMQ service immediately on all systems where it's not essential
- Implement strict network segmentation and firewall rules to block MSMQ traffic (TCP 1801, 2103, 2105; UDP 3527, 1801) from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check whether the MSMQ service is running: Get-Service MSMQ (PowerShell) or sc query MSMQ (CMD). If the service exists and is running, the system is vulnerable if unpatched.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the July 2024 security updates are installed: Get-HotFix -Id KB5035857 (or the applicable KB number) in PowerShell, or check Windows Update history.
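The three checks above combined into one local report, as an added PowerShell example that is not part of this advisory. It assumes the firewall rules were named as in the "Block MSMQ Ports" workaround and defaults to the KB number quoted above; the correct KB varies by Windows build.

```powershell
# Added example (not from the advisory): exposure check for CVE-2024-49118 on the local host.
# Reports MSMQ service state, listening MSMQ ports, the workaround firewall rules and KB presence.
# $KbId defaults to the KB quoted on this page; the correct KB depends on the Windows build.
param(
    [string]$KbId = 'KB5035857',
    [int[]]$TcpPorts = @(1801, 2103, 2105)
)

$result = [ordered]@{ Host = $env:COMPUTERNAME }

# 1. Service presence, state and start type (no service => not exposed via MSMQ).
$svc = Get-CimInstance Win32_Service -Filter "Name='MSMQ'" -ErrorAction SilentlyContinue
$result.MsmqInstalled = [bool]$svc
$result.MsmqState     = if ($svc) { $svc.State } else { 'NotInstalled' }
$result.MsmqStartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }

# 2. Which of the advisory's TCP ports are actually listening.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $TcpPorts } |
    Select-Object -ExpandProperty LocalPort -Unique
$result.MsmqPortsListening = @($listening) -join ','

# 3. Enabled block rules named as in the "Block MSMQ Ports" workaround (assumed names).
$rules = Get-NetFirewallRule -DisplayName 'Block MSMQ*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }
$result.BlockRulesEnabled = @($rules).Count

# 4. Patch presence. A miss may only mean the KB differs for this build: check Update history too.
$result.KbInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

# Verdict: a running, unpatched service with no block rules is the exposed case.
$result.Exposed = $result.MsmqInstalled -and ($svc.State -eq 'Running') -and
                  (-not $result.KbInstalled) -and ($result.BlockRulesEnabled -eq 0)

[pscustomobject]$result | Format-List
```

Run it in an elevated PowerShell session so the firewall and service queries return complete results.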
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with MSMQ process creation
- Unexpected MSMQ service restarts
- Security log entries showing failed authentication to MSMQ
Network Indicators:
- Unusual traffic to MSMQ ports (TCP 1801, 2103, 2105; UDP 3527, 1801) from external sources
- Large volume of malformed packets to MSMQ ports
SIEM Query:
source="windows_security" EventID=4688 AND (ProcessName="*mqsvc.exe" OR ProcessName="*mqrt.dll")