CVE-2024-49122
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted packets. It affects Windows systems with MSMQ enabled, potentially allowing attackers to gain SYSTEM privileges. Organizations using MSMQ for message queuing services are at risk.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains SYSTEM privileges on vulnerable server, leading to complete system compromise, lateral movement, and data exfiltration.
Likely Case
Attacker executes code with SYSTEM privileges on vulnerable MSMQ server, potentially installing malware, ransomware, or backdoors.
If Mitigated
With proper network segmentation and access controls, impact is limited to disruption of the isolated MSMQ service.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. No authentication required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2024 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49122
Restart Required: Yes
Instructions:
1. Apply July 2024 Windows security updates.
2. Restart affected systems.
3. Verify MSMQ service is running expected version.
🔧 Temporary Workarounds
Disable MSMQ Service
Windows: Stop and disable the Microsoft Message Queuing service if it is not required
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
Windows: Block network access to MSMQ ports (TCP 1801, TCP 2103, TCP 2105, UDP 3527, UDP 1801)
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527,1801
🧯 If You Can't Patch
- Disable MSMQ service entirely if not required for business operations
- Implement strict network segmentation to isolate MSMQ servers from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is installed and running: Get-Service MSMQ (PowerShell) or sc query MSMQ (CMD)
Check Version:
Get-WmiObject Win32_Service | Where-Object {$_.Name -eq 'MSMQ'} | Select-Object Name, State, StartMode
Verify Fix Applied:
Verify July 2024 security updates are installed via Windows Update history or Get-HotFix -Id KB5035855 (example KB; check the actual KB number)
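The checks above and the two workarounds can be combined into one local audit. The following PowerShell is an added example, not part of the vendor advisory or the original page; the function name Get-MsmqExposure and its output property names are illustrative, and it assumes the firewall rules were created with the exact names used in the netsh commands above.

```powershell
# Added example: summarize MSMQ exposure on the local host (run elevated).
# Function and property names are illustrative, not from the advisory.
function Get-MsmqExposure {
    $tcpPorts = 1801, 2103, 2105   # TCP ports from the "Block MSMQ Ports" workaround
    $udpPorts = 3527, 1801         # UDP ports from the same workaround

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSMQ'"
    if (-not $svc) {
        # No MSMQ service registered: the feature is not installed on this host
        return [pscustomobject]@{ Installed = $false; Exposed = $false }
    }

    # Sockets actually bound on the MSMQ ports
    $tcp = @(Get-NetTCPConnection -State Listen -LocalPort $tcpPorts -ErrorAction SilentlyContinue)
    $udp = @(Get-NetUDPEndpoint -LocalPort $udpPorts -ErrorAction SilentlyContinue)

    # Enabled inbound block rules carrying the names used in the netsh workaround
    $rules = @(Get-NetFirewallRule -DisplayName 'Block MSMQ', 'Block MSMQ UDP' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' -and $_.Direction -eq 'Inbound' })
    $activeRuleNames = @($rules.DisplayName | Sort-Object -Unique)

    $listening = ($tcp.Count + $udp.Count) -gt 0
    [pscustomobject]@{
        Installed    = $true
        State        = $svc.State
        StartMode    = $svc.StartMode
        ListeningTcp = ($tcp.LocalPort | Sort-Object -Unique) -join ','
        ListeningUdp = ($udp.LocalPort | Sort-Object -Unique) -join ','
        BlockRules   = $activeRuleNames -join ', '
        # Coarse flag: something is listening and not both block rules are active
        Exposed      = $listening -and ($activeRuleNames.Count -lt 2)
    }
}

Get-MsmqExposure | Format-List
```

The Exposed flag does not evaluate firewall profile scope or upstream network filtering, so treat a value of False as a prompt to confirm segmentation rather than as proof of isolation.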
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with MSMQ process creation
- Unexpected MSMQ service restarts
- MSMQ error logs with memory access violations
Network Indicators:
- Unusual traffic to MSMQ ports (1801, 2103, 2105, 3527) from unexpected sources
- Large or malformed MSMQ packets
SIEM Query:
source="windows" AND (event_id=4688 AND process_name="*msmq*") OR (destination_port IN (1801, 2103, 2105, 3527) AND protocol="TCP/UDP")