CVE-2025-21289
📋 TL;DR
This vulnerability in Microsoft Message Queuing (MSMQ) allows attackers to cause a denial of service by sending specially crafted packets to vulnerable systems. It affects Windows servers and workstations running MSMQ services. Successful exploitation could crash the MSMQ service, disrupting message processing capabilities.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of MSMQ services leading to application failures, business process interruptions, and potential cascading effects on dependent systems.
Likely Case
MSMQ service crashes requiring manual restart, causing temporary message processing delays and potential data loss for in-transit messages.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and service restoration.
🎯 Exploit Status
Exploitation requires network access to MSMQ service port (typically TCP 1801). No authentication required to trigger the DoS condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply latest Windows security updates from Microsoft
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21289
Restart Required: Yes
Instructions:
1. Apply Windows security updates from Microsoft Update or WSUS. 2. Restart affected systems to complete installation. 3. Verify MSMQ service is running normally after restart.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable MSMQ service if not required for business operations
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
windowsRestrict network access to MSMQ service ports using firewall rules
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MSMQ servers from untrusted networks
- Deploy network monitoring and intrusion detection for MSMQ traffic anomalies
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is installed and running: Get-WindowsFeature MSMQ* (PowerShell) or sc query MSMQCheck Version:
wmic qfe list | findstr /C:"CVE-2025-21289" or Get-HotFix | Where-Object {$_.HotFixID -match "KB"}Verify Fix Applied:
Verify Windows Update history contains the security patch and MSMQ service version matches patched release📡 Detection & Monitoring
Log Indicators:
- MSMQ service crash events in Windows System logs (Event ID 7031, 7034)
- Unexpected MSMQ service restarts
- High volume of connection attempts to port 1801
Network Indicators:
- Unusual traffic patterns to MSMQ port 1801
- Malformed MSMQ protocol packets
- Multiple connection attempts from single sources
SIEM Query:
EventID=7031 OR EventID=7034 AND ServiceName="MSMQ" | stats count by SourceIP, DestinationIP