QueueJumper: Jumping the Line Straight to SYSTEM (CVE-2023-21554)
Vulnerability ID: CVE-2023-21554
CVSS Score: 9.8
Published: 2023-04-11
A critical Remote Code Execution vulnerability in the legacy Microsoft Message Queuing (MSMQ) service allows unauthenticated attackers to execute arbitrary code by sending malformed packets to TCP port 1801.
TL;DR
If you have the 'Microsoft Message Queuing' service enabled (check port 1801), you are vulnerable to a pre-auth RCE. By sending a crafted packet with a manipulated section header, an attacker can trick the service into writing data outside of its allocated buffer, leading to immediate code execution as the Network Service account. Patch or disable the service immediately.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-20
- Attack Vector: Network (TCP 1801)
- CVSS Score: 9.8 (Critical)
- EPSS Score: 0.92162
- Impact: Remote Code Execution (System/Network Service)
- Exploit Status: PoC Available
- KEV Status: Not Listed
Affected Systems
- Windows 10 (Version 1507 to 22H2)
- Windows 11 (Version 21H2, 22H2)
- Windows Server 2008 R2
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
-
Windows 10: 1507 - 22H2 (Fixed in:
April 2023 Patch) -
Windows Server: 2008 - 2022 (Fixed in:
April 2023 Patch)
Exploit Details
- GitHub: Proof of concept for crashing MSMQ service (DoS)
- Metasploit: Metasploit auxiliary scanner module
Mitigation Strategies
- Disable the 'Microsoft Message Queuing' service if not explicitly needed.
- Block TCP port 1801 at the network perimeter and host firewall.
- Implement network segmentation to prevent lateral movement via MSMQ.
Remediation Steps:
- Identify vulnerable hosts using Nmap or PowerShell (check for port 1801).
- Apply the April 2023 Cumulative Update from Microsoft.
- Verify the service version of mqqm.dll has been updated.
References
Read the full report for CVE-2023-21554 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)