Background
Microsoft Message Queuing (MSMQ) is a message queueing service built into Windows that enables applications to communicate asynchronously. It’s been part of Windows since Windows NT 4.0 and is still used in enterprise applications, particularly legacy systems, ERP integrations, and certain financial applications. MSMQ listens on TCP port 1801 and is not installed by default on modern Windows, but it’s widely present on servers running older enterprise applications.
CVE-2024-30080 was patched by Microsoft in June 2024. The vulnerability is a use-after-free in the MSMQ service that can be triggered by sending a specially crafted packet to port 1801 — no authentication required. Given MSMQ’s exposure profile (many enterprises have it enabled on internal servers without particular network restrictions), this is a significant vulnerability for lateral movement scenarios.
Technical Mechanism
The MSMQ service (mqsvc.exe) processes network messages received on TCP/UDP port 1801. The service handles various message types and operations related to message queue management.
The use-after-free vulnerability is in the MSMQ packet parsing code:
- The MSMQ service receives a specially crafted network packet
- During packet processing, an object is allocated and then freed while a reference to it still exists
- An attacker who can send subsequent network packets in a controlled manner can allocate a new object in the freed memory location with attacker-controlled content
- When MSMQ subsequently uses the stale reference, it accesses the attacker’s crafted data
- Through careful heap manipulation, this can be turned into arbitrary code execution in the security context of mqsvc.exe. The service runs under the built-in account configured for the Message Queuing service; confirm it on a given host with `sc qc MSMQ` rather than assuming SYSTEM, although escalation from a Windows service account to SYSTEM on the same host is routine
The attack is unauthenticated — any network-connected host can send packets to MSMQ on port 1801. No Windows credentials, no prior authentication, no session required.
Real-World Exploitation Evidence
CISA confirmed active exploitation when adding this to the KEV catalogue. The vulnerability was analysed by several security researchers following the June 2024 patch:
- Post-patch exploitation — active exploitation was confirmed after the patch was released, targeting organisations slow to apply the June 2024 updates
- Internal network exposure — unlike many internet-facing vulnerabilities, MSMQ is primarily an internal service; exploitation is typically in the context of lateral movement after initial access
- Enterprise targeting — MSMQ is predominantly found in enterprise environments running legacy applications; these organisations tend to be slower to patch
The combination of a SYSTEM-level RCE with no authentication on an internal service makes this particularly useful for an attacker who’s already inside the network and looking to escalate or move laterally.
Impact Assessment
- Remote code execution as the MSMQ service account; the rest of this list assumes the attacker reaches SYSTEM, which from a built-in service account on the same host is usually a short step
- No authentication required — any host that can reach port 1801 can exploit this
- Lateral movement — ideal for an attacker already on the internal network looking to compromise additional Windows servers
- Ransomware deployment — SYSTEM RCE on additional servers accelerates ransomware deployment
- Persistence — from SYSTEM, attackers can install services, modify startup items, and deploy kernel-level rootkits
- Active Directory attacks — SYSTEM on a domain-joined server acts as the machine account, which is enough for Kerberoasting and for dumping cached credentials from LSASS; replication (DCSync) attacks need replication rights, so they follow only if the host is a domain controller or holds credentials of an account that has them
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Windows Server 2019 | Before June 2024 patches | KB5039217 |
| Windows Server 2022 | Before June 2024 patches | KB5039227 |
| Windows 10 (21H2, 22H2) | Before June 2024 patches (if MSMQ enabled) | KB5039211 |
| Windows 11 (all versions) | Before June 2024 patches (if MSMQ enabled) | KB5039212 |
Note: MSMQ must be installed and the Message Queuing service running for this vulnerability to be exploitable. The table lists the SKUs most often encountered; other supported Windows versions also received June 2024 fixes, so check the MSRC advisory for the full list.
Remediation Steps
- Apply June 2024 Patch Tuesday updates immediately
- Audit which systems have MSMQ installed; it is often enabled without anyone being aware of it. `Get-WindowsFeature` exists only on Server SKUs; on Windows 10/11 use `Get-WindowsOptionalFeature -Online` instead:

```powershell
# Server: the MSMQ role feature and its sub-features
Get-WindowsFeature -Name MSMQ* | Where-Object { $_.InstallState -eq "Installed" }
# Any SKU: is the service present, and is anything listening on 1801?
Get-Service -Name MSMQ -ErrorAction SilentlyContinue
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
```

- If MSMQ is not required, uninstall it (the service goes away with the feature):

```powershell
Uninstall-WindowsFeature -Name MSMQ   # Remove-WindowsFeature is an alias for this
```

- If MSMQ is required, restrict access to port 1801 via Windows Firewall. Block rules take precedence over Allow rules in Windows Firewall, so a broad Block rule would also cut off the trusted clients, and `-RemoteAddress` has no "not" syntax. Disable the Allow rules that MSMQ setup creates and allow only the trusted addresses; the profile's default inbound action (Block) drops everything else:

```powershell
# Replace 10.0.1.0/24 with the hosts that legitimately talk to this queue
Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*Message Queuing*" } | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "Allow MSMQ from trusted hosts" -Direction Inbound `
    -Protocol TCP -LocalPort 1801 -RemoteAddress 10.0.1.0/24 -Action Allow
# Confirm the default inbound action is Block on every profile
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction
```

- Segment MSMQ traffic; it should only be reachable from hosts that legitimately need to communicate with the message queue
- Monitor for unusual connections to port 1801
Detection Guidance
Network monitoring — baseline which hosts communicate on port 1801. Any new source attempting to connect to port 1801 should be investigated.
Windows Event Logs:
- Event ID 4688 (Security): process creation where the Creator Process Name is mqsvc.exe; the MSMQ service does not normally spawn child processes. This needs process creation auditing enabled (and command-line logging for triage); Sysmon Event ID 1 with ParentImage mqsvc.exe gives the same signal with richer fields
- Event ID 7036 (System): unexpected Message Queuing service state changes
- Event IDs 7031/7034 (System) and Application Error 1000 for mqsvc.exe: service crashes. A use-after-free that is triggered but not landed usually crashes the service, so a cluster of these on an MSMQ host is a sign of exploitation attempts, not just instability
SIEM rule (pseudo-syntax; `known_msmq_clients` is the baseline list from the network monitoring step):

```
dest_port = 1801 AND
source_ip NOT IN (known_msmq_clients) AND
event_type = "network_connection"
```
Suricata signature. This is a heuristic: it fires on any payload over 512 bytes to port 1801, including legitimate MSMQ messages, so treat it as a triage aid rather than a high-fidelity alert. The sid is in the local range (1000000-1999999); the 2000000 range is reserved for Emerging Threats rules:

```
alert tcp any any -> $HOME_NET 1801 (msg:"MSMQ CVE-2024-30080 Potential Exploitation Attempt"; flow:established,to_server; dsize:>512; classtype:attempted-admin; sid:1000030; rev:2;)
```
Service monitoring — alert if MSMQ is found running on hosts where it shouldn’t be; attackers sometimes install services as part of post-exploitation.
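The baseline and event-log checks above, as an added Python example that is not part of the original page. The connection records and Windows events are constructed inline to mimic firewall/NetFlow logs and Security/System event-log records reduced to the fields a SIEM would index; the field names (`ts`, `src`, `dst`, `dport`, `param1`) are assumptions about the log pipeline, not a vendor schema.

```python
"""Detection logic for the port-1801 baseline and the 4688/7031 checks.

Added example; not code from the original page. The records below are
constructed to mimic (a) firewall or NetFlow connection logs and (b) Windows
event-log records reduced to the fields a SIEM would index. Field names are
assumptions about the log pipeline, not a Windows or vendor schema.
"""
from collections import defaultdict
from datetime import datetime

MSMQ_PORT = 1801
MQSVC = "mqsvc.exe"

# Constructed connection records: ts (ISO 8601), src, dst, dport.
FLOWS = [
    {"ts": "2024-06-01T09:00:00", "src": "10.10.1.20", "dst": "10.10.2.5", "dport": 1801},
    {"ts": "2024-06-01T09:05:00", "src": "10.10.1.21", "dst": "10.10.2.5", "dport": 1801},
    {"ts": "2024-06-02T11:00:00", "src": "10.10.1.20", "dst": "10.10.2.5", "dport": 1801},
    {"ts": "2024-06-02T11:30:00", "src": "10.10.9.77", "dst": "10.10.2.5", "dport": 443},
    # Outside the baseline window: a host that never spoke MSMQ to this server.
    {"ts": "2024-06-20T03:12:00", "src": "10.10.9.77", "dst": "10.10.2.5", "dport": 1801},
    {"ts": "2024-06-20T03:12:04", "src": "10.10.1.21", "dst": "10.10.2.5", "dport": 1801},
]

# Constructed Windows events. The 4688 fields follow the Security-log XML names
# (ParentProcessName needs Windows 8.1/2012 R2 or later); 7031/7034 come from
# the System log, where the service name is the first string parameter (param1).
EVENTS = [
    {"EventID": 4688, "Computer": "MQ-SRV01",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\mqsvc.exe"},
    {"EventID": 4688, "Computer": "MQ-SRV01",
     "ParentProcessName": r"C:\Windows\System32\mqsvc.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7031, "Computer": "MQ-SRV01", "param1": "Message Queuing"},
    {"EventID": 7036, "Computer": "MQ-SRV01", "param1": "Message Queuing", "param2": "running"},
]


def build_baseline(flows, start, end):
    """Server -> set of client IPs seen on TCP/1801 during [start, end)."""
    baseline = defaultdict(set)
    for f in flows:
        ts = datetime.fromisoformat(f["ts"])
        if f["dport"] == MSMQ_PORT and start <= ts < end:
            baseline[f["dst"]].add(f["src"])
    return dict(baseline)


def new_msmq_sources(flows, baseline, after):
    """Port-1801 connections at or after `after` from a source absent from the
    destination server's baseline: the 'new source' condition in the guidance."""
    return [(f["ts"], f["src"], f["dst"]) for f in flows
            if f["dport"] == MSMQ_PORT
            and datetime.fromisoformat(f["ts"]) >= after
            and f["src"] not in baseline.get(f["dst"], set())]


def mqsvc_children(events):
    """4688 events whose parent is mqsvc.exe. The MSMQ service should not spawn
    processes, so any hit is worth a look; a shell or script host is a strong signal."""
    return [(e["Computer"], e["NewProcessName"]) for e in events
            if e.get("EventID") == 4688
            and e.get("ParentProcessName", "").lower().endswith("\\" + MQSVC)]


def mqsvc_crashes(events):
    """7031/7034 for the Message Queuing service: a use-after-free that is
    triggered but not landed usually crashes mqsvc.exe, so these mark failed
    attempts and often precede a successful one."""
    return [e["Computer"] for e in events
            if e.get("EventID") in (7031, 7034)
            and e.get("param1") == "Message Queuing"]


def run_demo():
    """Run the four checks over the constructed data; results keyed by check."""
    base = build_baseline(FLOWS, datetime(2024, 6, 1), datetime(2024, 6, 15))
    return {
        "baseline": base,
        "new_sources": new_msmq_sources(FLOWS, base, datetime(2024, 6, 15)),
        "mqsvc_children": mqsvc_children(EVENTS),
        "mqsvc_crashes": mqsvc_crashes(EVENTS),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

On the constructed data the baseline holds the two legitimate clients of 10.10.2.5, the 03:12 connection from 10.10.9.77 is flagged as a new source while the one from 10.10.1.21 is not, the cmd.exe spawned by mqsvc.exe is reported, and the 7031 crash is counted. Keyed by destination server, the baseline also catches a known client that starts talking to a queue server it never used before.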
Timeline
| Date | Event |
|---|---|
| 11 June 2024 | Microsoft patches CVE-2024-30080 in June Patch Tuesday |
| June 2024 | Active exploitation begins post-patch on unpatched systems |
| June 2024 | CISA adds to Known Exploited Vulnerabilities catalogue |
| 2024 | Security researchers publish analysis of the use-after-free mechanism |