MSMQ Use-After-Free — Pre-Auth Remote Code Execution Over Port 1801 (CVE-2024-30080)
A use-after-free in the Microsoft Message Queuing service allows an unauthenticated network attacker to execute arbitrary code by sending crafted MSMQ packets to TCP/1801. Apply the June 2024 cumulative update or remove the MSMQ feature where it is not actively used.
A network-positioned attacker who can reach TCP/1801 on an MSMQ-enabled server can execute arbitrary code as the service account (typically NETWORK SERVICE, with full Local System on some legacy roles). Many organisations leave MSMQ exposed on internal segments after the application that originally required it was retired, leaving a trivially exploitable path for lateral movement.
The MSMQ service handles incoming queue messages with a use-after-free bug that an attacker can trigger remotely. The service listens on TCP/1801 and is installed whenever the "Message Queuing" Windows feature is enabled — commonly added by legacy line-of-business apps, SQL Server Service Broker deployments, BizTalk, and many internal-facing automation systems. The Microsoft advisory rates exploitation "More Likely". Affected: Windows Server 2008 SP2 through Windows Server 2022, including Server Core installations, prior to the June 2024 Patch Tuesday.
Probably yes if any of these apply:
Affected OS versions
CVE-2024-30080 is the sequel to 2023's "QueueJumper" (CVE-2023-21554), which also targeted MSMQ. Within weeks of the June 2024 disclosure, multiple researchers published technical write-ups walking through the use-after-free chain; PoC code circulated on GitHub. Shodan and Censys both report tens of thousands of MSMQ endpoints exposed to the public internet at any given time, and the service is enormously over-deployed inside enterprise networks relative to the small number of applications that genuinely need it.
Manual remediation steps
⏱ 30–60 minutes including reboot
Detect MSMQ exposure
# Check whether the Message Queuing feature is installed AND running:
Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server
Get-Service -Name MSMQ -ErrorAction SilentlyContinue
# Check whether TCP/1801 is reachable from where it should not be:
Test-NetConnection -ComputerName <server> -Port 1801
Preferred mitigation — uninstall MSMQ if not actively used
# Uninstall the Message Queuing feature entirely:
Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName MSMQ -NoRestart
Restart-Computer
Temporary network mitigation
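# Block ALL inbound TCP/1801 at the host firewall. Windows Firewall block rules
# override allow rules, so this also cuts off known queue clients; to keep them
# working, scope the MSMQ allow rule with -RemoteAddress instead of blocking.
New-NetFirewallRule -DisplayName "Block inbound MSMQ (TCP 1801)" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 1801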
Apply the June 2024 cumulative update
CVE-2024-30080 to find the current superseding cumulative for your OS
Verify
# Confirm the build number is at or above the June 2024 patch level for your OS,
# then confirm the patched MSMQ binary is loaded:
Get-Item C:\Windows\System32\mqqm.dll | Select-Object VersionInfo
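The detection and verification checks above can be combined into one per-host triage report. This is an added example, not a script from the advisory or from Microsoft: the function name Get-MsmqExposure and its parameters are hypothetical, and the patched mqqm.dll version must be supplied by you from the update's file information because the page does not state one.

```powershell
# Added example (hypothetical helper, not from the advisory). Assumes PowerShell
# remoting and local admin rights on each target; Get-NetTCPConnection needs
# Windows Server 2012 or later.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Patched mqqm.dll version for your OS, taken from the file list of the
        # update you deploy. The advisory gives no number, so none is assumed.
        [version]$MinPatchedVersion
    )
    $probe = {
        $feature  = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -ErrorAction SilentlyContinue
        $service  = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
        $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
        $dll      = Get-Item "$env:SystemRoot\System32\mqqm.dll" -ErrorAction SilentlyContinue
        $v        = if ($dll) { $dll.VersionInfo }
        [pscustomobject]@{
            FeatureState  = if ($feature) { [string]$feature.State } else { 'NotPresent' }
            ServiceStatus = if ($service) { [string]$service.Status } else { 'NotInstalled' }
            Listening1801 = [bool]$listener
            MqqmVersion   = if ($v) { '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart }
        }
    }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe |
        ForEach-Object {
            # $null means "not checked": no threshold supplied or DLL absent.
            $patched = $null
            if ($MinPatchedVersion -and $_.MqqmVersion) {
                $patched = [version]$_.MqqmVersion -ge $MinPatchedVersion
            }
            $action = if ($_.FeatureState -ne 'Enabled' -and -not $_.Listening1801) {
                'None: MSMQ not enabled'
            } elseif ($patched) {
                'Patched: confirm MSMQ is still needed'
            } else {
                'Patch or uninstall; restrict TCP/1801 until done'
            }
            [pscustomobject]@{
                Computer      = $_.PSComputerName
                FeatureState  = $_.FeatureState
                ServiceStatus = $_.ServiceStatus
                Listening1801 = $_.Listening1801
                MqqmVersion   = $_.MqqmVersion
                Patched       = $patched
                Action        = $action
            }
        }
}
```

Pipe the result to Format-Table or Export-Csv; hosts that fail remoting produce an error record rather than a row, so reconcile the output against the input list.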