IRONSMITHINTEL
CRITICAL | CVSS 9.8
| CVE-2023-32057 | Auth: none | Reboot: required | Manual only

KB5028228: Windows Server 2012 R2 Security Update (July 2023)

A crafted packet to TCP port 1801 on a Windows Server with MSMQ installed can give an attacker SYSTEM-level code execution.

Published Jul 11, 2023 · Updated May 21, 2026
Why patch: risk explained in plain English
Worst-case scenario: if unpatched

An attacker who can reach TCP 1801 on a Windows Server with MSMQ installed can send a single crafted packet and execute code in the MSMQ service context (typically Network Service or SYSTEM). No authentication, no user interaction. Internet-exposed MSMQ hosts at QueueJumper disclosure numbered ~360,000 — internal exposure is far higher because MSMQ is installed by many enterprise applications without administrators realising it.

How the attack works

Microsoft Message Queuing (MSMQ) is a Windows messaging service used by line-of-business applications for asynchronous communication. When installed, MSMQ listens on TCP 1801. A flaw in how the MSMQ packet parser validates incoming messages lets an attacker craft a packet that corrupts memory inside the MSMQ service process (mqsvc.exe), leading to unauthenticated remote code execution.

Am I affected? Quick check

Probably yes if any of these apply:

Any Windows Server with the MSMQ feature installed
Frequently includes Exchange (legacy), SCCM, and many third-party LOB application servers

Affected OS versions

Windows Server 2012 R2
Real-world incidents: what we've seen

A penetration tester scanning a corporate network finds half a dozen servers listening on TCP 1801 — none of which the IT team knew were running MSMQ. The CVE's exploit-development effort is amortised across multiple companion CVEs in the same parser, so working code is widely available. One crafted packet per host gives the tester SYSTEM on each. Internal MSMQ exposure is one of the most under-tracked attack surfaces in modern Windows environments.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update Catalog: KB5028228

Manual remediation steps

Check whether MSMQ is installed and exposed

MSMQ is sometimes installed by other software without administrators realising it. Check explicitly:

Get-WindowsFeature -Name MSMQ* | Where-Object Installed
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

If MSMQ is not needed, removing the feature is the strongest mitigation. If the feature stays installed, the patch is still required.

Prerequisites

1. Local administrator on the target server
2. Maintenance window with reboot capacity
3. Current backup or snapshot you can roll back to
4. Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5028228 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

# UsoClient ships with Windows 10 / Server 2016 and later; Server 2012 R2 uses the older Windows Update Agent client
wuauclt /detectnow /updatenow
# (or use your standard WSUS / SCCM / Intune deployment for KB5028228)

Manual download (offline / air-gapped):

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5028228
2. Download the MSU for Windows Server 2012 R2 that matches your architecture (x64).
3. Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5028228
[System.Environment]::OSVersion.Version
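The "Check whether MSMQ is installed and exposed" commands and the patch-verification commands above answer the same question from two sides: is this host exposed, and is it fixed? The script below combines them into one audit that prints a single verdict per server. It is an added example, not IronsmithIntel's own script (the page's PowerShell automation is marked "coming soon"), and it assumes it runs elevated on the Server 2012 R2 host being audited with the ServerManager and NetTCPIP modules present, which both ship with that OS. The MSU path in the optional staging block at the end is a placeholder, not a value from the page.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a Windows Server 2012 R2 host for CVE-2023-32057 exposure.
# Not the page's own automation. Assumes ServerManager + NetTCPIP modules (ship with 2012 R2).

$Kb       = 'KB5028228'   # the 2012 R2 update this page covers
$MsmqPort = 1801          # MSMQ TCP listener

function Get-MsmqExposure {
    # Feature state: the page's own check, Get-WindowsFeature with the MSMQ* wildcard
    Import-Module ServerManager -ErrorAction SilentlyContinue
    $features  = Get-WindowsFeature -Name 'MSMQ*' -ErrorAction SilentlyContinue | Where-Object Installed
    $installed = [bool]$features

    # Service and listener state: is mqsvc.exe running and bound to TCP 1801, and on which addresses?
    $svc      = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue
    $allIfaces = [bool]($listener | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' })

    # Patch state: Get-HotFix reads the same data as Control Panel "Installed Updates"
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = [System.Environment]::OSVersion.Version.ToString()
        MsmqInstalled    = $installed
        MsmqFeatures     = ($features | ForEach-Object Name) -join ','
        MsmqServiceState = if ($svc) { $svc.Status.ToString() } else { 'absent' }
        ListeningOn1801  = [bool]$listener
        BoundToAllIfaces = $allIfaces
        KbInstalled      = [bool]$hotfix
        KbInstalledOn    = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

function Get-Verdict {
    param([Parameter(Mandatory)] $State)
    # Order matters: a host with no MSMQ at all is not exposed regardless of patch state
    if (-not $State.MsmqInstalled -and -not $State.ListeningOn1801) {
        return 'NOT EXPOSED: MSMQ feature not installed and nothing listens on 1801'
    }
    if ($State.KbInstalled) {
        return "PATCHED: $Kb installed on $($State.KbInstalledOn); confirm the server rebooted after install"
    }
    if ($State.ListeningOn1801) {
        $scope = if ($State.BoundToAllIfaces) { 'all interfaces' } else { 'specific addresses' }
        return "VULNERABLE: MSMQ listening on 1801 ($scope) and $Kb missing; patch or remove the feature"
    }
    return "AT RISK: MSMQ installed but not currently listening; $Kb missing; patch or remove the feature"
}

$state = Get-MsmqExposure
$state | Format-List
Write-Host (Get-Verdict -State $state)

# Optional: stage a manually downloaded MSU from the Update Catalog (placeholder path, not from the page).
# $msu = 'C:\Patches\PLACEHOLDER-kb5028228-x64.msu'
# if (-not $state.KbInstalled -and (Test-Path $msu)) {
#     Start-Process -FilePath wusa.exe -ArgumentList "`"$msu`" /quiet /norestart" -Wait
#     Write-Host 'Update staged; reboot to activate the fix, then re-run this audit.'
# }
```

Run it from an elevated prompt on each server, or push it through your existing remote-execution channel and collect the `Format-List` output. The `BoundToAllIfaces` field is the one to watch in the VULNERABLE case: a listener on `0.0.0.0`/`::` is reachable from every network the host is attached to, which is exactly the internal exposure the page describes.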

Rollback

wusa.exe /uninstall /kb:5028228 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

1. This entry covers Windows Server 2012 R2 specifically (KB5028228). Other Windows Server versions have their own KB for CVE-2023-32057.
2. Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32057 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-32057.
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.