KB5029312: Windows Server 2012 R2 Security Update (August 2023)
A crafted MSMQ packet can give an attacker SYSTEM-level code execution on any Windows Server with MSMQ installed.
An attacker who can reach TCP 1801 can send a single crafted packet and execute code as SYSTEM. The companion CVE-2023-36910 shares the same MSMQ attack surface — patch both together.
MSMQ listens on TCP 1801 when installed. A flaw in how MSMQ validates incoming message structures lets a crafted packet corrupt memory in the MSMQ service process and execute code. This is one of two related MSMQ RCEs (with CVE-2023-36910) in the August 2023 patch cycle.
Probably yes if any of these apply:
Affected OS versions
An attacker scans a corporate network for TCP 1801, finds the servers, and triggers the MSMQ flaw on each unpatched host. Because MSMQ exploit development is amortised across the QueueJumper-and-after series of CVEs, working code is widely available.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5029312
Manual remediation steps
Check whether MSMQ is installed and exposed
Get-WindowsFeature -Name MSMQ* | Where-Object Installed
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
If MSMQ is not needed, removing the feature is the strongest mitigation.
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
Get-HotFix -Id KB5029312 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
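# UsoClient ships with Windows 10 / Server 2016 and later; on Server 2012 R2 trigger the Windows Update agent with wuauclt
wuauclt.exe /detectnow /updatenow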
Manual download (offline / air-gapped):
3. Reboot
Restart-Computer -Force
Verification
Get-HotFix -Id KB5029312
[System.Environment]::OSVersion.Version
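Added example (not part of the original page): the MSMQ exposure check and the KB5029312 check above, run against several servers at once and combined into one status per host. The host names are placeholders, and PowerShell remoting to the targets is assumed to be enabled.

```powershell
# Added example, not from the original page. Host names are placeholders.
$Servers = @('SRV-APP01', 'SRV-APP02')
$KbId    = 'KB5029312'

$check = {
    param($KbId)
    # Installed MSMQ features (ServerManager module, Windows Server only)
    $msmq   = @(Get-WindowsFeature -Name MSMQ* | Where-Object Installed)
    # Sockets listening on the MSMQ port
    $listen = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
    # A wildcard bind means the port is offered on every interface
    $anyIf  = @($listen | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' })
    $kb     = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # KbNotFound is not proof of exposure: a later cumulative update that
    # supersedes this KB also carries the fix, so confirm those hosts by hand.
    if ($msmq.Count -eq 0 -and $listen.Count -eq 0) { $status = 'MsmqAbsent' }
    elseif ($kb)                 { $status = 'KbInstalled' }
    elseif ($listen.Count -gt 0) { $status = 'KbNotFound-Listening' }
    else                         { $status = 'KbNotFound-NoListener' }

    [pscustomobject]@{
        MsmqFeatures  = ($msmq.Name -join ',')
        Listening1801 = $listen.Count -gt 0
        WildcardBind  = $anyIf.Count -gt 0
        KbInstalled   = [bool]$kb
        Status        = $status
    }
}

$results = Invoke-Command -ComputerName $Servers -ScriptBlock $check `
    -ArgumentList $KbId -ErrorAction SilentlyContinue -ErrorVariable failed

$results | Sort-Object Status, PSComputerName |
    Format-Table PSComputerName, MsmqFeatures, Listening1801, WildcardBind, KbInstalled, Status -AutoSize

# Hosts that could not be queried are unknown, not clean
$failed | ForEach-Object { Write-Warning "Query failed: $_" }
```

Hosts reported as KbNotFound-Listening are the ones to patch first, or to remove MSMQ from if it is not needed.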
Rollback
wusa.exe /uninstall /kb:5029312 /quiet /norestart
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.