CRITICALCVSS9.8

|CVE-2023-36910|Auth: none|Reboot: required|Manual only

KB5029247: Windows Server 2019 Security Update (August 2023)

A crafted MSMQ message can give an attacker SYSTEM-level code execution on any Windows Server with MSMQ installed.

Published Aug 8, 2023 · Updated May 21, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker who can reach TCP 1801 on a Windows Server with MSMQ installed can send a single crafted message that triggers the integer overflow and runs code as SYSTEM. No credentials, no user interaction.

How the attack works

MSMQ listens on TCP 1801 when installed. An integer overflow in MSMQ's message-processing logic causes the service to allocate too small a buffer for a crafted message with manipulated size parameters; the subsequent copy overflows the buffer and corrupts memory, leading to code execution as the MSMQ service.

Am I affected?Quick check

Probably yes if any of these apply:

●Any Windows Server with the MSMQ feature installed

Affected OS versions

Windows Server 2019

Real-world incidentsWhat we've seen

A penetration tester finds an internal Windows Server with MSMQ listening on 1801 — installed years ago for a since-decommissioned application. One crafted message later, the tester has SYSTEM. MSMQ continues to be one of the highest-yield "forgotten attack surface" finds in modern Windows networks.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5029247

Manual remediation steps

Check whether MSMQ is installed and exposed

Get-WindowsFeature -Name MSMQ* | Where-Object Installed
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

If MSMQ is not needed, removing the feature is the strongest mitigation.

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5029247 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5029247

Download the MSU for Windows Server 2019 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5029247
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5029247 /quiet /norestart

Notes

This entry covers Windows Server 2019 specifically (KB5029247). Other Windows Server versions have their own KB for CVE-2023-36910.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36910 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-36910.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2023-36910 ↗ MSRC Advisory ↗ NVD ↗ KBKB5029247