KB5025230: Windows Server 2022 Security Update (April 2023)
A single crafted packet to TCP port 1801 gives an attacker SYSTEM-level code execution on any Windows Server running MSMQ.
An attacker who can reach TCP 1801 on a Windows Server with MSMQ installed can send a single crafted packet and execute code as SYSTEM. No authentication, no user interaction. MSMQ is widely installed for legacy ERP, financial, and integration workloads, and is frequently left exposed inside corporate networks — and sometimes on the internet.
Microsoft Message Queuing (MSMQ) is a Windows messaging service used by line-of-business applications for asynchronous communication. When installed, MSMQ listens on TCP 1801. Multiple input-validation bugs in MSMQ's parser let an attacker increment internal pointers past the bounds of the message buffer, producing out-of-bounds writes and a use-after-free condition. The result is unauthenticated SYSTEM-level code execution.
Probably yes if any of these apply:
Affected OS versions
Researchers at Check Point scanned the internet at disclosure and found roughly 360,000 hosts exposing MSMQ on port 1801. Any of those exposed hosts could be compromised by a single packet, with no authentication. Inside corporate networks the exposure is wider still — MSMQ is installed by SCCM, Exchange (historically), and many third-party LOB applications, often without administrators realising it.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
↗ Microsoft Update Catalog: KB5025230
Manual remediation steps
Check whether MSMQ is installed and exposed
MSMQ is sometimes installed by other software without administrators realising it. Check explicitly:
Get-WindowsFeature -Name MSMQ* | Where-Object Installed
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
If MSMQ is not needed, removing the feature is the strongest mitigation. If the feature stays installed, the patch is still required.
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
Get-HotFix -Id KB5025230 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5025230)
Manual download (offline / air-gapped):
3. Reboot
Restart-Computer -Force
Verification
Get-HotFix -Id KB5025230
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5025230, the update was not applied; re-run the install from a different channel and verify again after the reboot.
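The exposure check above and the post-install verification combined into one audit function, as an added example that is not the page's own (and not the tested script the Notes section refers to). It assumes an elevated PowerShell session on Windows Server with the ServerManager module available (for Get-WindowsFeature); the function name, the Recommendation field and the use of the CBS RebootPending registry key are this example's own choices, not from the page.

```powershell
# Added example, not the page's own script: audit one server for MSMQ exposure
# and for KB5025230. Assumes an elevated session on Windows Server.
function Test-MsmqPatchStatus {
    [CmdletBinding()]
    param(
        [string]$Kb   = 'KB5025230',  # update id from the page
        [int]   $Port = 1801          # MSMQ listener port from the page
    )

    # 1. Which MSMQ features are installed (empty array if none)?
    $msmqFeatures = @(Get-WindowsFeature -Name 'MSMQ*' -ErrorAction SilentlyContinue |
        Where-Object Installed | Select-Object -ExpandProperty Name)

    # 2. Is anything listening on the MSMQ port, and is it bound to the network?
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    # A listener on 0.0.0.0 or :: accepts connections from other hosts, not only localhost.
    $networkBound = @($listeners | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }).Count -gt 0
    $listenerProcess = @($listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique)

    # 3. Is the cumulative update recorded as installed?
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    # 4. Is a reboot still pending? (Assumption: the CBS RebootPending key exists only while
    #    servicing changes await a restart; the fix is not active until then.)
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    $status = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MsmqFeatures     = $msmqFeatures
        ListeningOnPort  = ($listeners.Count -gt 0)
        NetworkReachable = $networkBound
        ListenerProcess  = $listenerProcess
        PatchInstalled   = ($null -ne $hotfix)
        PatchInstalledOn = $(if ($hotfix) { $hotfix.InstalledOn } else { $null })
        RebootPending    = $rebootPending
    }

    # Turn the raw facts into one actionable line for the operator.
    $recommendation =
        if ($status.MsmqFeatures.Count -eq 0 -and -not $status.ListeningOnPort) {
            'MSMQ not installed: no MSMQ exposure; still deploy the cumulative update'
        } elseif (-not $status.PatchInstalled) {
            'VULNERABLE: MSMQ present and KB5025230 missing. Patch and reboot, or remove the feature if unused'
        } elseif ($status.RebootPending) {
            'KB5025230 installed but reboot pending: the fix is not active until restart'
        } else {
            'Patched'
        }
    $status | Add-Member -NotePropertyName Recommendation -NotePropertyValue $recommendation
    return $status
}

# Usage: run locally, or wrap in Invoke-Command to fan out across a server list.
Test-MsmqPatchStatus | Format-List
```

NetworkReachable distinguishes a service bound only to loopback from one reachable by other hosts; the page's one-line Get-NetTCPConnection check reports both the same way. RebootPending catches the common false positive where Get-HotFix already lists the KB but the server has not yet been restarted.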
Rollback
wusa.exe /uninstall /kb:5025230 /quiet /norestart
# Reboot after uninstall
Removing a cumulative update also removes every fix it delivered — prefer rolling forward.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.