KB5027225: Windows Server 2022 Security Update (June 2023)
A crafted multicast packet to a Windows Server with MSMQ's PGM transport in use can give an attacker SYSTEM-level code execution with no credentials.
An attacker on the same network as a server with MSMQ and PGM in use can send a crafted multicast packet that triggers the bug and runs code with the privileges of the MSMQ service — typically Network Service or SYSTEM. No credentials, no user interaction. The attack works as long as the attacker can deliver multicast packets to the vulnerable host.
Pragmatic General Multicast (PGM) is the reliable-multicast protocol Microsoft Message Queuing (MSMQ) uses when an application wants to deliver the same message to many receivers at once. The PGM transport runs inside the MSMQ service (mqsvc.exe / rmcast.sys). An integer-underflow input-validation flaw in the PGM packet handler lets an attacker send specially crafted multicast traffic and corrupt memory, leading to remote code execution. The vulnerable code path is only reachable when MSMQ is installed and an application has opened a PGM socket.
Probably yes if any of these apply:
Affected OS versions
A ransomware operator finds a corporate file server inside a flat network that has MSMQ installed for a legacy line-of-business app. The application uses PGM multicast for fan-out delivery. One unauthenticated multicast packet later, the attacker has code running as the MSMQ service. The PGM family of CVEs is particularly attractive to attackers because most administrators do not know which of their servers actually have PGM enabled.
Manual download
For air-gapped servers or out-of-band deployment. Searching the Microsoft Update Catalog for KB5027225 returns every OS-version variant of this update, so pick the package that matches the server's edition and architecture.
Microsoft Update Catalog: KB5027225
Manual remediation steps
Decide if you need to patch
The Pragmatic General Multicast (PGM) attack surface is only present when MSMQ is installed and the PGM transport is in use. PGM is not a default Windows configuration. Run:
Get-WindowsFeature -Name MSMQ* | Where-Object Installed
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
If MSMQ is not installed, this CVE is not reachable on this server. Patch on the standard cadence regardless.
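The two checks above answer "is MSMQ here?" but not "is the PGM transport actually loaded?". The following PowerShell function is an added example (not part of this page and not a script from Microsoft) that folds the feature, driver, listener and hotfix checks into one report per server. It assumes the PGM transport is delivered by the Windows feature named MSMQ-Multicasting and the kernel driver service RMCAST (rmcast.sys); both names are assumptions, so confirm them on one known host before trusting the output across a fleet.

```powershell
# Added example, not from the original page: assess whether this server can reach the
# vulnerable PGM code path and whether KB5027225 is already present.
# Assumptions: the PGM transport ships as Windows feature 'MSMQ-Multicasting' and as the
# kernel driver service 'RMCAST' (rmcast.sys). Verify both names on one reference host.
function Test-PgmExposure {
    [CmdletBinding()]
    param(
        [string]$KB = 'KB5027225'   # the cumulative update this page covers
    )

    # Feature state (ServerManager module is present on Windows Server SKUs)
    $msmq  = Get-WindowsFeature -Name 'MSMQ-Server'       -ErrorAction SilentlyContinue
    $mcast = Get-WindowsFeature -Name 'MSMQ-Multicasting' -ErrorAction SilentlyContinue

    # Driver state: a running rmcast.sys means a PGM socket can be opened on this host
    $rmcast = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" `
                              -ErrorAction SilentlyContinue

    # MSMQ listener on TCP/1801, the same check the page uses, kept for context
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    # Is the cumulative update already installed?
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

    # The PGM handler is only reachable when MSMQ, the multicast feature and the driver are all present
    $pgmReachable = [bool]$msmq.Installed -and [bool]$mcast.Installed -and ($rmcast.State -eq 'Running')

    $driverState = if ($rmcast) { $rmcast.State } else { 'NotPresent' }
    $action = if ($pgmReachable -and -not $hotfix) { 'PATCH NOW (out of band)' }
              elseif (-not $hotfix)                { 'Patch on standard cadence' }
              else                                 { 'Already patched' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        MsmqInstalled       = [bool]$msmq.Installed
        PgmFeatureInstalled = [bool]$mcast.Installed
        RmcastDriverState   = $driverState
        MsmqListening1801   = [bool]$listener
        PatchInstalled      = [bool]$hotfix
        PatchInstalledOn    = $hotfix.InstalledOn
        PgmPathReachable    = $pgmReachable
        Action              = $action
    }
}

# Usage: run locally, or fan out with Invoke-Command and collect the objects centrally
Test-PgmExposure | Format-List
```

Because the function returns an object rather than printing text, it drops straight into `Invoke-Command -ComputerName (Get-Content servers.txt)` and the results can be filtered on `PgmPathReachable` to build the out-of-band patch list.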
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
Get-HotFix -Id KB5027225 -ErrorAction SilentlyContinue
# No output means the update is not installed and the steps below apply
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5027225)
Manual download (offline / air-gapped):
3. Reboot
Restart-Computer -Force
Verification
Get-HotFix -Id KB5027225
[System.Environment]::OSVersion.Version
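Steps 1 to 3 and the verification above can be driven from one script so that the result is an object you can collect from many servers. The PowerShell below is an added example, not a script from this page or from Microsoft. The .msu path is a placeholder for whatever you downloaded from the Update Catalog; the wusa.exe exit codes 0, 3010 and 2359302 (0x240006) are the standard success, reboot-required and already-installed codes, and the RebootRequired registry key is a common pending-reboot indicator rather than something this page states.

```powershell
# Added example, not from the original page: install KB5027225 through either channel,
# then verify after the reboot. $MsuPath is a PLACEHOLDER; point it at your downloaded package.
function Install-Kb5027225 {
    [CmdletBinding()]
    param(
        [string]$KB      = 'KB5027225',
        [string]$MsuPath = 'C:\Updates\KB5027225.msu',   # PLACEHOLDER, adjust to your download
        [switch]$Offline,                                 # use the .msu instead of Windows Update / WSUS
        [switch]$Reboot                                   # restart immediately when the install needs it
    )

    # Step 1: skip servers that already have the update
    if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) {
        Write-Host "$KB already installed on $env:COMPUTERNAME"
        return
    }

    # Step 2: install through the chosen channel
    if ($Offline) {
        if (-not (Test-Path $MsuPath)) { throw "Update package not found: $MsuPath" }
        $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$MsuPath`" /quiet /norestart" `
                           -Wait -PassThru
        switch ($p.ExitCode) {
            0       { Write-Host 'Installed, no reboot flagged' }
            3010    { Write-Host 'Installed, reboot required' }          # ERROR_SUCCESS_REBOOT_REQUIRED
            2359302 { Write-Host 'Already installed (0x240006)' }        # WU_S_ALREADY_INSTALLED
            default { throw "wusa.exe failed with exit code $($p.ExitCode)" }
        }
    } else {
        # Same call as the page's step 2: scan, download and install pending updates
        & UsoClient.exe ScanInstallWait
    }

    # Step 3: the fix is not active until the server restarts
    if ($Reboot) { Restart-Computer -Force }
    else { Write-Warning 'Reboot pending: run Restart-Computer -Force in the maintenance window' }
}

# Verification: run after the reboot. Returns an object so results can be collected centrally.
function Confirm-Kb5027225 {
    param([string]$KB = 'KB5027225')
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    $ver    = [System.Environment]::OSVersion.Version
    # UBR (Update Build Revision) pins the exact cumulative-update level of the build
    $ubr    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Installed     = [bool]$hotfix
        InstalledOn   = $hotfix.InstalledOn
        OSBuild       = "$($ver.Major).$($ver.Minor).$($ver.Build).$ubr"
        RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

# Usage:
#   Install-Kb5027225 -Offline -MsuPath 'D:\KB5027225.msu' -Reboot   # air-gapped
#   Install-Kb5027225                                                # Windows Update / WSUS
#   Confirm-Kb5027225 | Format-List                                  # after the reboot
```

Treat `Installed = True` together with `RebootPending = False` as the only passing state; a server that reports the hotfix but still has a reboot pending is running the old rmcast.sys until it restarts.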
Rollback
wusa.exe /uninstall /kb:5027225 /quiet /norestart
# Reboot after uninstall
Removing a cumulative update also removes every fix it delivered — prefer rolling forward.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.