IRONSMITHINTEL
CRITICAL | CVSS 9.8 | CVE-2023-36911 | Auth: none | Reboot: required | Manual only

KB5029250: Windows Server 2022 Security Update (August 2023)

A crafted MSMQ packet can give an attacker SYSTEM-level code execution on any Windows Server with MSMQ installed.

Published Aug 8, 2023 · Updated May 21, 2026
Why patch (risk explained in plain English)

Worst-case scenario (if unpatched)

An attacker who can reach TCP 1801 can send a single crafted packet and execute code as SYSTEM. The companion CVE-2023-36910 shares the same MSMQ attack surface — patch both together.

How the attack works

MSMQ listens on TCP 1801 when installed. A flaw in how MSMQ validates incoming message structures lets a crafted packet corrupt memory in the MSMQ service process and execute code. This is one of two related MSMQ RCEs (with CVE-2023-36910) in the August 2023 patch cycle.

Am I affected? (Quick check)

Probably yes if any of these apply:

Any Windows Server with the MSMQ feature installed

Affected OS versions

Windows Server 2022

Real-world incidents (what we've seen)

An attacker scans a corporate network for TCP 1801, finds the servers, and triggers the MSMQ flaw on each unpatched host. Because MSMQ exploit development is amortised across the QueueJumper-and-after series of CVEs, working code is widely available.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5029250

Manual remediation steps

Check whether MSMQ is installed and exposed

Get-WindowsFeature -Name MSMQ* | Where-Object Installed
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

If MSMQ is not needed, removing the feature is the strongest mitigation.

Prerequisites

- Local administrator on the target server
- Maintenance window with reboot capacity
- Current backup or snapshot you can roll back to
- Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5029250 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

   1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5029250
   2. Download the MSU for Windows Server 2022 that matches your architecture (x64).
   3. Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5029250
[System.Environment]::OSVersion.Version
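
An added example, not a script from this page or its publisher: it combines the installed/exposed check and the Get-HotFix verification above into one function that reports a status per server. The function name `Test-MsmqPatchState`, its status values and the optional `-FixedUbr` parameter are hypothetical; the fixed build revision is not given on this page and has to come from Microsoft's KB article.

```powershell
# Added example (hypothetical helper, not the site's script). Run elevated on the server.
function Test-MsmqPatchState {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB5029250',   # KB from this page (Windows Server 2022)
        [int]$Port = 1801,             # MSMQ listener port from this page
        # Assumption: build revision (UBR) that first contains the fix, supplied by
        # the operator from Microsoft's KB article. Only meaningful on the same OS build.
        [Nullable[int]]$FixedUbr = $null
    )

    # Returns an empty set when no MSMQ feature is installed.
    $features = @(Get-WindowsFeature -Name 'MSMQ*' | Where-Object Installed)

    # A listener on 1801 means the MSMQ service is up; firewall rules decide who can reach it.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # Get-HotFix lists only what is currently installed. A later cumulative update
    # replaces this KB, so "not found" alone does not prove the host is unpatched.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $patched = [bool]$hotfix -or ($null -ne $FixedUbr -and $ubr -ge $FixedUbr)

    if (-not $features) { $status = 'NotApplicable' }
    elseif ($patched)   { $status = 'Patched' }
    elseif ($listeners) { $status = 'ExposedUnpatched' }
    else                { $status = 'InstalledUnpatched' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        MsmqFeatures  = $features.Name -join ','
        Listening     = [bool]$listeners
        ListenAddress = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        KbInstalled   = [bool]$hotfix
        Ubr           = $ubr
        Status        = $status
    }
}

Test-MsmqPatchState
```

A result of `InstalledUnpatched` or `ExposedUnpatched` without `-FixedUbr` supplied should be confirmed against the installed build before the server is treated as missing the fix.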

Rollback

wusa.exe /uninstall /kb:5029250 /quiet /norestart

Notes

- This entry covers Windows Server 2022 specifically (KB5029250). Other Windows Server versions have their own KB for CVE-2023-36911.
- Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36911 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-36911.

PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.