CVE-2024-49096 Overview
CVE-2024-49096 is a denial of service vulnerability in Microsoft Message Queuing (MSMQ). The flaw affects supported versions of Windows 10, Windows 11, and Windows Server from Server 2008 through Server 2025. An unauthenticated attacker can send crafted network traffic to a system running the MSMQ service and exhaust resources, causing the service to become unavailable. The vulnerability is tracked under [CWE-400] Uncontrolled Resource Consumption and requires no user interaction or privileges to exploit.
Critical Impact
Remote, unauthenticated attackers can disrupt availability of the MSMQ service on affected Windows systems, impacting any application that relies on message queuing for inter-process or distributed communication.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2024-12-12 - CVE-2024-49096 published to NVD by Microsoft
- 2025-01-08 - Last updated in NVD database
Technical Details for CVE-2024-49096
Vulnerability Analysis
The vulnerability resides in the Microsoft Message Queuing service, a Windows component that enables applications running at different times to communicate across heterogeneous networks. MSMQ listens on TCP port 1801 by default when installed and enabled. Crafted messages sent to this listener trigger uncontrolled resource consumption inside the service, classified under [CWE-400]. The result is a denial of service condition that disrupts message queue availability without compromising confidentiality or integrity of stored data. According to the EPSS model, this vulnerability sits in the top tier of likelihood-of-exploitation predictions for the affected window, indicating elevated attention from the research community.
Root Cause
The root cause is improper handling of resource allocation when processing inbound MSMQ protocol traffic. The service does not adequately constrain memory, handles, or processing time associated with malformed or abusive message sequences. Because MSMQ is implemented as a Windows service running with elevated privileges, exhausting its resources halts queue operations for every dependent application on the host.
Attack Vector
The attack vector is network-based. An attacker requires reachability to the MSMQ listener but no credentials, no user interaction, and no prior foothold. Any Windows host with the MSMQ feature enabled and TCP 1801 exposed to untrusted networks is reachable. Public-facing servers and internal hosts in flat network segments are at highest risk. No public proof-of-concept code or in-the-wild exploitation has been documented as of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified public exploit code is available for CVE-2024-49096. Technical specifics on the offending protocol parser are not disclosed in the Microsoft Security Update Guide.
Detection Methods for CVE-2024-49096
Indicators of Compromise
- Repeated crashes or restarts of the MSMQ service (mqsvc.exe) recorded in the Windows System event log.
- Spikes in inbound TCP 1801 connections from a single source or small set of sources.
- Sudden increases in memory or handle counts for mqsvc.exe followed by service termination.
- Application errors from queue-dependent software reporting unreachable or unresponsive queues.
Detection Strategies
- Monitor Windows Service Control Manager events 7031 and 7034 for unexpected MSMQ service failures.
- Alert on anomalous traffic volume to TCP 1801, particularly from unauthenticated or external sources.
- Track process performance counters for mqsvc.exe to baseline normal resource use and flag deviations.
- Correlate MSMQ service restarts with concurrent network telemetry to identify exploitation attempts.
Monitoring Recommendations
- Centralize Windows event logs and mqsvc.exe performance counters in a SIEM for correlation across hosts.
- Maintain an inventory of systems with the MSMQ feature installed and prioritize those with TCP 1801 exposed.
- Review firewall and IDS logs for inbound MSMQ protocol traffic originating from outside trusted zones.
How to Mitigate CVE-2024-49096
Immediate Actions Required
- Apply the December 2024 Microsoft security updates that address CVE-2024-49096 on all affected Windows client and server systems.
- Identify every host with the MSMQ feature enabled by querying Windows optional features and prioritize patch deployment.
- Block inbound TCP 1801 at the network perimeter and restrict it to authorized internal sources only.
- Disable the MSMQ feature on hosts where it is not in active use.
Patch Information
Microsoft released fixes for CVE-2024-49096 as part of the December 2024 Patch Tuesday cycle. Refer to the Microsoft Security Update Guide for the specific KB article and build numbers that correspond to each affected Windows version. Cumulative updates supersede earlier packages, so installing the latest cumulative update for the platform applies the fix.
Workarounds
- Uninstall the Message Queuing Windows feature where the service is not required for business operations.
- Restrict TCP 1801 ingress at host-based and perimeter firewalls to known message queue clients only.
- Place MSMQ servers behind network segmentation that limits exposure to authenticated internal systems.
- Stop and disable the MSMQ service on hosts pending patch deployment if the feature cannot be removed.
# Check whether the MSMQ feature is installed and disable it if unused
Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server
Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart
# Block inbound TCP 1801 at the host firewall
New-NetFirewallRule -DisplayName "Block MSMQ 1801 Inbound" -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
