CVE-2025-21270 Overview
CVE-2025-21270 is a denial of service vulnerability in the Microsoft Message Queuing (MSMQ) service. A remote, unauthenticated attacker can send crafted network traffic to an exposed MSMQ endpoint and disrupt availability of the targeted Windows host. The flaw is categorized under [CWE-400] uncontrolled resource consumption and affects a broad range of Windows client and server releases, including Windows 10, Windows 11, and Windows Server 2008 through Windows Server 2025. Microsoft addressed the issue as part of the January 2025 Patch Tuesday cycle.
Critical Impact
Remote, unauthenticated attackers can disrupt MSMQ service availability on any Windows host with the MSMQ feature enabled and reachable over the network.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-01-14 - CVE-2025-21270 published to NVD
- 2025-01-27 - Last updated in NVD database
Technical Details for CVE-2025-21270
Vulnerability Analysis
The vulnerability resides in the Microsoft Message Queuing service, which listens on TCP port 1801 by default. MSMQ accepts and parses inbound message frames from remote clients without requiring authentication when the service is exposed. A malformed or specifically crafted request triggers an uncontrolled resource consumption condition inside the service. The result is service unavailability on the targeted host. The flaw does not impact confidentiality or integrity, only availability.
Root Cause
The root cause is improper handling of attacker-controlled input within MSMQ message processing, mapped to [CWE-400]. The service fails to constrain resource use when handling abnormal or malformed protocol data. Microsoft has not published low-level technical details. See the Microsoft Security Update CVE-2025-21270 advisory for vendor guidance.
Attack Vector
Exploitation requires only network access to the MSMQ listener. No privileges and no user interaction are required. Attackers send a crafted MSMQ protocol message to TCP 1801 on a vulnerable host. Successful exploitation crashes or hangs the service, denying message queue processing to dependent applications. EPSS data places the exploitation probability at 1.314% (79.9 percentile), indicating elevated relative interest compared to most CVEs.
The vulnerability has not been observed exploited in the wild and is not listed in the CISA Known Exploited Vulnerabilities catalog. No public proof-of-concept exploit has been released. Refer to vendor documentation for protocol-level details.
Detection Methods for CVE-2025-21270
Indicators of Compromise
- Unexpected termination or restart of the MSMQ (Message Queuing) service in the Windows Service Control Manager event log.
- Inbound connections to TCP port 1801 from untrusted or external sources.
- Application Event Log errors from MSMQ components such as MSMQ-Driver or MSMQ-Server.
Detection Strategies
- Monitor Windows Event Logs for MSMQ service crashes, faulting modules, and abnormal restart frequency on hosts running the Message Queuing role.
- Inspect network telemetry for malformed MSMQ binary protocol traffic targeting TCP 1801 from outside trusted application tiers.
- Correlate spikes in connection attempts to the MSMQ port with subsequent service stop events to detect exploitation attempts.
Monitoring Recommendations
- Enable detailed service-state logging and forward Windows Application and System logs to a centralized SIEM for correlation.
- Track which hosts have the MSMQ feature installed using inventory queries against the MSMQ Windows Optional Feature.
- Alert on any external-facing host exposing TCP 1801, since MSMQ should rarely be reachable from untrusted networks.
How to Mitigate CVE-2025-21270
Immediate Actions Required
- Apply the January 2025 Microsoft security updates to all affected Windows client and server systems.
- Audit hosts for the Message Queuing feature and disable it on systems that do not require MSMQ.
- Restrict inbound access to TCP port 1801 using host-based and perimeter firewalls.
Patch Information
Microsoft published fixes through the January 2025 update cycle. Refer to the Microsoft Security Update CVE-2025-21270 advisory for the specific KB articles applicable to each Windows version. Patching is the recommended remediation, as no vendor-supplied configuration workaround is currently documented.
Workarounds
- Disable the Message Queuing Windows feature on hosts that do not require it: Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server.
- Block TCP port 1801 at the network perimeter and on host firewalls where MSMQ is required only for internal traffic.
- Segment MSMQ-dependent applications onto isolated networks accessible only by trusted application servers.
# Configuration example: block external MSMQ traffic via Windows Firewall
New-NetFirewallRule -DisplayName "Block MSMQ Inbound 1801" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 1801 `
-RemoteAddress Any `
-Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
