CVE-2025-53145 Overview
CVE-2025-53145 is a type confusion vulnerability [CWE-843] in the Microsoft Message Queuing (MSMQ) service. The flaw lets an authorized attacker execute arbitrary code over the network by sending crafted MSMQ traffic that causes the service to access a resource using an incompatible type. The issue affects a wide range of Windows client and server releases, from Windows 10 1507 through Windows 11 24H2 and Windows Server 2008 through Windows Server 2025. Microsoft published the advisory on August 12, 2025 and the National Vulnerability Database last updated the entry on August 18, 2025.
Critical Impact
An authenticated network attacker can achieve remote code execution in the context of the MSMQ service, compromising confidentiality, integrity, and availability of affected Windows hosts.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2) and Windows 11 (22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
- Microsoft Windows Server 2022, 2022 23H2, and Windows Server 2025
Discovery Timeline
- 2025-08-12 - CVE-2025-53145 published to NVD with Microsoft advisory release
- 2025-08-18 - Last updated in NVD database
Technical Details for CVE-2025-53145
Vulnerability Analysis
The vulnerability resides in the Windows Message Queuing service (mqsvc.exe), which processes inbound MSMQ messages over TCP port 1801 and related ports. The service interprets the type of an internal object incorrectly, allowing one type to be operated on as if it were another. This type confusion enables an attacker to manipulate memory layout, corrupt object pointers, or invoke unintended virtual methods.
Successful exploitation grants code execution in the MSMQ service context, which typically runs with NETWORK SERVICE privileges. The advisory requires that the attacker hold low-privilege authenticated access on the network, but no user interaction is needed at the target. The combination of network reachability and post-exploitation impact across confidentiality, integrity, and availability makes this a priority patching candidate for any host running MSMQ.
Root Cause
The root cause is improper validation of object type information when MSMQ deserializes or routes inbound message structures. The service treats a memory region as one object type while it actually represents another, leading to invalid pointer dereferences and controllable memory operations. CWE-843 vulnerabilities of this class commonly enable attackers to convert a parsing flaw into arbitrary code execution.
Attack Vector
An attacker with valid network credentials sends a crafted sequence of MSMQ protocol messages to an exposed queuing endpoint. The malformed payload triggers the mismatched type interpretation inside MSMQ, hijacking control flow within the service process. Because MSMQ is often enabled on application servers, domain members, and middleware hosts, exploitation can be used to pivot within an enterprise network.
No public proof-of-concept code or in-the-wild exploitation has been confirmed at the time of writing. However, the EPSS score of 11.075% (93rd percentile) indicates an elevated likelihood of exploit development relative to most CVEs.
Detection Methods for CVE-2025-53145
Indicators of Compromise
- Unexpected child processes spawned by mqsvc.exe, particularly cmd.exe, powershell.exe, or rundll32.exe.
- Crashes, access violations, or restarts of the Message Queuing service recorded in the System or Application event logs.
- Inbound TCP connections to port 1801 from unexpected internal or external sources.
Detection Strategies
- Hunt for anomalous parent-child process relationships where mqsvc.exe initiates code execution or scripting interpreters.
- Inspect MSMQ memory for signs of object corruption such as repeated heap allocations of unusual sizes immediately preceding service crashes.
- Correlate authentication events with subsequent MSMQ traffic to flag low-privilege accounts touching queueing infrastructure they do not normally use.
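The parent-child hunt above, as an added example that is not part of the original advisory or any vendor tooling. It assumes process-creation auditing (Security event 4688) is enabled; the function names and sample records are constructed for illustration.

```powershell
# Added example. Flags process-creation records whose parent is mqsvc.exe.
# Records mirror Security event 4688 fields; ParentProcessName is logged on Windows 10 /
# Server 2016 and later, CommandLine only when command-line auditing is enabled.
function ConvertFrom-ProcessCreationEvent {
    # Flatten a 4688 EventLogRecord from Get-WinEvent into the fields used below.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Record.TimeCreated
            Computer          = $Record.MachineName
            ParentProcessName = $data['ParentProcessName']
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']
        }
    }
}

function Find-MqsvcChildProcess {
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $highRisk = 'cmd.exe', 'powershell.exe', 'rundll32.exe' }  # children named in the IoC list
    process {
        # Skip anything not spawned by mqsvc.exe (a missing parent field is skipped too).
        if ($Record.ParentProcessName -notmatch '\\mqsvc\.exe$') { return }
        $child = ($Record.NewProcessName -split '\\')[-1]
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Computer    = $Record.Computer
            Child       = $child
            CommandLine = $Record.CommandLine
            Severity    = if ($highRisk -contains $child) { 'High' } else { 'Review' }
        }
    }
}

# Constructed sample records (not real telemetry): one benign, two spawned by mqsvc.exe.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-08-20T03:14:01'; Computer = 'APP01'; CommandLine = 'mqsvc.exe'
        ParentProcessName = 'C:\Windows\System32\services.exe'; NewProcessName = 'C:\Windows\System32\mqsvc.exe' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-08-20T03:14:07'; Computer = 'APP01'; CommandLine = 'cmd.exe /c whoami'
        ParentProcessName = 'C:\Windows\System32\mqsvc.exe'; NewProcessName = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-08-20T03:15:30'; Computer = 'APP01'; CommandLine = 'WerFault.exe -u'
        ParentProcessName = 'C:\Windows\System32\mqsvc.exe'; NewProcessName = 'C:\Windows\System32\WerFault.exe' }
)
$sample | Find-MqsvcChildProcess | Format-Table -AutoSize

# Live hunt over the last 7 days (requires rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
#     ConvertFrom-ProcessCreationEvent | Find-MqsvcChildProcess
```

On the sample, the `cmd.exe` child is rated High and the `WerFault.exe` child is rated Review; the `services.exe` to `mqsvc.exe` record is ignored.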
Monitoring Recommendations
- Enable Windows Event Forwarding for MSMQ-related events and centralize them in a SIEM for correlation.
- Monitor network telemetry for TCP/1801 traffic crossing trust boundaries or originating from non-application subnets.
- Track patch state for the August 2025 Microsoft security update across the Windows fleet and alert on missing or rolled-back patches.
How to Mitigate CVE-2025-53145
Immediate Actions Required
- Apply the Microsoft August 2025 security updates referenced in the Microsoft Security Update CVE-2025-53145 advisory to all affected Windows versions.
- Inventory hosts running the Message Queuing service and prioritize patching for any system exposing TCP/1801 to untrusted networks.
- Restrict inbound access to MSMQ ports at the host firewall and network perimeter until patches are confirmed deployed.
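One way to build the inventory described above, as an added example that is not part of the original advisory. The function name, the `$TrustedPeers` allow-list and the sample addresses are hypothetical; the TCP port list is the one given under Workarounds.

```powershell
# Added example. Reports MSMQ service state, listening MSMQ TCP ports, and remote peers
# currently connected to TCP/1801 that are not on a known producer/consumer allow-list.
function Get-MsmqExposure {
    param([string[]]$TrustedPeers = @())   # hypothetical allow-list of expected peers

    $tcpPorts = 1801, 2101, 2103, 2105     # MSMQ TCP ports listed in the workarounds
    $svc      = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listen   = @(Get-NetTCPConnection -State Listen -LocalPort $tcpPorts -ErrorAction SilentlyContinue)
    $peers    = @(Get-NetTCPConnection -State Established -LocalPort 1801 -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty RemoteAddress -Unique)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        MsmqInstalled   = [bool]$svc
        ServiceStatus   = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType       = if ($svc) { $svc.StartType } else { $null }
        ListeningPorts  = ($listen.LocalPort | Sort-Object -Unique) -join ','
        UnexpectedPeers = ($peers | Where-Object { $_ -notin $TrustedPeers }) -join ','
    }
}

# Local check; the addresses are constructed placeholders for known message producers.
Get-MsmqExposure -TrustedPeers '10.0.5.10', '10.0.5.11'

# Fleet check over PowerShell remoting (hosts.txt is a hypothetical host list):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-MsmqExposure} `
#     -ArgumentList (, @('10.0.5.10', '10.0.5.11'))
```

Hosts that report a running service with port 1801 listening and a non-empty `UnexpectedPeers` value are the ones to patch or firewall first.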
Patch Information
Microsoft released cumulative updates addressing CVE-2025-53145 across all supported Windows client and server SKUs on August 12, 2025. Refer to the Microsoft Security Update CVE-2025-53145 advisory for the specific KB article that maps to each Windows build. Legacy releases such as Windows Server 2008 and 2008 R2 require Extended Security Updates (ESU) to receive the fix.
Workarounds
- Disable the Message Queuing service on hosts that do not require it by setting the MSMQ service startup type to Disabled and stopping the service.
- Block TCP port 1801 and the other MSMQ ports (TCP/2101, TCP/2103, TCP/2105, UDP/3527, and UDP/1801) at host and network firewalls where the role is not used.
- Segment MSMQ-dependent application servers into restricted network zones that only accept traffic from known message producers and consumers.
```powershell
# Check if Message Queuing is installed and running, then disable if unneeded
# (Get-WindowsFeature is available on Windows Server only)
Get-WindowsFeature -Name MSMQ*
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($svc) {
    # Only stop and disable the service when it is actually present
    Stop-Service -Name MSMQ -Force
    Set-Service -Name MSMQ -StartupType Disabled
}
# Block inbound MSMQ TCP/1801 at the Windows firewall
New-NetFirewallRule -DisplayName "Block MSMQ 1801 Inbound" `
    -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block
```

