CVE-2023-21769
Published: 11 April 2023
Summary
CVE-2023-21769 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Microsoft Message Queuing (MSMQ) contains a denial-of-service vulnerability tracked as CVE-2023-21769. The flaw is present in the MSMQ component on supported Windows systems and carries a CVSS 3.1 base score of 7.5, reflecting a network-accessible attack that requires no authentication or user interaction and produces a high impact on availability. The associated weakness identifiers are CWE-125 and NVD-CWE-noinfo.
An unauthenticated remote attacker can send specially crafted network messages to an MSMQ endpoint, triggering the flaw and causing the affected service to stop responding. Successful exploitation therefore allows an adversary to interrupt message-queuing operations without needing credentials or prior access to the target system.
Microsoft published an advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21769 that details the affected versions and the corresponding security update. The current EPSS score of 0.4799, with a recorded peak of 0.5102, indicates a moderate estimated likelihood of exploitation that has not risen sharply since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-25936
Vulnerability details
Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.