Cyber Resilience

CVE-2023-21769

High

Published: 11 April 2023
Modified: 01 January 2025
KEV Added: not listed
Patch: available (see vendor advisory)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.4799 (97.8th percentile)
Risk Priority: 44 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-21769 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft Message Queuing (MSMQ) contains a denial-of-service vulnerability tracked as CVE-2023-21769. The flaw is present in the MSMQ component on supported Windows systems and carries a CVSS 3.1 base score of 7.5, reflecting a network-accessible attack that requires no authentication or user interaction and produces a high impact on availability. The associated weakness identifiers are CWE-125 and NVD-CWE-noinfo.

An unauthenticated remote attacker can send specially crafted network messages to an MSMQ endpoint, triggering the flaw and causing the affected service to stop responding. Successful exploitation therefore allows an adversary to interrupt message-queuing operations without needing credentials or prior access to the target system.

Microsoft published an advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21769 that details the affected versions and the corresponding security update. The current EPSS score of 0.4799, with a recorded peak of 0.5102, indicates moderate but not sharply increasing public interest in exploitation since disclosure.

EU & UK References

Vulnerability details

Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     | Product             | Affected versions
-----------|---------------------|---------------------
microsoft  | windows 10 1607     | ≤ 10.0.14393.5850
microsoft  | windows 10 1809     | ≤ 10.0.17763.4252
microsoft  | windows 10 20h2     | ≤ 10.0.19042.2846
microsoft  | windows 10 21h2     | ≤ 10.0.19044.2846
microsoft  | windows 10 22h2     | ≤ 10.0.19045.2846
microsoft  | windows 11 21h2     | ≤ 10.0.22000.1817
microsoft  | windows 11 22h2     | ≤ 10.0.22621.1555
microsoft  | windows server 2008 | all versions, r2
microsoft  | windows server 2012 | all versions, r2
microsoft  | windows server 2016 | all versions

+2 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References