CVE-2025-53144
Published: 12 August 2025
Summary
CVE-2025-53144 is a high-severity Type Confusion (CWE-843) vulnerability in the Windows Message Queuing (MSMQ) component of Microsoft Windows Server 2008. Its CVSS 3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS percentile places it in the top 4.0% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a type confusion flaw (CWE-843) in Windows Message Queuing that permits an authorized attacker to execute code over a network. It carries a CVSS 3.1 score of 8.8 and was published on 2025-08-12.
An attacker with valid low-privileged credentials can reach the affected component remotely with low attack complexity and no user interaction, resulting in full compromise of confidentiality, integrity, and availability on the target system (CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Because the only barrier is a valid account, any foothold that yields domain or local credentials is enough to reach the queue manager.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53144 addresses the issue. The EPSS score (the estimated probability of exploitation activity in the next 30 days) has remained flat at 0.2284, with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24323
Vulnerability details
Access of resource using incompatible type ('type confusion') in Windows Message Queuing allows an authorized attacker to execute code over a network.
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Type confusion in MSMQ gives an authenticated remote attacker code execution on a network-accessible Windows service. That maps to T1190 (Exploit Public-Facing Application) where the queue manager is reachable from outside the perimeter, and to T1210 (Exploitation of Remote Services) where it is reached from inside the network after an initial foothold.
Affected Assets
- Microsoft Windows Server 2008 with the Windows Message Queuing (MSMQ) component installed; consult the MSRC advisory linked above for the complete product list.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the type confusion vulnerability by requiring timely identification, reporting, and correction through the update Microsoft provides.
- CM-7 (Least Functionality): Prevents exploitation by configuring systems to disable unnecessary functionality such as Windows Message Queuing where it is not required, removing the attack surface entirely.
- SC-7 (Boundary Protection): Limits network exposure of the Message Queuing service by enforcing boundary protections such as host and network firewalls that restrict which hosts can reach it. This matters because the attacker needs only low privileges, so reachability, not authorization, is the effective control.
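The following PowerShell script is an added example, not code from this page, the MSRC advisory or Microsoft. It audits a host for the CM-7 and SC-7 conditions above (is MSMQ installed and running, is TCP 1801 listening, which inbound firewall rules open it, and do the firewall profiles block inbound traffic by default) and, on request, either removes the MSMQ feature or restricts the listener to named subnets. The Mode parameter names, the subnet 10.20.30.0/24 and the rule display name are assumptions for illustration. The NetSecurity and NetTCPIP cmdlets it uses exist on Windows Server 2012 / Windows 8 and later; on Windows Server 2008 itself the same checks are done with netstat, netsh advfirewall and Server Manager. Patching (SI-2) is deliberately not scripted, since the specific update comes from the MSRC advisory and your normal update channel.

```powershell
<#
Added example (not from the page or from Microsoft): audit and mitigate MSMQ exposure
relevant to CVE-2025-53144. Run from an elevated PowerShell session.
Assumptions: cmdlets require Windows Server 2012 / Windows 8 or later; on Windows Server
2008 use `netstat -ano | findstr :1801`, `netsh advfirewall firewall ...` and Server Manager.
10.20.30.0/24 is a placeholder for the hosts that legitimately need to reach MSMQ.
#>
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Remove', 'Restrict')]
    [string]$Mode = 'Audit',
    [string[]]$AllowedRemoteSubnets = @('10.20.30.0/24')   # placeholder, adjust per environment
)

# MSMQ's primary TCP listener. Its RPC-based ports (135 and 2101/2103/2105) are not
# covered by this script and need the same scoping if the service stays installed.
$MsmqPort = 1801

# --- Audit -----------------------------------------------------------------
$svc      = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$listener = Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue

# Resolve port filters that name TCP 1801 back to their enabled inbound Allow rules.
# Rules written as a range or as "Any" are not matched here and need manual review.
$openRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$MsmqPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

# Profiles whose default inbound action is not Block would let the scoped rule below be bypassed.
$permissiveProfiles = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }

[pscustomobject]@{
    MsmqServiceInstalled         = [bool]$svc
    MsmqServiceRunning           = ($null -ne $svc -and $svc.Status -eq 'Running')
    Tcp1801Listening             = [bool]$listener
    InboundAllowRulesOn1801      = @($openRules).Count
    ProfilesNotBlockingByDefault = @($permissiveProfiles | Select-Object -ExpandProperty Name)
} | Format-List

if ($Mode -eq 'Audit') { return }

# --- CM-7: remove the feature when no workload needs it --------------------
if ($Mode -eq 'Remove') {
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server SKUs: removing the parent MSMQ feature also removes its sub-features.
        Uninstall-WindowsFeature -Name MSMQ -IncludeManagementTools
    } else {
        # Client SKUs expose MSMQ as an optional feature instead.
        Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart
    }
    return
}

# --- SC-7: keep MSMQ, but only for the subnets that need it ----------------
# Windows Firewall evaluates Block rules before Allow rules, so a blanket Block on 1801
# would also drop the permitted subnets. Instead: disable the broad Allow rules, add one
# Allow rule scoped to the trusted subnets, and make sure every profile blocks inbound
# traffic by default so nothing else reaches the listener.
$openRules | Disable-NetFirewallRule

New-NetFirewallRule -DisplayName "MSMQ TCP $MsmqPort - trusted subnets only" `
    -Direction Inbound -Protocol TCP -LocalPort $MsmqPort `
    -RemoteAddress $AllowedRemoteSubnets -Action Allow -Profile Any | Out-Null

Set-NetFirewallProfile -All -DefaultInboundAction Block
```

Run it once with the default Audit mode to see the host's state, then choose Remove where nothing consumes queues and Restrict where an application depends on MSMQ. Re-run Audit afterwards: the expected end state is either no MSMQ service at all, or a single enabled inbound Allow rule on TCP 1801 and every profile reporting Block as its default inbound action.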