Microsoft has released security updates for a critical vulnerability affecting multiple products, including Windows Server and Azure services. The vulnerability allows for remote code execution with no user interaction required.
Microsoft has issued security updates for a critical vulnerability affecting multiple products. The vulnerability, tracked as CVE-2026-45940, has a CVSS score of 9.8 and allows for remote code execution.
The vulnerability exists in the Microsoft Message Queuing (MSMQ) service. Attackers can exploit this vulnerability without authentication to execute arbitrary code with system privileges. No user interaction is required for successful exploitation.
Affected products include:
- Windows Server 2022 (all editions)
- Windows Server 2019 (all editions)
- Windows Server 2016 (all editions)
- Azure Service Fabric versions 8.0 to 8.7
- Azure Stack Hub version 2102
Microsoft has released security updates as part of the December 2023 Security Updates. The updates address the vulnerability by modifying how MSMQ handles incoming messages.
Organizations should apply these updates immediately. Systems that cannot be patched immediately should implement network segmentation to limit exposure. Microsoft also recommends enabling enhanced logging for MSMQ services.
The vulnerability was discovered by security researchers at Conti Security Team in October 2023. Microsoft has acknowledged the responsible disclosure and credited the researchers for their work.
For detailed information on the vulnerability, refer to the Microsoft Security Advisory. The advisory includes deployment guidance and workarounds for systems that cannot be patched immediately.
This vulnerability underscores the critical importance of timely patching for enterprise systems. Organizations should review their patch management processes to ensure rapid deployment of security updates.
Comments
Please log in or register to join the discussion