Description
Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally.
Published: 2025-12-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

This vulnerability arises from improper input validation within Windows Message Queuing. An attacker who is already authorized on a host can supply crafted input that bypasses validation checks, enabling them to elevate their local privileges. The primary consequence is that a user with limited rights can gain higher authority, potentially compromising the entire system. The weakness corresponds to CWE‑20, which covers improper input validation.

Affected Systems

The affected operating systems include Windows 10 from versions 1607 through 22H2 and several Windows Server releases: Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. All listed editions, including server core installations where applicable, are impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the very low EPSS (< 1%) suggests that exploitation in the wild is unlikely at this time. Because the vulnerability requires an authorized local attacker, it cannot be exploited remotely: the attack vector is local, so the attacker must already be on the target machine or hold some pre‑existing user privileges. Given its absence from the KEV catalog, there is currently no known mass exploitation campaign targeting this flaw, but the impact remains significant if an attacker gains the necessary foothold.

Generated by OpenCVE AI on April 20, 2026 at 16:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Windows Message Queuing to the latest security release available through Microsoft’s update guide
  • If MSMQ is not essential for business operations, stop or uninstall the service to remove the attack surface
  • Configure the local firewall and account permissions to restrict which users can interact with MSMQ, applying the principle of least privilege
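A read-only inventory script supporting the second and third actions above, added here as an example and not part of the OpenCVE record or Microsoft's guidance; it assumes the built-in DISM and NetTCPIP PowerShell modules and, as an assumption, that MSMQ's well-known TCP port 1801 is the one worth checking:

```powershell
# Added example (not OpenCVE's or Microsoft's code): a read-only inventory of MSMQ
# exposure on a Windows host, to support the "stop or uninstall" decision above.
# Assumes Windows 10 / Windows Server with the DISM and NetTCPIP modules (built in).
# Run from an elevated PowerShell session; by default nothing is changed.
param([switch]$Remediate)

$report = [ordered]@{}

# 1. Is the MSMQ feature installed at all? (MSMQ-Server is the standard DISM feature name)
$feat = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -ErrorAction SilentlyContinue
$report['MSMQ-Server feature'] = if ($feat) { $feat.State } else { 'NotPresent' }

# 2. Is the service present, and is it running / set to start automatically?
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$report['Service status']  = if ($svc) { $svc.Status } else { 'NotInstalled' }
$report['Service startup'] = if ($svc) { $svc.StartType } else { 'n/a' }

# 3. Is anything listening on TCP 1801 (assumed MSMQ port)? A listening socket widens
#    the exposure beyond the local-only vector described for this CVE.
$listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$report['TCP 1801 listening'] = [bool]$listen

[pscustomobject]$report | Format-List

# 4. Optional remediation, only when explicitly requested and MSMQ is non-essential:
#    stop and disable the service now, then remove the feature (a restart may be required).
if ($Remediate -and $svc) {
    Stop-Service -Name MSMQ -Force
    Set-Service  -Name MSMQ -StartupType Disabled
    Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart | Out-Null
    Write-Host 'MSMQ service disabled and feature removal queued (restart to complete).'
}
```

Run it without arguments first and record the output as evidence of the host's exposure; pass -Remediate only on hosts where MSMQ has been confirmed non-essential.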

Advisories

No advisories yet.

History

Fri, 12 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows Server 2008
CPEs cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows Server 2008

Tue, 09 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally.
Title Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows Server 2008 R2
Microsoft windows Server 2008 Sp2
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Weaknesses CWE-20
CPEs cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows Server 2008 R2
Microsoft windows Server 2008 Sp2
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:43.704Z

Reserved: 2025-10-14T18:24:58.483Z

Link: CVE-2025-62455

Vulnrichment

Updated: 2025-12-09T20:15:38.556Z

NVD

Status : Analyzed

Published: 2025-12-09T18:15:56.967

Modified: 2025-12-12T20:02:25.350

Link: CVE-2025-62455

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:15:11Z

Weaknesses