Microsoft Patches MSMQ Flaw That Affects IIS Web Servers
Microsoft has issued an emergency security update to fix a critical vulnerability in the Message Queuing (MSMQ) feature, which affects Windows 10 systems that run IIS web servers and are used in enterprise environments.
The vulnerability, which was identified and documented in the December 9, 2025 update (KB5071546), impacts Windows 10 versions 22H2 and 21H2.
The Vulnerability
The MSMQ bug causes significant operational disruptions, particularly in clustered MSMQ environments that experience high traffic.
Organizations affected by this vulnerability have reported several critical symptoms, including inactive message queues, insufficient resource errors, and applications being unable to write to message queues.
The vulnerability manifests through various error conditions that severely disrupt IT operations.
Users have reported receiving error messages indicating insufficient disk space or memory, even when system resources are available.
The Message Queue service fails to create new messages, resulting in application failures and service interruptions.
These issues are particularly severe in enterprise and managed IT environments where MSMQ handles large volumes of messages across distributed systems.
Notably, Microsoft has confirmed that users of Windows Home and Pro editions running personal devices are unlikely to encounter this issue.
The vulnerability primarily poses a threat to enterprise-class deployments where MSMQ is a critical infrastructure component for application messaging and queue management.
The out-of-band patch directly addresses the MSMQ functionality failures that occurred after the December 9, 2025 updates.
System administrators must apply KB5015684 to upgrade to Windows 10 version 22H2, which includes the MSMQ fix along with other quality improvements.
Users who have previously installed updates will automatically receive only the new updates contained within this package.
Microsoft continues to monitor for additional MSMQ-related issues and provides updated guidance through the Windows release health dashboard.
For comprehensive security information, administrators should consult the Security Update Guide and December 2025 Security Updates documentation published on Microsoft’s official channels.