Port 1801: MSMQ — The Message That Waits

What This Port Does

Port 1801 carries Microsoft Message Queuing (MSMQ) traffic — both TCP and UDP. When MSMQ is installed on a Windows machine, it listens on this port for direct queue-to-queue communication with other Windows systems.

MSMQ is a store-and-forward messaging service. When an application sends a message to a queue, MSMQ holds it until the destination is reachable, then delivers it. The network can drop. The destination can go offline. The message will wait.

The Problem It Solved

In 1997, Microsoft was watching enterprises wire together distributed applications across unreliable WANs. A sale recorded in Chicago needed to reach inventory in Dallas. If the connection dropped mid-transaction, what happened to the data?

MSMQ answered that question: the message lives in a durable queue on disk, survives reboots, and gets delivered exactly once when the connection returns. No message lost, no duplicate orders, no corrupted state.

It was a real solution to a real problem. Large enterprises — airlines, banks, hospitals — built critical workflows on top of it.¹

The Registered Port

Port 1801 is a registered port (range 1024–49151). These ports are assigned by IANA to specific services based on vendor requests, but they aren't reserved with the same force as well-known ports (0–1023). Any process can open them; the registration is a coordination mechanism, not a guarantee.

IANA lists port 1801 as assigned to MSMQ for both TCP and UDP.²

The Problem Nobody Noticed

MSMQ ships as an optional Windows component, but for years it was installed by default alongside various Microsoft server products — Exchange, SQL Server, some BizTalk configurations. System administrators enabled it for one application and never thought about it again.

By 2023, the Internet was full of Windows servers with port 1801 open, MSMQ running, and nobody who remembered why.

In April 2023, Check Point Research disclosed CVE-2023-21554 — nicknamed QueueJumper.³

The flaw was in how MSMQ parsed incoming message headers. A specially crafted packet sent to port 1801 could trigger an out-of-bounds write in MQQM.DLL, leading to remote code execution in the context of the Windows service process. No authentication required. No user interaction. Just send the packet.

CVSS score: 9.8.

The same disclosure revealed two additional vulnerabilities reachable through port 1801: CVE-2023-28302 (denial of service via malformed headers) and another memory corruption issue.⁴ Microsoft patched all three in the April 2023 Patch Tuesday.

Security Considerations

If MSMQ is running and you don't need it, turn it off. Port 1801 should not be reachable from the Internet under any normal circumstances.

Check if MSMQ is running on Windows:

# Check if MSMQ service is running
Get-Service -Name MSMQ

# Check if port 1801 is listening
netstat -ano | findstr :1801

On Linux, check with:

ss -tlnp | grep 1801
# or
lsof -i :1801

If MSMQ is legitimately in use, firewall port 1801 to allow only the specific Windows hosts that need to communicate with each other. It should never be reachable from arbitrary IP addresses.

Related Ports

MSMQ uses several ports together: