Full Report
As if admins haven't had enough to do this week Ignore patches at your own risk. According to Uncle Sam, a SQL injection flaw in Microsoft Configuration Manager patched in October 2024 is now being actively exploited, exposing unpatched businesses and government agencies to attack.…
Analysis Summary
# Vulnerability: Microsoft Configuration Manager Remote Code Execution via SQL Injection
## CVE Details
- **CVE ID:** CVE-2024-43468
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
## Affected Systems
- **Products:** Microsoft Configuration Manager (formerly MECM/SCCM)
- **Versions:** 2403 and earlier versions (Note: Specific builds depend on the October 2024 update cycle).
- **Configurations:** Systems where the Microsoft Configuration Manager server is accessible via the network, typically involving the primary site server or site systems.
## Vulnerability Description
CVE-2024-43468 is a critical SQL injection vulnerability. An unauthenticated, remote attacker can send specially crafted requests to a Microsoft Configuration Manager instance. Because the application fails to properly sanitize these inputs before including them in database queries, the attacker can execute arbitrary SQL commands against the underlying database or execute commands on the server itself, potentially leading to full administrative takeover.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV Catalog in February 2026).
- **Complexity:** Low (Requires no special privileges or user interaction).
- **Attack Vector:** Network (Remote).
- **PoC Available:** Yes (At least two proof-of-concept exploits have been published).
## Impact
- **Confidentiality:** High (Total access to the configuration database and managed client data).
- **Integrity:** High (Ability to modify server configurations or push malicious software to managed devices).
- **Availability:** High (Potential for database corruption or system shutdown).
## Remediation
### Patches
- Microsoft addressed this vulnerability in the **October 2024 Security Update**.
- Users should ensure they are running supported versions of Microsoft Configuration Manager (e.g., version 2403 with the applicable hotfix or newer releases).
### Workarounds
- There are no official functional workarounds that do not involve patching.
- Restricting access to the Configuration Manager site systems at the network level (firewalling) can reduce the attack surface.
## Detection
- **Indicators of Compromise:** Monitor SQL Server logs for unusual queries, specifically those involving `xp_cmdshell` or unexpected administrative commands. Watch for unauthorized command execution originating from the `smsexec.exe` process.
- **Detection methods and tools:**
- Use CISA’s Known Exploited Vulnerabilities (KEV) catalog as a reference for mandatory patching deadlines.
- Vulnerability scanners (Nessus, Qualys, Rapid7) updated with October 2024 definitions.
- Check Microsoft Configuration Manager "Updates and Servicing" node to verify patch installation status.
## References
- CISA KEV Catalog: hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- Microsoft Security Response Center (MSRC): hxxps[://]msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43468
- Original Reporting: hxxps[://]www.theregister.com/2026/02/13/cisa_cve_2024_43468/