PT-2024-6731 · Microsoft · Configuration Manager
Mehdi Elyassa · Published 2024-05-21 · Updated 2026-05-04 · CVE-2024-43468
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Microsoft Configuration Manager versions prior to 2403 (5.00.9128.1024)
Microsoft Configuration Manager versions prior to 2309 (5.00.9122.1033)
Microsoft Configuration Manager versions prior to 2303 (5.00.9106.1037)
Microsoft Configuration Manager versions less than or equal to 2211
Description
Microsoft Configuration Manager (ConfigMgr/SCCM) contains a critical SQL injection vulnerability in the MP Location service. This flaw allows unauthenticated, remote attackers to execute arbitrary SQL queries with the highest privileges on the Microsoft Configuration Manager site database. Successful exploitation can lead to remote code execution on affected systems. Proof-of-concept (PoC) code is publicly available. CISA has added this vulnerability (CVE-2024-43468) to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The vulnerability stems from improper neutralization of user-supplied input, specifically a failure to protect the SQL query structure. Exploitation involves sending crafted HTTP requests to the ConfigMgr console services. An estimated 37,000+ services are affected globally.
Recommendations
Microsoft Configuration Manager versions prior to 2403 (5.00.9128.1024): Apply the relevant Microsoft hotfix or upgrade to a newer version.
Microsoft Configuration Manager versions prior to 2309 (5.00.9122.1033): Apply the relevant Microsoft hotfix or upgrade to a newer version.
Microsoft Configuration Manager versions prior to 2303 (5.00.9106.1037): Apply the relevant Microsoft hotfix or upgrade to a newer version.
Microsoft Configuration Manager versions less than or equal to 2211: Apply the relevant Microsoft hotfix or upgrade to a newer version.
Restrict exposure of ConfigMgr/SQL ports (80/443/1433) to trusted networks.
Hunt for anomalous SQL activity and new administrative accounts.
Exploit
Fix
RCE
SQL injection
Affected Products
Configuration Manager