CISA has issued an urgent alert about a critical SQL injection vulnerability in Microsoft Configuration Manager (SCCM).
Tracked as CVE-2024-43468, this flaw lets unauthenticated attackers run malicious commands on servers and databases.
CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on February 12, 2026; agencies must patch by March 5, 2026, or face federal mandates.
Microsoft Configuration Manager helps IT teams manage devices, deploy software, and handle updates across Windows networks.
The bug affects its console services, where poorly sanitized user input can lead to SQL injection attacks. Attackers craft special HTTP requests to the SCCM server.
These requests trick the system into executing arbitrary SQL queries on the backend SQL Server database.
From there, hackers can dump sensitive data, escalate privileges, or run OS commands, paving the way for ransomware, data theft, or full network compromise.
CISA reports active exploitation in the wild, though details on specific campaigns remain unknown. Ransomware groups often target management tools like SCCM for quick lateral movement.
The vulnerability is severe. While an exact CVSS score isn’t public yet, SQL injection flaws like this (linked to CWE-89) typically rate 8.0+ due to the potential for remote code execution.
Microsoft released patches as part of its November 2024 Patch Tuesday update. Affected versions include SCCM 2303 and earlier; upgrade to 2311 or later and apply the fix via KB5044285 or newer.
Key steps:
| Action | Details |
| --- | --- |
| Immediate Actions | Scan with Defender or SSMS for suspicious queries. |
| Patch Fast | Install updates; test before production rollout. |
| Mitigate | Block untrusted IPs, enable IIS protection, use least privilege. |
| Cloud Twist | Enable MFA, logging, and zero-trust for Azure setups. |
Immediate Actions: Scan environments with tools like Microsoft Defender or SQL Server Management Studio for anomalous queries.
Patch Fast: Download updates from Microsoft Update Catalog. Test in staging first to avoid disrupting console access.
Mitigate: Block inbound traffic to SCCM ports (e.g., 80/443, 1433) from untrusted IPs using firewalls. Enable SQL injection protection in IIS and use least-privilege database accounts.
If patching isn’t viable, CISA advises discontinuing the product. Organizations should hunt for signs of compromise, such as unusual SQL logs, failed authentications, or new admin accounts.
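As a starting point for that hunt, the T-SQL below can be run in SQL Server Management Studio against the SQL Server instance that hosts the Configuration Manager site database. It is an added example, not guidance published by CISA or Microsoft; the 30-day look-back window is an assumption to adjust to your own exposure period.

```sql
-- Added hunting example (not from CISA or Microsoft).
-- Assumption: 30-day look-back; widen it to cover your unpatched period.
DECLARE @since datetime = DATEADD(DAY, -30, GETDATE());

-- 1. Logins created or modified inside the window, with their sysadmin status.
--    Any row you cannot tie to a change ticket deserves follow-up.
SELECT  p.name,
        p.type_desc,
        p.create_date,
        p.modify_date,
        p.is_disabled,
        IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM    sys.server_principals AS p
WHERE   p.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND  (p.create_date >= @since OR p.modify_date >= @since)
ORDER BY p.create_date DESC;

-- 2. Current members of every fixed server role, to compare against the
--    accounts your team expects (least-privilege baseline).
SELECT  r.name AS server_role,
        m.name AS member,
        m.type_desc,
        m.create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 3. Server options that let T-SQL reach the operating system.
--    value_in_use = 1 where you never enabled the option is a red flag.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 4. Failed logins recorded in the current SQL Server error log
--    (0 = current log file, 1 = SQL Server log rather than Agent log).
EXEC sp_readerrorlog 0, 1, N'Login failed';
```

Results from queries 1 and 2 are only meaningful against a known-good list of administrators, so export that baseline once the server is patched and verified clean.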
This joins a string of SCCM issues, underscoring the need for rapid patching in enterprise tools. Stay vigilant: check CISA’s KEV list and Microsoft’s security advisories.
The post CISA Warns of Microsoft Configuration Manager SQL Injection Vulnerability Exploited in Attacks appeared first on Cyber Security News.



