CISA Warns Microsoft Configuration Manager SQL Injection Vulnerability

CISA has released a crucial warning regarding a significant SQL injection vulnerability in Microsoft Configuration Manager (SCCM).

Identified as CVE-2024-43468, this vulnerability permits unauthenticated attackers to execute harmful commands on servers and databases.

CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on February 12, 2026; federal agencies must apply the patch by March 5, 2026, or fall out of compliance with the binding federal directive.

Microsoft Configuration Manager aids IT teams in overseeing devices, distributing software, and managing updates across Windows networks.

The flaw affects its console services, where inadequately sanitized user input can enable SQL injection. Attackers send specially crafted HTTP requests to the SCCM server.

Such requests trick the service into running arbitrary SQL queries against the backend SQL Server database.
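As an added, generic illustration of the mechanism described above (this is not Configuration Manager's code and does not model the affected console service), the following Python uses the standard-library SQLite module to contrast a lookup that concatenates untrusted input into SQL text with one that binds it as a parameter. The table, its rows and the three-character site-code format are all constructed for the example.

```python
"""Generic CWE-89 illustration: string-built SQL beside a parameterized query.
Self-contained example using SQLite; it is not Configuration Manager code and
the table, rows and site-code format are all constructed for this demo."""
import re
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed device inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, site_code TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [("WS-001", "ABC", "alice"), ("WS-002", "ABC", "bob"), ("SRV-01", "XYZ", "ops")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, site_code: str) -> list[str]:
    """Vulnerable pattern: untrusted input is spliced into the SQL text, so a
    quote character in the input changes the structure of the statement."""
    sql = "SELECT name FROM devices WHERE site_code = '" + site_code + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, site_code: str) -> list[str]:
    """Hardened pattern: a bound parameter is always passed as data; the
    database never interprets it as SQL, whatever characters it contains."""
    sql = "SELECT name FROM devices WHERE site_code = ?"
    return [row[0] for row in conn.execute(sql, (site_code,))]


# Assumed format for this demo's site codes: exactly three upper-case
# alphanumerics. An allow-list check like this is defence in depth, not a
# substitute for parameter binding.
SITE_CODE_RE = re.compile(r"^[A-Z0-9]{3}$")


def validate_site_code(site_code: str) -> str:
    """Reject any value outside the constructed allow-list format."""
    if not SITE_CODE_RE.fullmatch(site_code):
        raise ValueError("site code does not match the allowed format")
    return site_code


def demo() -> dict[str, list[str]]:
    """Run both lookups on a benign value and on a classic tautology input."""
    conn = build_sample_db()
    benign = "ABC"
    # Closes the string literal and appends an always-true condition, turning a
    # filtered lookup into a dump of the whole table when input is concatenated.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "hardened_benign": lookup_hardened(conn, benign),
        "hardened_crafted": lookup_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>19}: {rows}")
```

Running `demo()` shows the concatenated query returning every row for the crafted input while the parameterized query returns nothing, because the bound value is compared as a literal string. The allow-list check is a useful second layer for inputs with a known shape, but parameter binding is the control that removes the injection primitive regardless of input format.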



Consequently, cybercriminals can extract sensitive information, elevate privileges, or execute OS commands, paving the way for ransomware, data breaches, or complete network takeover.

CISA reports ongoing exploitation in the field, though particulars on specific operations remain undisclosed. Ransomware collectives frequently target management utilities like SCCM for rapid lateral movement.

The vulnerability is severe. Although an exact CVSS score has not yet been published, SQL injection flaws of this kind (CWE-89) usually score 8.0 or higher because of the potential for remote code execution.

Microsoft issued fixes as part of its November 2024 Patch Tuesday release. Vulnerable versions include SCCM 2303 and earlier; upgrade to 2311 or later and apply the fix via KB5044285 or newer.

Essential measures:

| Action | Details |
| --- | --- |
| Immediate Actions | Conduct scans using Defender or SSMS for unusual queries. |
| Patch Swiftly | Apply updates; test prior to production deployment. |
| Mitigate | Restrict untrusted IPs, activate IIS protection, and apply least privilege. |
| Cloud Adaptation | Enable MFA, logging, and zero-trust for Azure configurations. |

Immediate Actions: Examine environments with tools such as Microsoft Defender or SQL Server Management Studio for irregular queries.

Patch Swiftly: Download updates from Microsoft Update Catalog. Validate in staging first to avert interrupting console access.

Mitigate: Block inbound traffic to SCCM ports (e.g., 80/443, 1433) from unverified IPs using firewalls. Activate SQL injection safeguards in IIS and utilize least-privilege database accounts.

If patching isn't feasible, CISA recommends discontinuing use of the product. Organizations should also hunt for indicators of compromise, such as abnormal SQL logs, bursts of failed login attempts, or newly created admin accounts.
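To make the hunting advice above concrete, here is an added example (not from CISA, Microsoft, or the Configuration Manager product) that triages a small set of SQL Server-style audit events for the three indicator types the article names: abnormal SQL statements, failed-login bursts, and new admin accounts. The pipe-delimited log format, the IP addresses, and every event in `SAMPLE_LOG` are constructed for this demo; adapt `parse_events` to whatever your SQL Server audit or Extended Events export actually looks like.

```python
"""Triage constructed SQL Server-style audit events for the indicators the
advisory lists. The log format and all events are constructed for this
example; this is not Configuration Manager code."""
import re
from collections import Counter

# Constructed sample in the assumed format "timestamp|source_ip|event_type|detail".
SAMPLE_LOG = """\
2026-02-12T10:00:01|10.0.0.5|LOGIN_OK|user=svc_sccm
2026-02-12T10:00:02|10.0.0.5|QUERY|SELECT name FROM devices WHERE name = 'WS-001'
2026-02-12T10:01:10|203.0.113.9|LOGIN_FAIL|user=sa
2026-02-12T10:01:11|203.0.113.9|LOGIN_FAIL|user=sa
2026-02-12T10:01:12|203.0.113.9|LOGIN_FAIL|user=sa
2026-02-12T10:01:13|203.0.113.9|LOGIN_FAIL|user=sa
2026-02-12T10:01:14|203.0.113.9|LOGIN_FAIL|user=sa
2026-02-12T10:02:00|203.0.113.9|ERROR|Msg 105: Unclosed quotation mark after the character string
2026-02-12T10:03:30|203.0.113.9|QUERY|SELECT 1; EXEC xp_cmdshell 'whoami'
2026-02-12T10:04:00|203.0.113.9|QUERY|CREATE LOGIN backup_admin WITH PASSWORD = 'x'; ALTER SERVER ROLE sysadmin ADD MEMBER backup_admin
"""

# Statements that run OS commands from inside SQL Server.
OS_COMMAND = re.compile(r"\b(xp_cmdshell|sp_OACreate)\b", re.IGNORECASE)
# Statements that create logins or change server-level role membership.
ADMIN_CHANGE = re.compile(
    r"\b(CREATE\s+LOGIN|ALTER\s+SERVER\s+ROLE|sp_addsrvrolemember)\b", re.IGNORECASE
)
# Parser errors that commonly appear while someone is probing quoting behaviour.
INJECTION_ERROR = re.compile(r"Unclosed quotation mark|Incorrect syntax near", re.IGNORECASE)


def parse_events(text: str) -> list[dict]:
    """Split the constructed pipe-delimited log into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, detail = line.split("|", 3)
        events.append({"ts": ts, "src": src, "kind": kind, "detail": detail})
    return events


def triage(events: list[dict], fail_threshold: int = 5) -> list[dict]:
    """Return one finding per indicator: a failed-login burst per source IP,
    each injection-style parser error, each OS-command statement and each
    login/role change. The threshold is an assumed tuning value."""
    findings = []
    fails = Counter(e["src"] for e in events if e["kind"] == "LOGIN_FAIL")
    for src, n in fails.items():
        if n >= fail_threshold:
            findings.append({"category": "failed_login_burst", "src": src,
                             "detail": f"{n} failed logins"})
    for e in events:
        if e["kind"] == "ERROR" and INJECTION_ERROR.search(e["detail"]):
            findings.append({"category": "sql_error_probe", "src": e["src"],
                             "detail": e["detail"]})
        elif e["kind"] == "QUERY":
            if OS_COMMAND.search(e["detail"]):
                findings.append({"category": "os_command_execution", "src": e["src"],
                                 "detail": e["detail"]})
            if ADMIN_CHANGE.search(e["detail"]):
                findings.append({"category": "admin_account_change", "src": e["src"],
                                 "detail": e["detail"]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG)):
        print(f"[{f['category']}] {f['src']}: {f['detail']}")
```

The benign activity from `10.0.0.5` produces no findings, while the second source trips all four rules. In practice the same rules are better expressed as queries against the SQL Server audit log or SIEM, with the failed-login threshold tuned to the environment's normal noise.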

This adds to a series of SCCM issues, underscoring the need for prompt patching of enterprise management tools. Remain vigilant: check CISA's KEV catalog and Microsoft's security advisories.
