CISA Warns: Microsoft Config Manager SQLi Configuration Injection
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical SQL injection vulnerability affecting Microsoft Configuration Manager (SCCM). Tracked as...
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical SQL injection vulnerability affecting Microsoft Configuration Manager (SCCM).
Tracked as CVE-2024-43468, this flaw lets unauthenticated attackers run malicious commands on servers and databases.
Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on February 12, 2026, agencies must patch by March 5, 2026, or face federal mandates.
Microsoft Configuration Manager helps IT teams manage devices, deploy software, and handle updates across Windows networks.
The bug affects its console services, where poorly sanitized user input can lead to SQL injection attacks. Attackers craft special HTTP requests to the SCCM server.
These requests trick the system into executing arbitrary SQL queries on the backend SQL Server database.
From there, hackers can dump sensitive data, escalate privileges, or run OS commands, making the way for ransomware, data theft, or full network compromise.
CISA reports active exploitation in the wild, though details on specific campaigns remain unknown. Ransomware groups often target management tools like SCCM for quick lateral movement.
The vulnerability on severe, while an exact CVSS score isn’t public yet, SQL injection flaws like this (linked to CWE-89) typically rate 8.0+ due to the potential for remote code execution.
Microsoft released patches as part of its November 2024 Patch Tuesday update. Affected versions include SCCM 2303 and earlier; upgrade to 2311 or later and apply the fix via KB5044285 or newer.
Key steps:
| Action | Details |
|---|---|
| Immediate Actions | Scan with Defender or SSMS for suspicious queries. |
| Patch Fast | Install updates; test before production rollout. |
| Mitigate | Block untrusted IPs, enable IIS protection, use least privilege. |
| Cloud Twist | Enable MFA, logging, and zero-trust for Azure setups. |
Immediate Actions: Scan environments with tools like Microsoft Defender or SQL Server Management Studio for anomalous queries.
Patch Fast: Download updates from Microsoft Update Catalog. Test in staging first to avoid disrupting console access.
Mitigate: Block inbound traffic to SCCM ports (e.g., 80/443, 1433) from untrusted IPs using firewalls. Enable SQL injection protection in IIS and use least-privilege database accounts.
If patching isn’t viable, CISA advises discontinuing the product. Organizations should hunt for signs of compromise, such as unusual SQL logs, failed authentications, or new admin accounts.
This joins a string of SCCM issues, underscoring the need for rapid patching in enterprise tools. Stay vigilant, check CISA’s KEV list and Microsoft’s security advisories.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.