GBHackers

CISA Issues Urgent Warning on Microsoft Configuration Manager SQL Injection Vulnerability Under Active Exploitation


The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SQL injection vulnerability in Microsoft Configuration Manager to its Known Exploited Vulnerabilities (KEV) catalogue.

Threat actors are actively exploiting the flaw in the wild, and the addition signals immediate risk to organisations using the enterprise management platform.

SQL Injection Enables Command Execution

Tracked as CVE-2024-43468, the vulnerability allows unauthenticated remote attackers to execute arbitrary commands on affected servers and underlying databases by sending specially crafted requests to vulnerable Configuration Manager environments.

The flaw stems from unsafe processing of user-supplied input, a weakness classified under CWE-89 for improper neutralization of SQL commands.

Microsoft Configuration Manager, used by enterprises worldwide to manage large-scale IT infrastructure, is a high-value target: a compromise can give attackers extensive network access and control over managed endpoints.

The vulnerability’s exploitation does not require authentication, significantly lowering the barrier for threat actors to compromise vulnerable systems.

Once exploited, attackers gain the ability to manipulate database contents, extract sensitive configuration data, modify system settings, or pivot deeper into enterprise networks.

The severity of this flaw is amplified by Configuration Manager’s privileged position within corporate environments, where it typically maintains credentials and access to thousands of devices.

CISA’s February 12, 2026 advisory mandates federal agencies apply vendor-provided mitigations by March 5, 2026, following Binding Operational Directive 22-01 requirements.

Organizations using cloud-based deployments must follow applicable BOD 22-01 guidance for cloud services, while those unable to implement mitigations should discontinue product use until patches are available.

Though CISA has not confirmed whether the vulnerability is being leveraged in ransomware campaigns, the flaw’s characteristics make it attractive for initial access operations commonly preceding ransomware deployment.

Microsoft released security updates addressing CVE-2024-43468, and organizations should prioritize patching Configuration Manager installations immediately.

Security teams should review logs for suspicious SQL queries, unusual database activity, or unauthorized command execution attempts.

Network segmentation and restricting Configuration Manager access to trusted networks can reduce exposure while patches are deployed.

The active exploitation status underscores the urgency of remediation, as threat actors frequently target enterprise management platforms to establish persistent footholds and move laterally across networks.
