CISA Flags Actively Exploited CVE-2024-43468: Critical Unauthenticated SQL Injection in Microsoft Configuration Manager Enables Remote Code Execution

In late 2024 a critical security vulnerability affecting Microsoft Configuration Manager—Microsoft’s widely-used systems management product (formerly SCCM / ConfigMgr)—was publicly disclosed and subsequently added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog after evidence of active attacks.

What is CVE-2024-43468?

CVE-2024-43468 is an unauthenticated SQL injection vulnerability in Microsoft Configuration Manager’s MP_Location service, tracked as a Remote Code Execution (RCE) weakness. The vulnerability exists due to improper validation of user-controlled input in database queries, allowing crafted requests to execute arbitrary SQL commands with high privileges.

According to the National Vulnerability Database’s entry:

Severity: Critical
CVSS v3.1 Score: 9.8
Attack Vector: Network (no credentials required)
Impact: Complete compromise of confidentiality, integrity, and availability of affected systems
Weakness Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)

Technical Details

The flaw resides in the MP_Location service that processes HTTP messages from managed client machines. Because some input values (notably SourceID fields) are not properly sanitized, attackers can inject and manipulate SQL queries directly within the backend database.

Key consequences of exploitation include:

Arbitrary SQL execution under the SMS service account, which has sysadmin privileges.
Remote code execution via SQL Server features such as xp_cmdshell, allowing arbitrary OS command execution.
Attack code is publicly available, making exploitation significantly easier for attackers.

Synacktiv’s advisory shows that this issue affects several product versions including Configuration Manager 2403, 2309, and 2303, and demonstrates two distinct unauthenticated SQL injection vectors.

Discovery, Disclosure, and Patch History

The vulnerability was responsibly reported to Microsoft in August 2024 and confirmed shortly thereafter. A patch was released as part of Microsoft’s October 2024 Patch Tuesday updates, followed by hotfix revisions to fully address the issue.

Timeline highlights include:

Aug 5, 2024: Initial advisory sent to Microsoft
Sep–Oct 2024: Microsoft issues and revises fix releases
Oct 8, 2024: Official CVE publication and patch availability
Jan 2025: Technical advisory and exploit details became public

Active Exploitation and CISA KEV Inclusion

In February 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-43468 to its Known Exploited Vulnerabilities Catalog, signaling that real-world exploitation by threat actors has been observed or is likely underway. Federal civilian agencies now have mandatory deadlines to patch or mitigate the flaw under Binding Operational Directive (BOD) 22-01.

This addition elevates the urgency of remediation for organizations using Configuration Manager, as CISA’s catalog entries typically reflect vulnerabilities either under active attack or widely leveraged in the wild by adversaries.

Why This Matters

Microsoft Configuration Manager is core infrastructure for many enterprise environments—used for software deployment, patch management, inventory, and remote control. An unauthenticated flaw that can lead to:

Complete database compromise
Execution of arbitrary administrative actions
Potential infrastructure takeover

…makes CVE-2024-43468 particularly dangerous for organizations that have not applied the patch or mitigation guidance.

Mitigation and Recommended Actions

Administrators responsible for Configuration Manager installations should:

Immediately apply the Microsoft patches released for affected versions.
Review network exposure of Management Point (MP) endpoints and restrict external access.
Monitor logs and network traffic for suspicious SQL injection attempts.
Follow guidance from CISA’s KEV Catalog and Microsoft Security Response Center for threat hunting and incident response procedures.

Conclusion

CVE-2024-43468 represents a severe and actively exploited vulnerability in widely deployed enterprise management software. With a CVSS score of 9.8 and public exploit code circulating, organizations must prioritize remediation to prevent compromise of critical systems and data.