CISA Alerts Active SQL Injection in SCCM

CVE-2024-43468, a severe SQL injection vulnerability in Microsoft Configuration Manager (SCCM), also known as Microsoft Endpoint Configuration Manager, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Announced on February 12, 2026, this entry signals real-world exploitation, giving organizations a tight deadline of March 5, 2026, to mitigate or retire affected systems.

As the authoritative source for in-the-wild vulnerabilities, CISA’s KEV catalog helps defenders prioritize amid a flood of CVEs and integrates seamlessly with vulnerability management frameworks.

CVE-2024-43468 arises from flawed input validation in SCCM's web-based services, particularly the management point (MP) and distribution point (DP) roles.

These components expose HTTP/S endpoints that process user-supplied input without proper sanitization, mapping directly to CWE-89 (SQL Injection).

An unauthenticated remote attacker crafts malicious requests, typically URL-encoded payloads injected into query strings or POST bodies, such as

/SMS_MP/.sms_aut?MPSiteCode=ABC&type=InventoryData&ID=1' UNION SELECT @@version--

tricking the backend SQL Server into executing arbitrary SQL.

Successful exploitation grants database-level access, often escalating to OS-level RCE via extended stored procedures like xp_cmdshell.

Attackers can then enumerate SCCM’s inventory data (device lists, software configs), dump credentials from linked Active Directory integrations, or pivot laterally using SCCM’s client messaging protocols (TCP/10123).

CVE Table

Attribute      Details
CVE ID         CVE-2024-43468
Product        Microsoft SCCM
Type           SQL Injection (CWE-89)
KEV Add Date   2026-02-12
Due Date       2026-03-05

In observed attacks, threat actors have chained this with living-off-the-land binaries (LOLBins) like certutil.exe for payload delivery, targeting air-gapped segments managed via SCCM.

While CISA lists ransomware ties as “unknown,” the vulnerability’s low barrier to entry (no auth, standard ports) mirrors tactics used in campaigns like LockBit or BlackCat.

Microsoft addressed this in its November 2024 Patch Tuesday (KB5044384 for branch 2309 and newer), introducing parameterized queries and input escaping in affected IIS modules.
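The fix described above (replacing string-built queries with parameterized ones) is the standard remedy for CWE-89. The following is an added illustration, not Microsoft's or SCCM's code: an in-memory SQLite table stands in for the site database (the real backend is SQL Server, so `@@version` from the page's payload is replaced with a UNION over a second column), and the two lookup functions show why the same `ID` value injects through string concatenation but is treated as inert data when bound as a parameter. Table and column names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for an SCCM inventory table (SQLite, in memory).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (id INTEGER, device TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO inventory VALUES (?, ?, ?)",
        [(1, "WS-001", "s3cr3t-1"), (2, "WS-002", "s3cr3t-2")],
    )
    return conn

def lookup_vulnerable(conn, device_id: str):
    # Pre-patch pattern: the request parameter is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest becomes SQL.
    sql = f"SELECT id, device FROM inventory WHERE id = '{device_id}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, device_id: str):
    # Patched pattern: the statement is fixed and the value is bound separately.
    # The driver never parses the value as SQL, whatever characters it holds.
    sql = "SELECT id, device FROM inventory WHERE id = ?"
    return conn.execute(sql, (device_id,)).fetchall()

# The page's payload shape (quote, UNION SELECT, trailing comment), adapted to the
# SQLite stand-in: instead of @@version it pulls the 'secret' column.
PAYLOAD = "1' UNION SELECT id, secret FROM inventory--"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable  :", lookup_vulnerable(db, PAYLOAD))    # leaks secret column
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no rows
```

The parameterized lookup returns nothing for the payload because the whole string is compared against the integer `id` column as one value. Input validation (for example, rejecting an `ID` that is not purely numeric before it reaches the database) is a sensible second layer, but it is not a substitute for binding.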

Yet, scanning data from Shadowserver and others shows that thousands of internet-facing SCCM instances remain unpatched, clustered in the healthcare, manufacturing, and government sectors where SCCM’s endpoint orchestration is entrenched.

Defenders face challenges: SCCM’s complexity means patches require console updates, boundary group tweaks, and client rollouts across fleets.

False positives in testing environments have delayed adoption. CISA recommends treating KEV entries as “must-fix now,” aligning with BOD 22-01 for federal systems and cloud services.

Practical hunting starts with Shodan queries for “SMS_MP” banners or Nmap scripts (nmap -p80,443 --script http-sccm-detect). Validate exploits cautiously in labs using SQLmap with --level=5 --risk=3.

Mitigation       Action
Patch            Apply KB5044384 (SCCM 2309+)
Restrict Access  Firewall 80/443 to trusted IPs
WAF Rules        OWASP CRS SQLi protection
SQL Hardening    Disable xp_cmdshell; enable logging
Scan/Monitor     Nuclei/sqlmap scans; IIS/SQL logs
Fallback         Migrate to Intune if unpatchable
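The "IIS/SQL logs" row is where most defenders will actually find exploitation attempts, since the management point is an IIS site and its W3C log records the full query string. The script below is an added example, not part of this article or of any Microsoft tooling: it parses the `#Fields:` header of a standard IIS W3C log, URL-decodes `cs-uri-query`, and flags requests carrying SQL injection indicators (the page's UNION SELECT / `@@version` payload, a tautology such as `' OR '1'='1`, `xp_cmdshell`, SQL comments). The log lines, client addresses and the indicator list are constructed for the example; a production rule would be tuned to your own baseline of legitimate client traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt for a management point; not real traffic.
# Line 1 is a legitimate client check-in, lines 2 and 3 carry injection
# payloads (the second one is the shape quoted earlier in the article).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2026-02-13 08:15:02 10.0.0.5 GET /SMS_MP/.sms_aut MPSiteCode=ABC&type=InventoryData&ID=1 443 10.0.0.77 SMS+CCM+5.0 200
2026-02-13 08:15:09 10.0.0.5 GET /SMS_MP/.sms_aut MPSiteCode=ABC&type=InventoryData&ID=1%27+UNION+SELECT+%40%40version-- 443 203.0.113.9 python-requests/2.31 500
2026-02-13 08:16:41 10.0.0.5 POST /SMS_MP/.sms_aut MPSiteCode=ABC&ID=1%27+OR+%271%27%3D%271 443 203.0.113.9 curl/8.4 500
2026-02-13 08:20:00 10.0.0.5 GET /SMS_DP_SMSPKG$/PKG00001 - 443 10.0.0.78 SMS+CCM+5.0 200
"""

# Indicator patterns (illustrative, not an exhaustive signature set).
SQLI_PATTERNS = [
    (re.compile(r"union\s+select", re.I), "UNION SELECT"),
    (re.compile(r"@@\w+"), "server variable"),
    (re.compile(r"xp_cmdshell", re.I), "xp_cmdshell"),
    (re.compile(r"'\s*(or|and)\s+['\w]+\s*=", re.I), "tautology"),
    (re.compile(r"--|/\*"), "SQL comment"),
]

def parse_iis_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        elif fields:
            parts = line.split(" ")  # IIS encodes spaces inside fields as '+'
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows

def classify_request(row):
    """Decode the query string and score it against the indicator list."""
    decoded = unquote_plus(row.get("cs-uri-query", ""))
    indicators = [name for rx, name in SQLI_PATTERNS if rx.search(decoded)]
    has_quote = "'" in decoded
    # A lone '--' or '@@' can be legitimate; require a quote or two indicators.
    suspicious = bool(indicators) and (has_quote or len(indicators) >= 2)
    return suspicious, indicators, decoded

def hunt(text):
    """Return a finding per suspicious request, ready for a ticket or SIEM alert."""
    findings = []
    for row in parse_iis_w3c(text):
        suspicious, indicators, decoded = classify_request(row)
        if suspicious:
            findings.append({
                "time": f"{row['date']} {row['time']}",
                "client": row["c-ip"],
                "method": row["cs-method"],
                "path": row["cs-uri-stem"],
                "status": row["sc-status"],
                "indicators": indicators,
                "query": decoded,
            })
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['path']} "
              f"HTTP {f['status']} indicators={f['indicators']}")
```

Run it against a real MP log by replacing `SAMPLE_LOG` with the file contents (`open(path).read()`). Two details matter in practice: decode before matching, because the payloads arrive URL-encoded and a raw `grep` for `UNION` misses `%20`/`+` spacing, and keep the HTTP status alongside the hit, since a run of 500s from one external client against `/SMS_MP/` is a stronger signal than any single pattern.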

Site cybersecuritypath.com
