Attackers finally get around to exploiting critical Microsoft bug from 2024
Summary
A critical SQL injection flaw in Microsoft Configuration Manager (CVE-2024-43468), patched by Microsoft in October 2024, is now listed by CISA as actively exploited. The vulnerability carries a CVSS score of 9.8 and allows an unauthenticated remote attacker to execute commands on the Configuration Manager site server or its underlying SQL Server database. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue and set a 5 March 2026 deadline for federal agencies to apply the patch. Proof-of-concept exploits have since been published, increasing the risk to organisations that have not yet patched.
Key Points
- CVE-2024-43468 is a CVSS 9.8 SQL injection in Microsoft Configuration Manager that permits unauthenticated, remote command execution against the site server or its database.
- CISA added the CVE to its Known Exploited Vulnerabilities catalogue and requires federal agencies to patch by 5 March 2026.
- Microsoft patched the flaw in October 2024 and initially assessed it as “exploitation less likely”; with proof-of-concept code now public and exploitation observed, that assessment no longer holds.
- The bug was reported by Mehdi Elyassa of Synacktiv; Microsoft has not provided details on attackers or impact scope at the time of reporting.
- CISA currently lists it as under active exploitation but says it is “unknown” whether the CVE has been used in ransomware incidents.
Why should I read this?
Short version: if you run Configuration Manager and haven’t applied the October 2024 fix, you’re on the naughty list. Public proof-of-concept code makes this one easy to weaponise, and it is now being exploited in the wild. Patch as soon as you can, unless you fancy a painful incident response over a long weekend.
Author’s take
Punchy and blunt: this is the kind of vulnerability every sysadmin dreads. It sat unpatched in many environments for over a year while carrying an “exploitation less likely” label, and now it’s being exploited. Read the detail and act fast; don’t wait for an alert to force your hand.
Context and Relevance
Configuration Manager is widely used to manage Windows endpoints across enterprises and public-sector organisations, so a high-severity SQL injection there has broad impact. The CISA KEV listing imposes a compliance deadline on US federal agencies, which underscores the seriousness and expected real-world exploitation. This case also illustrates a growing trend: vulnerabilities once rated “less likely” to be exploited can become high-risk once proofs-of-concept appear, and attackers often move quickly after PoCs are published.
For IT teams: prioritise patching every Configuration Manager site in the hierarchy (central administration site, primaries and secondaries), verify that the update actually installed rather than assuming it did, and monitor for suspicious activity around site servers, SMS Providers and the site database. If you deferred the October 2024 update, treat this as urgent.
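The “verify patch deployment” step above is the one most often skipped. As an added example (not code from the article or from Microsoft), the following PowerShell script enumerates every site in a Configuration Manager hierarchy through the ConfigurationManager module and flags any site whose reported version is below a patched version you supply. It assumes the Configuration Manager console (which ships the module and sets `SMS_ADMIN_UI_PATH`) is installed on the machine it runs on, and `$PatchedVersion` is a placeholder: take the correct value for your branch from Microsoft’s CVE-2024-43468 guidance, because the article does not state it.

```powershell
# Added example, not from the article or from Microsoft.
# Lists all Configuration Manager sites and flags those below a given site version.
# Assumptions: the Configuration Manager console and its PowerShell module are
# installed here, and the caller can read site data through the SMS Provider.
# $PatchedVersion is a placeholder; supply the patched site version for your
# branch from Microsoft's CVE-2024-43468 guidance (e.g. "5.00.9128.1024" style).
param(
    [Parameter(Mandatory = $true)][string]$PatchedVersion,
    [string]$SiteCode
)

# The console sets SMS_ADMIN_UI_PATH to ...\bin\i386; the module lives one level up in ...\bin.
$consolePath = $env:SMS_ADMIN_UI_PATH
if (-not $consolePath) {
    throw 'SMS_ADMIN_UI_PATH is not set; run this where the Configuration Manager console is installed.'
}
$modulePath = Join-Path (Split-Path $consolePath -Parent) 'ConfigurationManager.psd1'
Import-Module $modulePath -ErrorAction Stop

# The module exposes one PSDrive per connected site; use the first one if none was given.
if (-not $SiteCode) {
    $SiteCode = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name
}
Set-Location "$($SiteCode):"

$target = [version]$PatchedVersion

# Get-CMSite returns one object per site in the hierarchy (CAS, primaries, secondaries).
$results = foreach ($site in Get-CMSite) {
    $current = [version]$site.Version
    [pscustomobject]@{
        SiteCode = $site.SiteCode
        SiteName = $site.SiteName
        Version  = $site.Version
        Status   = if ($current -ge $target) { 'OK' } else { 'NEEDS PATCH' }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled compliance job fail when any site is behind.
if ($results | Where-Object { $_.Status -eq 'NEEDS PATCH' }) { exit 1 }
```

Run it as `.\Check-CMSiteVersion.ps1 -PatchedVersion '<version from Microsoft>'` from an elevated console host. Treat a green result as necessary but not sufficient: if your branch received the fix as an in-console hotfix, also confirm in Administration > Updates and Servicing that the specific update shows as installed on every site, and check the SMS Provider and site database servers rather than only the console machine.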
