Critical SQL Injection Bug Now Actively Targeted
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a severe Microsoft Configuration Manager vulnerability, tracked as CVE-2024-43468, to its Known Exploited Vulnerabilities (KEV) catalog. The listing confirms that attackers are now actively exploiting the flaw, roughly sixteen months after Microsoft issued a patch in October 2024.
The vulnerability carries a CVSS score of 9.8. An unauthenticated remote attacker can use it to run arbitrary SQL against the site database and, from there, execute operating-system commands on the affected server. Under Binding Operational Directive 22-01, U.S. federal civilian agencies have until March 5, 2026, to apply the required mitigations.
Sixteen-Month Gap Between Patch and Confirmed Exploitation
Microsoft addressed the issue in its October 2024 Patch Tuesday release. The flaw was discovered by French security firm Synacktiv, which published a detailed technical analysis and a proof-of-concept exploit in January 2025, about three months after the patch. CISA's KEV listing in February 2026 is the first official confirmation that the flaw is being exploited in the wild.
The SQL injection vulnerability resides in the MP_Location service on the management point, which builds SQL statements from client message content without adequate sanitization. Because the request path requires no authentication, an attacker can inject arbitrary SQL that runs against the site database with sysadmin privileges, which is enough to enable the xp_cmdshell extended stored procedure and execute operating-system commands on the database server.
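To make the mechanism concrete, the following T-SQL is an added illustration written for this article; it is not Synacktiv's proof-of-concept or any Microsoft code. The table and procedure names (Demo_Clients, Demo_LookupClient_Unsafe, Demo_LookupClient_Safe) are hypothetical placeholders for "a service that concatenates client-supplied data into a query" and have nothing to do with ConfigMgr's real schema. It shows the concatenation anti-pattern, the parameterized fix, and the generic checks a defender can run against any SQL Server instance to confirm xp_cmdshell is off and to look for it having been switched on.

```sql
-- Added illustration for this article; not Synacktiv's PoC or Microsoft code.
-- Demo_Clients, Demo_LookupClient_Unsafe and Demo_LookupClient_Safe are
-- hypothetical placeholders, not Configuration Manager objects.
CREATE TABLE dbo.Demo_Clients (
    ClientId INT IDENTITY PRIMARY KEY,
    Name     NVARCHAR(256) NOT NULL
);
INSERT INTO dbo.Demo_Clients (Name) VALUES (N'WS-001'), (N'WS-002');
GO

-- 1. The anti-pattern: client-supplied text is pasted into the statement and
--    the result is executed under whatever login the service uses.
CREATE OR ALTER PROCEDURE dbo.Demo_LookupClient_Unsafe @ClientName NVARCHAR(256)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ClientId, Name FROM dbo.Demo_Clients WHERE Name = N'''
        + @ClientName + N'''';
    EXEC (@sql);  -- runs whatever the concatenated string now contains
END;
GO

-- A value that closes the string literal and comments out the rest. Instead
-- of one row it returns every client; with a sysadmin login the attacker can
-- append any statement here, e.g. sp_configure to turn on xp_cmdshell.
EXEC dbo.Demo_LookupClient_Unsafe @ClientName = N'WS-001'' OR 1=1 --';

-- 2. The fix: pass the value as a parameter so it is never parsed as SQL.
CREATE OR ALTER PROCEDURE dbo.Demo_LookupClient_Safe @ClientName NVARCHAR(256)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT ClientId, Name FROM dbo.Demo_Clients WHERE Name = @name',
        N'@name NVARCHAR(256)',
        @name = @ClientName;
END;
GO

-- The same payload now matches nothing, because it is compared as data.
EXEC dbo.Demo_LookupClient_Safe @ClientName = N'WS-001'' OR 1=1 --';

-- 3. Defender checks (valid on any SQL Server instance). Only a sysadmin can
--    enable xp_cmdshell, which is why sysadmin-level injection matters.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'show advanced options');
-- Expected hardened state: value_in_use = 0 for both rows.

-- Configuration changes are written to the SQL Server error log as
-- "Configuration option 'xp_cmdshell' changed from 0 to 1"; search the
-- current log (0) of the SQL Server log type (1) for that text.
EXEC xp_readerrorlog 0, 1, N'xp_cmdshell';

-- Clean up the demo objects.
DROP PROCEDURE dbo.Demo_LookupClient_Unsafe, dbo.Demo_LookupClient_Safe;
DROP TABLE dbo.Demo_Clients;
```

Run it in a scratch database, not on a production site database. The parameterized procedure is the code-level fix; the operational lesson from this CVE is the second half: a service that talks to the database as sysadmin turns any injection into a full server compromise, so the login the service uses should hold only the rights it needs, and xp_cmdshell should stay disabled and be alerted on when it changes.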
Microsoft Configuration Manager—formerly known as System Center Configuration Manager (SCCM)—is widely deployed across enterprise environments to manage Windows devices, push updates, deploy applications, and handle system imaging across large networks.
Part of a Broader KEV Update
CISA included the Microsoft flaw as part of a broader KEV update on February 12, which added three other actively exploited vulnerabilities:
- CVE-2025-15556 – Notepad++ integrity check bypass
- CVE-2025-40536 – SolarWinds Web Help Desk security control bypass
- CVE-2026-20700 – Apple buffer overflow impacting iOS, iPadOS, macOS and related platforms
The Apple flaw, reported by Google’s Threat Analysis Group, is believed to be exploited by nation-state or commercial spyware actors.
Immediate Action Recommended
Although Microsoft has not updated its advisory with new exploitation details, CISA’s inclusion signals that the vulnerability poses a confirmed active threat. Both federal and private organizations are urged to review the KEV catalog and ensure all listed issues are promptly patched.
Organizations running Configuration Manager versions 2303, 2309, or 2403 should verify that Microsoft's security update has been installed and that every site system, including all management points, has picked it up; a site where any role still reports a pre-fix build remains exposed.
